Stephen_Daniel
Article Id 421900
Description This article describes why the public IP of a FortiGate instance in Azure can become disassociated because of an incorrect FortiGate SDN connector configuration.
Scope FortiGate-Azure.
Solution

This issue can occur when there is a misconfiguration in the SDN connector configuration under config system sdn-connector -> config nic -> config ip, specifically in the name of the ipconfig entry.

For example, if the SDN connector configuration is as below:

config system sdn-connector
    edit "Azure-SDN"
        set type azure
        set ha-status enable
        set subscription-id "3bcac138-988a-486a-8da4-e3e87b505e1d"
        set resource-group "co-cnx3-fwl-rg-01"
        set azure-region china
        config nic
            edit "cocnx3vm-FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "co-cnx3-fgt-pip-ext01"
                    next
                end
            next
        end
    next
end

This SDN configuration causes the public IP to be disassociated from the FortiGate instance in the Azure portal, because there is a typo in the ipconfig name.

The azd log shows that the public IP 'co-cnx3-fgt-pip-ext01' was found in ipconfig 'ipconfig01':

2025-10-01 19:37:08 found pub ip co-cnx3-fgt-pip-ext01 in resource group co-cnx3-fwl-rg-01
2025-10-01 19:37:08 ipconfig id: /subscriptions/3bcac138-988a-486a-8da4-e3e87b505e1d/resourceGroups/co-cnx3-fwl-rg-01/providers/Microsoft.Network/networkInterfaces/cocnx3vm-FGT-A-Nic1/ipConfigurations/ipconfig01

In the SDN connector configuration, however, the ipconfig name is written as 'ipconfig1':

config nic
    edit "cocnx3vm-FGT-A-Nic1"
        config ip
            edit "ipconfig1"
                set public-ip "co-cnx3-fgt-pip-ext01"
            next
        end
    next
end

From the azd daemon's perspective, it is asked to associate the public IP 'co-cnx3-fgt-pip-ext01' with 'ipconfig1'. It therefore removes the public IP from 'ipconfig01' first and then tries to associate it with 'ipconfig1'. Because 'ipconfig1' does not exist, the association fails and the public IP is left disassociated. This disassociation results in issues such as the VPN tunnel going down and loss of access to the FortiGate over its public IP. To regain access, the public IP has to be re-associated with the NIC's ipconfig manually in the Azure portal.

To fix this issue, change the ipconfig name in the FortiGate SDN connector configuration to 'ipconfig01' (the name that exists on the Azure NIC) instead of 'ipconfig1'.
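As an added example (not part of this article and not a Fortinet tool), the following Python script parses a FortiGate SDN connector configuration and compares each referenced ipconfig name against the NIC's ipConfigurations as reported by Azure, so a name mismatch like the one above is caught before the azd daemon detaches the public IP. The Azure data is a constructed sample shaped like the relevant part of `az network nic show` output, and the parser assumes the standard FortiGate CLI config/edit/next/end nesting.

```python
# Constructed sample: the SDN connector config from this article, including the typo.
FGT_SDN_CONFIG = """\
config system sdn-connector
    edit "Azure-SDN"
        set type azure
        config nic
            edit "cocnx3vm-FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "co-cnx3-fgt-pip-ext01"
                    next
                end
            next
        end
    next
end
"""
# Constructed sample shaped like `az network nic show` output (only the fields used here).
AZURE_NICS = {"cocnx3vm-FGT-A-Nic1": {"ipConfigurations": [{"name": "ipconfig01"}]}}

def parse_sdn_nics(config_text):
    """Return {nic: {ipconfig: public_ip}} from a FortiGate 'config system sdn-connector' block."""
    result, scopes, nic, ipcfg = {}, [], None, None
    for line in config_text.splitlines():
        s = line.strip()
        scope = scopes[-1] if scopes else None
        if s.startswith("config "):          # enter a nested block such as 'config nic'
            scopes.append(s.split()[1])
        elif s == "end":                     # leave the innermost block
            scopes.pop()
        elif s.startswith("edit ") and scope == "nic":
            nic = s.split(" ", 1)[1].strip('"')
            result.setdefault(nic, {})
        elif s.startswith("edit ") and scope == "ip":
            ipcfg = s.split(" ", 1)[1].strip('"')
            result[nic].setdefault(ipcfg, None)
        elif s.startswith("set public-ip ") and scope == "ip":
            result[nic][ipcfg] = s.split(" ", 2)[2].strip('"')
    return result

def find_mismatches(sdn_nics, azure_nics):
    """List (nic, ipconfig, public_ip, azure_ipconfig_names) for names Azure does not have."""
    problems = []
    for nic, ipcfgs in sdn_nics.items():
        azure_names = sorted(c["name"] for c in azure_nics.get(nic, {}).get("ipConfigurations", []))
        for ipcfg, pip in ipcfgs.items():
            if ipcfg not in azure_names:   # azd would detach pip and then fail to attach it here
                problems.append((nic, ipcfg, pip, azure_names))
    return problems
```

Running `find_mismatches(parse_sdn_nics(FGT_SDN_CONFIG), AZURE_NICS)` reports the 'ipconfig1' entry together with the names Azure actually has, and returns an empty list once the name is corrected to 'ipconfig01'.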