I recently upgraded my Public IP SKU in Azure from Basic to Standard as Microsoft has been recommending. Immediately after the upgrade, my VPN tunnel to Azure went down, and I'm trying to figure out what's going wrong. I contacted support, but their suggestions have mostly involved rebooting things, and at one point they even hinted that the issue might be with my Cisco setup (Firepower ASA on-prem and vASA in Azure). This seems odd since the only change I made was the IP upgrade. If anyone has more experience with Azure and could help me understand what might have broken, I'd greatly appreciate it! Thanks in advance!
4 Answers
Did you happen to use the migration script from Azure's guidelines? It might help if you did, as it eases the transition during upgrades like this.
Was your public IP address changed in the process? If so, phase 1 of your VPN could fail due to a mismatched IP. Can you check what your on-prem device reports?
Nope, the public IP stayed the same. It seems like a simple SKU upgrade shouldn’t affect the existing configuration. My on-prem device just says the target endpoint is down.
Do you have a network security group (NSG) attached to your VM's NIC? That’s necessary for allowing traffic with a Standard IP SKU. Can you clarify if your VPN endpoint is a Virtual Network Gateway or a VM?
Yes, I’ve had an NSG attached all along, and it was configured to allow traffic before the upgrade. My Azure endpoint is actually a Cisco virtual ASA VM, so I suspect there's something else that’s changed with the IP SKU upgrade.
If you didn’t read through the instructions properly, there was expected downtime while the IP gets disassociated. Make sure you checked that step thoroughly, or else you might be sending the wrong message to support.
I get where you're coming from, but I did follow the documentation accurately. Although downtime is expected when dissociating the IP for the upgrade, I didn’t think the tunnel would stay down once re-associated. That’s the part I’m still struggling with.
No, I just followed the general Microsoft documentation for this upgrade. I dissociated the IP, upgraded, and then reassociated it, so everything seemed straightforward until my tunnel went down.
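The NSG check raised in the thread, as an added example that is not part of any poster's reply: it evaluates inbound rules the way Azure does (ascending priority, first match wins, default deny) for the flows an IPsec peer needs to reach a VPN VM. Assumptions: the rule dictionaries use the single-valued field names seen in `az network nsg rule list` output, and the rule names and peer address are constructed.

```python
import ipaddress

# Inbound flows an IPsec peer needs: IKE (UDP 500), NAT-T (UDP 4500),
# and ESP when NAT traversal is not negotiated.
REQUIRED = [("Udp", 500), ("Udp", 4500), ("Esp", None)]

def port_match(spec, port):
    """Match an NSG port spec ('*', '500', '4000-5000'); ESP has no port."""
    if spec == "*" or port is None:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def src_match(prefix, peer):
    """Match '*', the Internet tag, a CIDR or a single IP against the peer."""
    if prefix in ("*", "Internet"):
        return True
    try:
        return ipaddress.ip_address(peer) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # other service tags are not resolved here

def verdict(rules, peer, proto, port):
    """Lowest priority number is evaluated first; the first match decides."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == "Inbound" and r["protocol"] in ("*", proto)
                and src_match(r["sourceAddressPrefix"], peer)
                and port_match(r["destinationPortRange"], port)):
            return r["access"], r["name"]
    return "Deny", "DenyAllInBound"  # Azure's default inbound rule

def check_vpn(rules, peer):
    return {flow: verdict(rules, peer, *flow) for flow in REQUIRED}

def rule(name, priority, access, protocol, source, port):
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol,
            "sourceAddressPrefix": source, "destinationPortRange": port}

# Constructed sample: 203.0.113.10 is a documentation address, not from the thread.
SAMPLE_RULES = [
    rule("allow-ike", 100, "Allow", "Udp", "203.0.113.10", "500"),
    rule("allow-natt", 110, "Allow", "Udp", "203.0.113.10", "4500"),
    rule("deny-rest", 200, "Deny", "*", "*", "*"),
    rule("allow-esp", 300, "Allow", "Esp", "203.0.113.10", "*"),  # shadowed by deny-rest
]

if __name__ == "__main__":
    for flow, (access, name) in check_vpn(SAMPLE_RULES, "203.0.113.10").items():
        print(flow, access, "via", name)
```

In the sample, the ESP allow rule never takes effect because a broader deny rule with a lower priority number matches first, which is the kind of ordering problem a rule list that "allows traffic" can still hide.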