Unexpected Route Inheritance in P2S VPN from S2S VPN

Ivan 0 Reputation points
2025-02-25T18:14:52.82+00:00

Description: We are experiencing an issue with Point-to-Site (P2S) VPN clients inheriting routes from the Site-to-Site (S2S) VPN connection. Our setup does not use BGP, so all routes are managed manually. However, despite explicitly blocking certain routes at the P2S level, they are still being inherited from the S2S VPN.

Environment Details:

  • Virtual Network Gateway Name: TF-vNetGW
  • P2S VPN Address Space: Configured under Point-to-site configuration
  • S2S VPN Connection Name: TF-S2S
  • Local Network Gateway Name: TF-Office
  • BGP Status: Disabled
  • Route Management: Using Azure Route Tables (UDR)

Issue Observed:

  1. Routes 10.7.0.0/24 and 10.2.211.0/24 should be accessible via S2S VPN only but are unexpectedly being advertised to P2S VPN clients.
  2. Route Tables (UDR) have been configured to block these routes for P2S, but they still appear in the Get-NetRoute output on client machines.
  3. Additional routes to advertise under P2S VPN does NOT include these networks, yet they are still inherited.
  4. Resetting the Virtual Network Gateway and recreating Route Tables did not resolve the issue.

Steps Taken to Fix the Issue:

  • Created a Route Table (P2S-RouteTable) and assigned it to the P2S VPN subnet.
  • Set up blocking rules (NextHopType = None) for 10.7.0.0/24 and 10.2.211.0/24.
  • Ensured these networks are NOT listed in Additional routes to advertise under P2S configuration.
  • Reset Virtual Network Gateway (Reset-AzVirtualNetworkGateway).
  • Deleted and recreated Route Tables from scratch.

Expected Behavior:

  • S2S VPN should NOT push routes to P2S clients.
  • Blocked routes (10.7.0.0/24 and 10.2.211.0/24) should NOT appear in the P2S VPN route table.
  • P2S clients should only use manually configured routes.

Request for Assistance:

  • Is there a hidden dependency causing these routes to persist in the P2S VPN client route table?
  • Is there a way to force route isolation between P2S and S2S VPN in Azure, apart from UDR?
  • Could there be an Azure-side caching issue, and if so, how do we clear it?
  • Are there any recent changes in how Azure VPN processes routes that could affect this behavior?

Please advise on how to ensure route isolation between S2S and P2S VPN in a non-BGP setup.

Thank you.
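As an added diagnostic (not part of the original post and not Azure's own tooling), the PowerShell below compares what a connected P2S client actually holds in its route table with the three prefix lists the gateway is configured with (P2S address pool, Additional routes to advertise, and the Local Network Gateway behind TF-S2S), so the origin of the two on-prem prefixes can be pinned down instead of guessed. It assumes the Az.Network module and an authenticated Az session; the resource group name is a placeholder, while the gateway, connection and prefix values are the ones from the post.

```powershell
# Added diagnostic, not from the original post. Run Test-ClientRoutes on a
# connected P2S machine and Get-GatewayPrefixSources from an authenticated Az
# session (Az.Network, Connect-AzAccount). The resource group is a placeholder;
# gateway, connection and prefix names are taken from the post.

function Test-ClientRoutes {
    # Which of the suspect prefixes are in the client's route table, and via which interface.
    param([string[]]$Suspect = @('10.7.0.0/24', '10.2.211.0/24'))
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.DestinationPrefix -in $Suspect } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
}

function Get-GatewayPrefixSources {
    # Collects every prefix list the gateway itself is configured with and reports
    # which of them contains each suspect prefix. UDRs are left out on purpose: they
    # steer traffic leaving a subnet and are not a prefix list the gateway holds.
    param(
        [string]$ResourceGroup  = '<resource-group>',   # placeholder, not from the post
        [string]$GatewayName    = 'TF-vNetGW',
        [string]$ConnectionName = 'TF-S2S',
        [string[]]$Suspect      = @('10.7.0.0/24', '10.2.211.0/24')
    )
    $gw   = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName
    $conn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroup -Name $ConnectionName
    $lngName = ($conn.LocalNetworkGateway2.Id -split '/')[-1]     # expected: TF-Office
    $lng  = Get-AzLocalNetworkGateway -ResourceGroupName $ResourceGroup -Name $lngName

    $sources = [ordered]@{
        'P2S address pool'                 = @($gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes)
        'Additional routes (CustomRoutes)' = @($gw.CustomRoutes.AddressPrefixes)
        "Local Network Gateway $lngName"   = @($lng.LocalNetworkAddressSpace.AddressPrefixes)
    }

    "EnableBgp on $GatewayName : $($gw.EnableBgp)"
    foreach ($p in $Suspect) {
        $hits = @($sources.Keys | Where-Object { $sources[$_] -contains $p })
        [pscustomobject]@{
            Prefix  = $p
            FoundIn = if ($hits) { $hits -join ', ' } else { '(no gateway-side prefix list)' }
        }
    }
}

# Usage: Test-ClientRoutes                                  # on the P2S client
#        Get-GatewayPrefixSources -ResourceGroup 'my-rg'    # from an Az session
```

If a prefix shows up on the client and in exactly one gateway-side list, that list is the configuration object to change; a prefix present on the client but in none of the lists points at the client profile or a stale connection rather than the gateway.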

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

1 answer
  1. Ivan 0 Reputation points
    2025-03-12T17:14:35.2966667+00:00
    • Do these routes (10.7.0.0/24 and 10.2.211.0/24) belong to on-prem networks or Azure VNETs? on-prem
    • Which type of P2S VPN are you using (Azure certificates or Entra ID authentication)? Azure VPN Client? Entra ID authentication
