Category Archives: NVGRE GW

WAP, NVGRE and Hair pinning

Hello All ,

Today we faces connectivity issue between tenant networks behind same NVGRE GW.

Think that you have two tenants , Company A and Company B and two virtual networks and also NAT rule configured for remote access 3389 (RDP) to Company A VM can connect Company B VM but problem is two virtual networks are behind the same NVGRE GW.

Problem is single interface and To and From is behind a single interface , means source vm network coming from NVGRE outside interface and want to get in same interface to access other vm network .

This image could explain , BRIDGE is describing NVGRE , squares are vm networks and VM s behind


Pls check related settings on NVGRE GW node , active or passive , i guess its not important


PS C:\Users\Administrator.DORUKCOSN> Get-NetNatGlobal
InterRoutingDomainHairpinningMode : External


Then set it Local

PS C:\Users\Administrator.DORUKCOSN> Set-NetNatGlobal -InterRoutingDomainHairpinningMode Local
PS C:\Users\Administrator.DORUKCOSN>

Then go go go , try it now

External comes default , be care about it


How SCVMM balance between NVGRE GWs

Today, we focused how SCVMM balance virtual networks(VN) and services between NVGRE GWs or Network Services(NS) with my team mate Gokhan Acar.

We have two NS configured in SCVMM

Screen Shot 2014-06-19 at 13.30.05

First what we faced, second or last added gateway (sorry no time to add 3th one) become first responsible unit to manage and provide NAT, VPN services to related VNs. We deployed “internetgwservice1” first and create some VN on it then deploy “internetgwservice2” and SCVMM start to create a new requests on it.

Then we try to understand how SCVMM really try to balance between two NS. Old one already have seven VN then we start to create additional VNs. its start to deploy every VN on newly added gw. I expect that after eight it will start to load balance but not !

To shorten the time, try to change the limit 50 to lower value to make easy test, but discover that its not possible to do 😦

Screen Shot 2014-06-19 at 13.41.50

You should be faced with such error below

Error (21426)

Execution of Microsoft.SystemCenter.NetworkService::RegisterGatewayVMNetwork on the configuration provider 4ee559f1-f479-480c-9458-d14b8b1c1779 failed. Detailed exception: Microsoft.VirtualManager.Utils.CarmineException: Unable to add routing domain information to the Remote Access server. (A Hardware Management error has occurred trying to contact server :n:CannotProcessFilter :HRESULT 0x8033801a:No instance found with given property values. .
WinRM: URL: [], Verb: [ENUMERATE], Resource: [*], Filter: [associators of {Msvm_EthernetPortAllocationSettingData.InstanceID=”Microsoft:A449D45C-53B9-4B0A-9E98-C0E3BFB9ECBD\\BB614953-7878-4C15-A915-A587B429D7B1\\C”}where AssocClass=Msvm_EthernetPortSettingDataComponent ResultClass=Msvm_EthernetSwitchPortRoutingDomainSettingData]
Check that WinRM is installed and running on server For more information use the command “winrm helpmsg hresult” and .)
Fix the issue in Remote Access server and retry the operation.
Recommended Action
Check the documentation for the configuration provider or contact the publisher support.
Then we back and try to create more VN with NAT services enabled
Until reach 50th VN everything created on last added NVGRE GW but when we try to create 51th VN we faced same error like above. We are very sure that some cache things happen because the next GW is not run on related host
I guess need to wait little but we try to restart SCVMM services 😀 and push to create 51th VN again , its worked ! 🙂
Continue creating 52,53,54 and its working
Looks like SCVMM do not make round robin based balance, first over the related NVGRE GW then switch to next ….


No-Look VPN Configuration with Azure Pack :D

Hello All

After very long search on Google find only the Azure VPN configuration but there is no example and good explanation about how you can do it with Azure Pack.
DorukNET is COSN provider and we are preparing to offer Azure Pack in Turkey and want to clarify VPN configuration with our Fortigate expert Salih 😛

Before start let me explain ISP point of view VPN properties ;

  • First you ask peer ip address
  • Second you ask phase 1 config properties like IKE version , encryption , key life time and key
  • Third you ask phase 2 config properties , encryption , key life time , network remote and local one which you will encrypt
  • Also talk about other things dead peer detection  (DPD)
  • Policy service consideration also important , mostly we do not allow any to any communication

When you login as a customer to WAP Service Management Portal, you couldn’t see every properties you need to establish VPN , mostly things are preconfigured and customer point of view there is no way to see it. Also its little hard to discover by administrator point of view but at the end we succeeded .

This article is about establish VPN between Fortinet and Microsoft NVGRE GW

Fortigate FW Version : 5.0.patch5
DorukNET WAP Customer Site Network
Provider-SiteAzure :
NVGRE GW Peer IP Address : xxx.yyy.zzz.50
Customer OnPremise Site Network
LocalSite-OnPremise: xxx.102.yyy.240/28
Customer Peer IP Address :Note that WAP site NVGRE GW Peer ip is not available before you create a new site-to-site setup

Lets create it
Login to WAP Service Management Portal and go to Networks and double click your already created network and click Create VPN

Screen Shot 2014-06-09 at 15.20.10
Set your remote site VPN Device ip address, here we set our Fortigate FW outsite ip address and pre-shared key
Screen Shot 2014-06-09 at 15.23.49a
As a address space you have to set remote site ip address block which you would like to communicate encrypted
Important note, WAP GUI do not allow enter single ip address as a remote
Screen Shot 2014-06-09 at 15.41.14
Next two screen WAP allow you to set limitation about VPN configuration if you needed please enter , we did not test its working or not :)Then action time , WAP send the request to VMM to create VPN configuration on NVGRE GW

Screen Shot 2014-06-09 at 15.26.39 


Screen Shot 2014-06-09 at 15.27.38
Check VMM site if you are provider to confirm

Screen Shot 2014-06-09 at 15.27.49
Now you will start to understand why we described article subject as a No-Look !
Now customer can not see anything more than VPN configuration is Enabled  !  No any knowledge about Phase 1 , Phase 2 configuration . Here what provider need to do, well document everything and somehow if provider have some boundaries need to automate the configuration
For example after VPN configuration enabled we can see such properties for VPN

You can see that Microsoft configure each pre-shared key as an Run-As-Account

From WAP GUI there is no way to set certificate as a auth method , actually i do not need it , no need to push Microsoft here 😀

Screen Shot 2014-06-09 at 15.29.22
Routes section is easy, its remote network
Click the Advanced section , you will see the configuration of VPN but you have to understand which one is Phase1 and Phase 2 , very good , lovely
Screen Shot 2014-06-09 at 15.29.52
We find a pptx file after almost 50-100 search on Google , i know you thing maybe i m searching wrong key words , i m accepting 😀
This slide actually do not equal defaults but it help us a lot but funny thing you can see that there is no timeout for key life values for Phase 2 also we discover the Phase 1 key life from this slide too also you can find it from powershell “Get-VpnS2SInterface” command

Screen Shot 2014-06-09 at 17.43.48

We used related configuration for us

Screen Shot 2014-06-09 at 15.30.34

Easy part , go to Forti , which traditionally we know everything how to configure 😀

Screen Shot 2014-06-09 at 15.14.38
Phase 2
Screen Shot 2014-06-09 at 15.22.58
Rule for Forti
Screen Shot 2014-06-09 at 15.45.50
Monitor VPN Connectivity

Screen Shot 2014-06-09 at 15.33.10

Ping it or Remote it
Screen Shot 2014-06-09 at 15.59.57
Hope this article help for everyone