Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,147 questions
Site 2 site between azure and local FortiGate device
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 4%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Abdel Aziz Khaled Mahmoud
20
Reputation points
Hello my dears,
I tried to create a site 2 site between Azure and the on-prem site by using a local Fortigate device.
I did the Azure side and Fortigate side and connected, I can ping from Az VM to the local gateway on-prem(192.168.1.9). the status on FortiGate UP.
I need everyone on the on-prem site can connect to the VM.
All users can't ping or connect RDP on Az VM
{count} votes
-
KapilAnanth-MSFT 23,406 Reputation points Microsoft Employee2023-08-29T13:26:58.4966667+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you have configured a S2S Connection between Azure VPN Gateway and your OnPrem VPN Device.
Users from Azure VMs can access Azure resources.
However, users from OnPrem devices are not able to ping/reach Azure VMs.
- Are you able to ping from Azure VM to any of the OnPrem servers?
- Please check TCP Connections as well, not only ping
- Open Powershell from a server and run
tnc <AzureVMPrivateIP> -p 3389
- Open Powershell from a server and run
- Azure VMs, by default, have ICMP ping blocked at the OS level.
- To enable ICMP, open CMD as admin and run
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
- To enable ICMP, open CMD as admin and run
- Check the NSG of the Azure VM to which you want to have access
- Check IP Flow verify for inbound direction and outbound direction
- Refer : https://learn.microsoft.com/en-us/azure/network-watcher/diagnose-vm-network-traffic-filtering-problem
-
- Local Port : 3389
- Remote IP : IP of the OnPrem server
- Local Port : 3389
-
- Refer : https://learn.microsoft.com/en-us/azure/network-watcher/diagnose-vm-network-traffic-filtering-problem
- Please check the NIC Effective Routes and see if the OnPrem address range is learned or not?
-
The OnPrem routes should be visible here
-
Cheers,
Kapil
-
KapilAnanth-MSFT 23,406 Reputation points Microsoft Employee
2023-08-31T09:22:19.8333333+00:00 Could you please provide an update on this post?
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
-
KapilAnanth-MSFT 23,406 Reputation points Microsoft Employee
2023-09-01T06:54:49.31+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
Thanks,
Kapil
-
Abdel Aziz Khaled Mahmoud 20 Reputation points
2023-09-01T07:07:23.2933333+00:00 Hello my dear,
regarding connectivity its up on firewall and connected in Azure VPN.
I can only ping from any VMs on azure to only gateway local on-prem and i can't ping on any devices in on-prem site, only gateway site reply (192.168.1.9).
I can't ping from on-prem to Azure VM or gateway or anything on azure.
Thanks in advance,
-
KapilAnanth-MSFT 23,406 Reputation points Microsoft Employee
2023-09-01T07:17:40.27+00:00 It is possible that your Gateway/VPN Device is not able to route to other OnPrem devices.
I would highly recommend if you can,
- Check IP Flow verify for inbound direction and outbound direction
- Refer : https://learn.microsoft.com/en-us/azure/network-watcher/diagnose-vm-network-traffic-filtering-problem
-
- Local Port : 3389
- Remote IP : IP of the OnPrem server
- Please check the NIC Effective Routes and see if the OnPrem address range is learned or not?
-
The OnPrem routes should be visible here
Cheers,
Kapil
-
msrini-MSFT 8,261 Reputation points Microsoft Employee2023-09-02T04:51:43.82+00:00 Hi,
When an IPSec tunnel builds up, you will need to define your local address and remote address in your Fortigate device. From Azure standpoint, you can check the effective routes of the VM to figure out what routes are actually learnt from On-Premises. based on that information, you can figure out if your intentional routes are being advertised by Fortigate device or not. If not, you will need to work with your Fortigate team to advertise that route to Azure VPN gateway.
Regards,
Karthik Srinivas
-
KapilAnanth-MSFT 23,406 Reputation points Microsoft Employee
2023-09-05T06:28:09.5966667+00:00 Could you please provide an update on this post?
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
-
KapilAnanth-MSFT 23,406 Reputation points Microsoft Employee
2023-09-06T09:05:56.46+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
Thanks,
Kapil
-
Abdel Aziz Khaled Mahmoud 20 Reputation points
2023-09-21T07:12:17.85+00:00 Dears,
Could you involve the link that shows the steps on Fortigate?
thank you
-
KapilAnanth-MSFT 23,406 Reputation points Microsoft Employee
2023-09-26T06:06:07.2833333+00:00 I am afraid the community members of Microsoft Q&A forum may not be aware of the configuration steps in a 3rd party device.
I would suggest you to reach out to your 3rd party vendor to assist you with the configuration from their end.
Cheers,
Kapil
Sign in to comment