Azure Wan VPN Azure Firewall Routing Issue

I have a secured WAN with firewall and routing intent configured (internet and private ) traffic going through firewall.

After creating a VPN site and connection to the HUB, i can confirm that the tunnel is UP and i see the on-premise's subnets propagated to the firewall's route table.

Firewall logs show the traffic from Vnet to On-premise being allowed but ping and traceroute fails.

Packet capture from VPN Gateway doesn´t show VNET -> OnPremise traffic, only packets coming from OnPremise -> VNET.

Diego Fernandes Spinola Castro 0 Reputation points

2023-08-31T01:53:25.53+00:00

Here is the topology, the issue is between any vnet connected to the hub to rodcikev2 .

Routing Intent:

Effective Routes:
KapilAnanth-MSFT 35,416 Reputation points Microsoft Employee

2023-08-31T08:50:38.28+00:00
@Diego Fernandes Spinola Castro

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are configuring a new S2S Connection between Azure vHUB and an Onprem site.

I see that you are using a secured hub with Routing intent configured for private ranges.

Since this is a new set up, there could be a lot of reasons as to why traffic is not flowing.

Wrt, "Firewall logs show the traffic from Vnet to On-premise being allowed but ping and traceroute fails."

Can you try using TCP pings ?

Open Powershell as admin and run tnc <REMOTEIP> -p 3389

Or make sure ICMP pings are allowed in Onprem machines OS, OnPrem Firewall, Azure NSGs and in Azure VM's OS?

Check the effective routes of an Azure VM , and see if the next Hop is pointing to the vHUB/Firewall

For Testing purpose,

Can you remove routing intent for Private traffic and bypass the Azure firewall and see if that works?

Are you stating that OnPrem --------> Azure works?

Or both the directions fail?

Can you collect packet captures at the OnPrem and Azure VM while,

Initiate traffic from Azure VM to OnPrem Server and see if the packets reach the OnPrem server?

And

Initiate traffic from OnPrem Server to Azure VM and see if the packets reach the Azure server?

Cheers,

Kapil
KapilAnanth-MSFT 35,416 Reputation points Microsoft Employee

2023-09-01T06:35:21.36+00:00

@Diego Fernandes Spinola Castro

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil
Diego Fernandes Spinola Castro 0 Reputation points

2023-09-01T21:13:59.8566667+00:00

Hello, thank you for the answer.

I did resolve my issue setting the remote network CIDR properly.

Thank you
KapilAnanth-MSFT 35,416 Reputation points Microsoft Employee

2023-09-06T09:05:24.1766667+00:00

@Diego Fernandes Spinola Castro

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
KapilAnanth-MSFT 35,416 Reputation points Microsoft Employee

2023-09-07T13:32:20.31+00:00

@Diego Fernandes Spinola Castro

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil

1 answer

KapilAnanth-MSFT 35,416 Reputation points Microsoft Employee

2023-09-05T06:13:56.8366667+00:00

@Diego Fernandes Spinola Castro

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are configuring a new S2S Connection between Azure vHUB and an Onprem site.

I see that you are using a secured hub with Routing intent configured for private ranges.

You informed that us that the Remote Network CIDR was misconfigured and fixing this resolved the issue.

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your resolution.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment