Vpn Gateway drops ports

Marco Mancini 60 Reputation points
2023-10-18T16:57:45.7566667+00:00

I hope this message finds you well. We currently have a VPN connection established between our on-premises Palo Alto firewall and the Azure VPN Gateway. However, we've encountered an issue where certain traffic appears to be dropped by the VPN gateway.

Specifically, when attempting to reach our on-premises destination on port TCP 3660 from VMA in Azure, the traffic not only fails but also does not appear in the on-premises firewall logs, suggesting that it may be blocked at an earlier stage in the connection path. The flow of traffic is as follows: VMA -> Palo Alto in Azure -> VPN gateway -> On-premises Palo Alto (serving as the VPN local gateway and firewall) -> destination Virtual Machine (VMB).

We have successfully established connectivity between VMA and VMB, as evidenced by successful ping and traceroute tests. Additionally, connections towards ports 8080 and 443 are reaching the on-premises firewall successfully. However, we are encountering issues with port 3660, which is not even reaching the on-premises firewall (no logs, no packets).

Our network security group (NSG) and firewall rules have been configured to allow the relevant traffic, and we have attempted to resolve the issue by resetting the connection and the VPN Gateway, unfortunately without success. It's important to note that no traffic selectors are set up on either side.

Any assistance or guidance you can provide to help resolve this issue would be highly appreciated.

Thank you for your attention and support.

Best regards,

Marco


Accepted answer
    KapilAnanth-MSFT 49,621 Reputation points Microsoft Employee Moderator
    2023-10-20T06:17:28.3866667+00:00

    @Marco Mancini

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you are experiencing packet drop/connectivity issue while accessing on-premises destination TCP port 3660 from a VM in Azure.

    Looking at your verbatim, it looks like you are facing a firewall issue and not a packet drop issue.

    The network path is:

    VM A -> Palo Alto in Azure (NVA) -> VPN gateway -> On-premises Palo Alto -> VM B (OnPrem server)

    To troubleshoot this, I suggested:

    • Collect packet captures at every hop above and check whether the packet was received at that hop or not.

    Also, validate:

    • Is the NVA in Azure logging the traffic for destination port 3660?
      • Is it visible in the NVA, and is the NVA allowing the traffic?
    • Can you bypass the NVA and give it a try?
    • To check the NSG, you can use either IP flow verify or NSG diagnostics.
      • This will "simulate" traffic and will point out if an NSG rule blocks/allows a packet.

    Meanwhile, you informed us the issue is not reproducible without the NVA in picture, and you have contacted the NVA vendor.

    Hope you isolate the issue and resolve it.

    Thanks,

    Kapil


    Please Accept an answer if correct.

    Original posters help the community find answers faster by identifying the correct answer.
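The NSG check and the per-hop packet capture suggested in the answer, scripted with Az PowerShell, as an added example that is not part of the question or the answer. The resource group, VM name and the private IPs of VM A and VM B are placeholders; the capture requires the Network Watcher VM extension on VM A.

```powershell
# Added example: IP flow verify and a filtered packet capture on VM A,
# scoped to the failing destination port TCP 3660 (Az.Network module, signed-in session).
$rg     = "rg-hub-PLACEHOLDER"   # resource group of VM A (placeholder)
$vmName = "VMA"                  # Azure VM from the question
$vmAIp  = "10.10.0.4"            # VM A private IP (constructed)
$vmBIp  = "192.168.50.20"        # on-premises VM B (constructed)

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
# Network Watcher instance for the VM's region
$nw = Get-AzNetworkWatcher -Location $vm.Location

# 1) NSG simulation: compare the failing port with one the poster says works (443).
#    If 3660 returns Allow here, the NSG is not the hop that drops the flow.
foreach ($port in 3660, 443) {
    $result = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw `
        -TargetVirtualMachineId $vm.Id -Direction Outbound -Protocol TCP `
        -LocalIPAddress $vmAIp -LocalPort 50000 `
        -RemoteIPAddress $vmBIp -RemotePort $port
    "Outbound TCP {0} -> {1}:{2} : {3} (rule: {4})" -f `
        $vmAIp, $vmBIp, $port, $result.Access, $result.RuleName
}

# 2) First-hop capture on VM A, filtered to TCP/3660 towards VM B, so the trace
#    answers "did VM A send the SYN, and did anything come back?" without noise.
$filter = New-AzPacketCaptureFilterConfig -Protocol TCP `
    -RemoteIPAddress $vmBIp -RemotePort 3660
New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -PacketCaptureName "vma-tcp3660" `
    -LocalFilePath "/var/captures/vma-tcp3660.cap" `   # path on VM A (Linux VM assumed)
    -TimeLimitInSeconds 120 -Filter $filter
```

Repeat the same filtered capture on the NVA and on the on-premises firewall while reproducing the connection; the first hop whose capture shows the SYN arriving but not leaving is the one dropping port 3660.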

