NLB Blocking pings from Azure VLAN presented via Azure VPN GW.

Devyn H 1 Reputation point
2020-12-21T14:41:54.763+00:00

Assume there are on-prem and Azure VLANs paired up via Azure VPN GW. NLB is configured to run in unicast. All on-prem and Azure VLANs are added to the NLB configuration.

There are two network interfaces on the Windows Server machine, one for NLB traffic, the other, the default NIC, for the host.

What works, what doesn't:

  • Ping from the Azure VM to the NLB VIP returns nothing. No echo reply.
  • Ping from a host running NLB to an Azure VM via this setup works.
  • Ping to the NLB's host IP (Not the NLB VIP) from the Azure VM works fine.
  • Pinging the NLB VIP from on-prem VLANs works fine.
  • Pinging other machines on the on-prem VLANs from the Azure VM works fine.
  • tcpdump on the Windows Server machine running NLB shows an ICMP ping request arriving at this machine on the NLB interface from the Azure VM, but nothing is returned. No traffic related to the ping appears on the host NIC.
  • Tried disabling the F/W. No luck, same result.
  • Read through posts about proxy ARP, doesn't appear this is the cause since pinging other on-prem devices from the Azure VM works and NLB is configured with unicast, not multicast.
  • Adding the MAC on the NLB host using arp -s <IP> <00-11-22-33-44-55> did not work.

What could be the issue? Could it be something with ESP packets and NLB?


1 answer

  1. Candy Luo 12,656 Reputation points Microsoft Vendor
    2020-12-22T02:50:51.723+00:00

    Hi,

    Based on your situation, we need tracing and monitoring logs to analyze the cause. However, analysis of network traffic is beyond our forum support level, and due to forum security policy we have no channel to collect user log information. So we recommend you open a case with the MS Professional tech support service; they will help you open a phone or email case with Microsoft, so that you get technical support on a one-to-one basis while keeping private information protected.

    Here is the link:

    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

    Best Regards,

    Candy
