P2S VPN - Connects but can't ping or access resources

Justin Williams 1 Reputation point
2021-05-24T19:45:06.567+00:00

I'm working on my own learning/test environment, and have configured the VPN gateway to the point where I can successfully connect to it from an Azure-joined and logged into workstation. However, I cannot ping or reach any resources across the VPN by IP. It's almost as if the Gateway doesn't recognize it's connected to the rest of the VNET/Subnets. I've tried to research this issue but there's nothing out there that says I need to tell the gateway what it can/can't route to within the VNET.

I currently have only two VNETs setup, one that was created for AADDS and one for everything else. That VNET has IP's set the following way:

Overall Address Space - 10.168.240.0/24

Production - 10.168.240.0/25
Development - 10.168.240/26
GatewaySubnet - 10.168.240.192/28

The production subnet has a storage account, with file shares setup. The storage account and file shares have permissions set on them so I'm allowed to access them. They also are set to allow all VNETs and all Subnets to connect as selected networks. The storage account does have ADDS enabled. haven't changed any settings other than those listed so far on storage. The storage account has a private endpoint of 10.168.240.6.

The gateway, in it's "Properties" section does list the subnet as GatewaySubnet (10.168.240.192/28). However it is not listed as having any IP in that subnet in the virtual network/subnet view. The Point-To-Site configuration is set to use 10.168.241/24 as the address pool for connected clients, and it does give out an address there.

As I mentioned, the only glaring thing I can see is that in my VNET overview, I see the storage account as having an IP in the Production subnet (10.168.240.6) but the gateway is listed as having no IP, but is correctly associated with GatewaySubnet (10.168.240.192/28).

In my on-prem networking experience, this whole scenario would point to the gateway not having an IP in the VNET as the problem, but I can't for the life of me figure out why. Either azure doesn't assign it one/doesn't need one (?) or something else needs to be done? Or, something completely unrelated to IP needs to be done to allow the gateway to pass traffic along to the other subnets?

I've used the network watcher topology report to see that yes, the gateway is noted as being tied in to the overall VNET along with the other subnets. In my tests the PC connected via P2S VPN can only ping the gateway's address inside the P2S pool, and NOTHING else. So I can ping 10.168.241.1 just fine. In the PC's configuration, it does list the Azure DNS starting with 168, but I can't ping that, nor can I ping the storage account's private endpoint on the production subnet.

Thoughts? I'm hoping I'm missing something silly.

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,304 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,019 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. SaiKishor-MSFT 17,126 Reputation points
    2021-05-27T01:55:07.047+00:00

    @Justin Williams Thank you for reaching out to Microsoft Q&A.

    I understand that you are connected to the P2S VPN but are unable to reach any of the vnet IPs. You mentioned that the Gateway is listed as having no IP- The IP used for the vnet GW is usually not shown in the portal unless you are using a zone redundant VPN Gateway. If you are using Zone redundant Gateway, make sure to enable private IP for the same as given here in this document.

    Regarding the connectivity, can you confirm the following?

    • Are the NSGs on the subnet/VM that you are trying to reach allowing the P2S address pool range inbound i.e., 10.168.241/24?
    • Do you see a route listed for the 10.168.240.0/24 network in the clients route table?
    • What authorization do you use for the VPN and does it grant you access to the vnet?
    • Can you traceroute the traffic and provide an output for the same?

    You an also capture traffic passing through the vnet gw for more insights into the same. Here are more details for the same.

    Hope this helps. Looking forward to your update. Thank you!


  2. Carlos Robrto Domingues 1 Reputation point
    2022-09-29T19:40:29.167+00:00

    Did you set your VM to the same Vnet where's the Virtual Network Gateway is configured?


  3. Alejandro Sosa 1 Reputation point
    2022-10-17T15:02:38.957+00:00

    Have you checked the settings for the Network Security Group where your production VMs are?
    Go under the Settings section for one of your Production or Development VMs (or storage containers) and click on Networking.
    See if there are inbound rules allowing thraffic from the subnets (the GatewaySubnet in particular), before the DenyAllInBound rule at the end.

    0 comments No comments