Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
Gateway Subnet is blocking traffic
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 43%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVA%3C/text%3E%3C/svg%3E)
Valentino Adam
1
Reputation point
Need help from the whole community:
communication from VM PROD to Site A is without issue and vice versa. From from VM PROD to Site B is also without issue, but the communication from Site B is blocked at the PROD gateway. Traffic is blocked at the 10.0.10.1!
Azure VPN Gateway
{count} votes
-
GitaraniSharma-MSFT 50,186 Reputation points Microsoft Employee Moderator2021-12-22T10:49:28.387+00:00 Hello @Valentino Adam ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
From your diagram, I understand that the site to site VPN between Azure and the on-prem sites is via some NVA and not Azure VPN gateway, is that correct?
Although you have mentioned that there is a peering between PROD-Vnet and IPSec-B-Vnet, it is not visible in the diagram. In the diagram, the peerings are only showing between PROD-Vnet<--->IPSec-A-Vnet and IPSec-A-Vnet<--->IPSec-B-Vnet. Could you please confirm this?
If a peering is available between PROD-Vnet<--->IPSec-B-Vnet, could you check if allow forwarded traffic is enabled in the peering of the IPSec-B-Vnet?
Regards,
Gita -
Valentino Adam 1 Reputation point
2021-12-22T11:11:13.757+00:00 Sorry, i have corrected the diagram.
Appliance that i'm using is OPNSense and is available on Azure market:
https://azuremarketplace.microsoft.com/en-en/marketplace/apps/decisosalesbv.opnsense?tab=OverviewForwarding traffic is available in the peering between PROD-vnet and IPSec-B-Vnet:
-
GitaraniSharma-MSFT 50,186 Reputation points Microsoft Employee Moderator
2021-12-22T11:36:43.573+00:00 Hello @Valentino Adam ,
Thank you for the update.
Is there any NSG on the VM PROD Network Interface or PROD-subnet denying inbound traffic from Site B?
Regards,
Gita -
Valentino Adam 1 Reputation point
2021-12-22T11:43:24.817+00:00 There is NSG, but is configured exactly as for Site A, basically Site B is a clone from Site A.
-
GitaraniSharma-MSFT 50,186 Reputation points Microsoft Employee Moderator
2021-12-22T14:05:39.917+00:00 @Valentino Adam , are you able to access Prod-Vnet VM from IPSec-B-Vnet VM?
When you say "Traffic is blocked at the 10.0.10.1", how are you validating that? By traceroute? -
Valentino Adam 1 Reputation point
2021-12-22T16:15:03.707+00:00 Yes, from Site-B traceroute stops at 10.0.10.1.
-
GitaraniSharma-MSFT 50,186 Reputation points Microsoft Employee Moderator
2021-12-23T11:00:17.09+00:00 @Valentino Adam , request you to provide the below details:
1) Are you able to access Prod-Vnet VM from IPSec-B-Vnet VM?
2) Could you run a continuous ping or psping from Site B to VM PROD and take packet captures on the NVA (both the interfaces - untrusted & trusted) and the PROD VM to check if the traffic is coming through? -
Valentino Adam 1 Reputation point
2021-12-23T11:46:08.86+00:00 - From IPSec-B-Vnet VM i can ping, ssh, curl applications and everything, no issue here
- From Site B to PROD VM psping is
Request timed out. Package capture info isEcho (ping) request id=0x0001, seq=14/3584, ttl=253 (no response found!). Telnet from PROD VM to Site-B VM on port 3389, i got info with netstat -n:tcp 0 1 10.0.10.4:42140 10.40.0.4:3389 SYN_SENTand no ESTABLISHED connection.
Tracert from Site-B VM to PROD-VM with 5 hops:
Tracing route to 10.0.10.4 over a maximum of 5 hops 1 <1 ms <1 ms <1 ms fw01 [10.40.0.1]
2 235 ms 240 ms 235 ms [10.0.91.4]
3 221 ms 233 ms 221 ms [10.0.10.1]
4 * * * Request timed out.
5 * * * Request timed out.
How can i do a diagnostic on Vnet? a did on network card but there is no useful information.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 63%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMY%3C/text%3E%3C/svg%3E)
Mohammed Yunus Ulla 1 Reputation point Microsoft Employee Moderator2021-12-23T12:30:37.717+00:00 - Just not to miss basic things, when you say site B is clone of site A, did you had a chance to add site B address prefix in NSG on VM Prod?
- will IPSec server B just forward the traffic or will it translate(NAT/proxy) with its IP to VM Prod? if it translates then have you added IPSec server B address prefix in NSG?
- did you had a chance to remove NSG and test, just to rule out its not NSG?
- Package capture info is Echo (ping) request id=0x0001, seq=14/3584, ttl=253 (no response found!). -->if this is collected on IPSec B server correct then were you able to see any incoming traffic on VM prod in packet captures from site B?
- were you able to ping/telnet/RDP from IPSec server B untrust interface to prod VM?
-
GitaraniSharma-MSFT 50,186 Reputation points Microsoft Employee Moderator
2021-12-28T15:43:29.977+00:00 @Valentino Adam , were you able to check the points suggested by @Mohammed Yunus Ulla ? Do you have any further updates on this issue?
-
GitaraniSharma-MSFT 50,186 Reputation points Microsoft Employee Moderator
2022-01-03T03:06:09.09+00:00 @Valentino Adam , do you have any further updates on this issue?
-
GitaraniSharma-MSFT 50,186 Reputation points Microsoft Employee Moderator
2022-01-06T11:14:13.777+00:00 Hello @Valentino Adam ,
Could you please provide an update on this post?
Kindly let us know if you need further assistance on this issue.
Regards,
Gita
Sign in to comment
Sign in to answer