Gateway Subnet is blocking traffic
Need help from the whole community:
Communication from VM PROD to Site A is without issue and vice versa. From VM PROD to Site B is also without issue, but the communication from Site B is blocked at the PROD gateway. Traffic is blocked at the 10.0.10.1!
Azure VPN Gateway
-
GitaraniSharma-MSFT 49,601 Reputation points • Microsoft Employee
2021-12-22T10:49:28.387+00:00 Hello @Valentino Adam ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
From your diagram, I understand that the site to site VPN between Azure and the on-prem sites is via some NVA and not Azure VPN gateway, is that correct?
Although you have mentioned that there is a peering between PROD-Vnet and IPSec-B-Vnet, it is not visible in the diagram. In the diagram, the peerings are only showing between PROD-Vnet<--->IPSec-A-Vnet and IPSec-A-Vnet<--->IPSec-B-Vnet. Could you please confirm this?
If a peering is available between PROD-Vnet<--->IPSec-B-Vnet, could you check if allow forwarded traffic is enabled in the peering of the IPSec-B-Vnet?
Regards,
Gita -
Valentino Adam 1 Reputation point
2021-12-22T11:11:13.757+00:00 Sorry, I have corrected the diagram.
The appliance that I'm using is OPNsense and is available on the Azure marketplace:
https://azuremarketplace.microsoft.com/en-en/marketplace/apps/decisosalesbv.opnsense?tab=Overview
Forwarded traffic is allowed in the peering between PROD-vnet and IPSec-B-Vnet:
-
GitaraniSharma-MSFT 49,601 Reputation points • Microsoft Employee
2021-12-22T11:36:43.573+00:00 Hello @Valentino Adam ,
Thank you for the update.
Is there any NSG on the VM PROD Network Interface or PROD-subnet denying inbound traffic from Site B?
Regards,
Gita -
Valentino Adam 1 Reputation point
2021-12-22T11:43:24.817+00:00 There is an NSG, but it is configured exactly as for Site A; basically Site B is a clone of Site A.
-
GitaraniSharma-MSFT 49,601 Reputation points • Microsoft Employee
2021-12-22T14:05:39.917+00:00 @Valentino Adam , are you able to access Prod-Vnet VM from IPSec-B-Vnet VM?
When you say "Traffic is blocked at the 10.0.10.1", how are you validating that? By traceroute? -
Valentino Adam 1 Reputation point
2021-12-22T16:15:03.707+00:00 Yes, from Site-B traceroute stops at 10.0.10.1.
-
GitaraniSharma-MSFT 49,601 Reputation points • Microsoft Employee
2021-12-23T11:00:17.09+00:00 @Valentino Adam , request you to provide the below details:
1) Are you able to access Prod-Vnet VM from IPSec-B-Vnet VM?
2) Could you run a continuous ping or psping from Site B to VM PROD and take packet captures on the NVA (both the interfaces - untrusted & trusted) and the PROD VM to check if the traffic is coming through? -
Valentino Adam 1 Reputation point
2021-12-23T11:46:08.86+00:00 - From the IPSec-B-Vnet VM I can ping, ssh, curl applications and everything, no issue here.
- From Site B to PROD VM, psping gives "Request timed out".
- Packet capture info is: Echo (ping) request id=0x0001, seq=14/3584, ttl=253 (no response found!)
- Telnet from PROD VM to Site-B VM on port 3389; with netstat -n I got this info:
tcp 0 1 10.0.10.4:42140 10.40.0.4:3389 SYN_SENT
and no ESTABLISHED connection.
Tracert from Site-B VM to PROD-VM with 5 hops:
Tracing route to 10.0.10.4 over a maximum of 5 hops
  1    <1 ms    <1 ms    <1 ms  fw01 [10.40.0.1]
  2   235 ms   240 ms   235 ms  [10.0.91.4]
  3   221 ms   233 ms   221 ms  [10.0.10.1]
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
How can I do a diagnostic on the Vnet? I did one on the network card but there is no useful information.
-
Mohammed Yunus Ulla 1 Reputation point • Microsoft Employee
2021-12-23T12:30:37.717+00:00 - Just so we don't miss the basic things: when you say Site B is a clone of Site A, did you have a chance to add the Site B address prefix to the NSG on VM Prod?
- Will IPSec server B just forward the traffic, or will it translate (NAT/proxy) with its own IP to VM Prod? If it translates, then have you added the IPSec server B address prefix to the NSG?
- Did you have a chance to remove the NSG and test, just to rule out that it's not the NSG?
- "Packet capture info is Echo (ping) request id=0x0001, seq=14/3584, ttl=253 (no response found!)" --> if this was collected on IPSec server B, were you able to see any incoming traffic from Site B in packet captures on VM Prod?
- Were you able to ping/telnet/RDP from the IPSec server B untrust interface to the Prod VM?
-
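The two things asked for above (does VM PROD have a route back to the Site B prefix, and does the NSG admit it) can be checked offline from the NIC's effective state rather than by guessing from traceroute. The Python below is an added example and is not code from this thread, from OPNsense or from Azure: it takes data in the (simplified) shape returned by `az network nic show-effective-route-table` and `az network nic list-effective-nsg`, does the longest-prefix-match route lookup and first-match NSG evaluation the Azure fabric does, and models the VirtualNetwork service tag as Azure documents it (the VNet address space, peered VNets and the prefixes of user-defined routes), which is why a missing UDR for a site can also surface as a deny by the default NSG rule. All addresses, the /24 masks, the Site A prefix 10.30.0.0/24, the NVA next hops 10.0.90.4 and 10.0.91.4 and the rule set are constructed sample data, not the poster's configuration.

```python
"""Offline check of the two Azure data-plane gates a reply packet must pass:
the NIC's effective route table (longest-prefix match) and the effective NSG
(lowest priority number wins, first match ends evaluation).
Added example; all sample data below is constructed."""
import ipaddress


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


# Constructed sample in the (simplified) shape of
#   az network nic show-effective-route-table -g <rg> -n <nic>
# for the VM PROD NIC. Masks, the Site A prefix and NVA addresses are assumptions.
EFFECTIVE_ROUTES = [
    {"addressPrefix": "10.0.10.0/24", "nextHopType": "VnetLocal", "nextHopIpAddress": None, "source": "Default", "state": "Active"},
    {"addressPrefix": "10.0.91.0/24", "nextHopType": "VNetPeering", "nextHopIpAddress": None, "source": "Default", "state": "Active"},
    # Site A works: a UDR sends its prefix to the NVA A trusted interface (constructed)
    {"addressPrefix": "10.30.0.0/24", "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.90.4", "source": "User", "state": "Active"},
    {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet", "nextHopIpAddress": None, "source": "Default", "state": "Active"},
]
# The route a "clone" of Site A would also need: Site B prefix via the NVA B trusted IP (constructed)
SITE_B_UDR = {"addressPrefix": "10.40.0.0/24", "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "10.0.91.4", "source": "User", "state": "Active"}
VNET_PREFIXES = ["10.0.10.0/24"]  # PROD-Vnet address space (assumed)

# Constructed sample in the (simplified) shape of
#   az network nic list-effective-nsg -g <rg> -n <nic>
NSG_RULES = [
    {"name": "Allow-SiteA", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "10.30.0.0/24", "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]


def lookup_route(dest_ip, routes):
    """Longest-prefix match over Active routes, as the Azure fabric does."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for r in routes:
        if r.get("state", "Active") != "Active":
            continue
        net = _net(r["addressPrefix"])
        if ip in net and (best is None or net.prefixlen > _net(best["addressPrefix"]).prefixlen):
            best = r
    return best


def diagnose_return_path(dest_ip, routes, expected_nva_ip):
    """Classify where the VM would send its reply: ok / asymmetric / no-udr."""
    r = lookup_route(dest_ip, routes)
    if r is None:
        return ("no-route", None)
    if r["nextHopType"] == "VirtualAppliance":
        return ("ok" if r["nextHopIpAddress"] == expected_nva_ip else "asymmetric", r)
    # Default system routes (Internet / None / VnetLocal) never lead back to an on-prem site.
    return ("no-udr", r)


def virtual_network_tag(routes, vnet_prefixes):
    """Prefixes covered by the VirtualNetwork service tag: own VNet space,
    peered VNets, and the prefixes of user-defined routes (per Azure docs)."""
    nets = [_net(p) for p in vnet_prefixes]
    for r in routes:
        if r["nextHopType"] == "VNetPeering" or r["source"] == "User":
            nets.append(_net(r["addressPrefix"]))
    return nets


def _addr_matches(prefix_field, ip, vnet_tag):
    if prefix_field == "*":
        return True
    if prefix_field == "VirtualNetwork":
        return any(ip in n for n in vnet_tag)
    if prefix_field[0].isalpha():
        return False  # other service tags are not modelled here
    return ip in _net(prefix_field)


def _port_matches(rng, port):
    if rng == "*":
        return True
    if "-" in rng:
        lo, hi = (int(x) for x in rng.split("-"))
        return lo <= port <= hi
    return int(rng) == port


def evaluate_nsg(rules, direction, src_ip, dst_ip, dst_port, proto, vnet_tag):
    """First matching rule in priority order wins; returns (rule name, access)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted((r for r in rules if r["direction"] == direction), key=lambda r: r["priority"]):
        if ((rule["protocol"] == "*" or rule["protocol"].lower() == proto.lower())
                and _addr_matches(rule["sourceAddressPrefix"], s, vnet_tag)
                and _addr_matches(rule["destinationAddressPrefix"], d, vnet_tag)
                and _port_matches(rule["destinationPortRange"], dst_port)):
            return (rule["name"], rule["access"])
    return (None, "Deny")


if __name__ == "__main__":
    status, route = diagnose_return_path("10.40.0.4", EFFECTIVE_ROUTES, "10.0.91.4")
    print("reply to 10.40.0.4:", status, route["addressPrefix"], "->", route["nextHopType"])
    tag = virtual_network_tag(EFFECTIVE_ROUTES, VNET_PREFIXES)
    print("inbound 10.40.0.4 -> 10.0.10.4:22:", evaluate_nsg(NSG_RULES, "Inbound", "10.40.0.4", "10.0.10.4", 22, "Tcp", tag))
```

Run against real output, replace the constructed lists with the `effectiveSecurityRules` and route entries from the two `az` commands for the VM PROD NIC. The check is worth repeating on the NVA's trusted-interface NIC, since a UDR applied to the PROD subnet but not to the NVA subnet gives exactly the one-direction symptom (SYN_SENT, no ESTABLISHED) that a blocked return path produces.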
GitaraniSharma-MSFT 49,601 Reputation points • Microsoft Employee
2021-12-28T15:43:29.977+00:00 @Valentino Adam , were you able to check the points suggested by @Mohammed Yunus Ulla ? Do you have any further updates on this issue?
-
GitaraniSharma-MSFT 49,601 Reputation points • Microsoft Employee
2022-01-03T03:06:09.09+00:00 @Valentino Adam , do you have any further updates on this issue?
-
GitaraniSharma-MSFT 49,601 Reputation points • Microsoft Employee
2022-01-06T11:14:13.777+00:00 Hello @Valentino Adam ,
Could you please provide an update on this post?
Kindly let us know if you need further assistance on this issue.
Regards,
Gita