Cannot ping Azure VMs from behind a router connected with a Site to Site IPSec tunnel.

reirem 1 Reputation point
2022-01-12T21:58:00.53+00:00

Hello there,
I have a Sophos XG firewall (running version 18) connected to Azure with a Site to Site IPSec tunnel. The LAN behind the router is 192.168.0.0/24 and the Virtual Network in Azure is 10.0.0.0/16. I have two subnets created inside the VNet: 10.0.0.0/24 and 10.0.100.0/23. I have one VM in each subnet. I have enabled pinging through both VMs' firewalls and also allowed it in the Network Security Groups for both subnets where the VMs reside. Azure VMs can ping each other without problem and also both can ping a server in my LAN (behind the Sophos router). However, I cannot ping the Azure VMs from behind the Sophos firewall, through the Site to Site IPSec VPN. If I use the public IPs for both Azure VMs, I can ping them without problem (temporarily allowed).
I have done a packet tracing in the Sophos XG firewall and a tcpdump and I see the packets going out the router when trying to ping the VMs in Azure from the LAN side. What I am missing is the return.
I have given it all I have and still cannot figure this out. Any help is GREATLY appreciated.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

1 answer

  1. SaiKishor-MSFT 17,231 Reputation points
    2022-01-27T00:06:29.183+00:00

    @reirem You can diagnose connectivity issues from on-premises to an Azure S2S VPN tunnel using Azure Network Watcher. Here is how to do the same: Troubleshooting using Azure Network Watcher.

    You can use Azure Monitor to monitor the VPN metrics to understand where the issue lies. You can check metrics such as Tunnel ingress bytes/egress bytes to understand the traffic flow.
    You can further configure packet capture for the VPN Gateway as shown in this document to capture this traffic for analysis.

    Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


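The packet capture the answer points to, like the tcpdump the question already describes, would show ICMP echo requests leaving for 10.0.0.0/16 with no echo replies coming back. As an added example (not code from either post), this Python script pairs echo requests and replies from tcpdump-style text lines by ICMP id and sequence number and reports, per destination, how many requests were sent, how many were answered, and which sequence numbers never got a reply; the capture lines and addresses are constructed to match the question's layout.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): one VM in 10.0.0.0/24
# answers, the VM in 10.0.100.0/23 never does.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.0.10 > 10.0.0.4: ICMP echo request, id 1234, seq 1, length 64
12:00:01.020000 IP 10.0.0.4 > 192.168.0.10: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000000 IP 192.168.0.10 > 10.0.100.5: ICMP echo request, id 1234, seq 2, length 64
12:00:03.000000 IP 192.168.0.10 > 10.0.100.5: ICMP echo request, id 1234, seq 3, length 64
12:00:03.500000 IP 192.168.0.10.49152 > 10.0.0.4.443: Flags [S], seq 1, length 0
"""

# Matches the ICMP echo lines tcpdump prints with -n; other traffic is skipped.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Yield (src, dst, kind, icmp_id, seq) for every ICMP echo line in text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])


def echo_summary(text):
    """Return {dst: {"sent": n, "replied": n, "unanswered_seq": [...]}} for the capture.

    A reply answers a request when it comes from the request's destination, goes
    back to the request's source, and carries the same ICMP id and seq.
    """
    pending = {}  # (src, dst, id, seq) -> True once a matching reply is seen
    for src, dst, kind, icmp_id, seq in parse_icmp(text):
        if kind == "request":
            pending.setdefault((src, dst, icmp_id, seq), False)
        else:
            key = (dst, src, icmp_id, seq)  # reply's dst is the original src
            if key in pending:
                pending[key] = True
    summary = defaultdict(lambda: {"sent": 0, "replied": 0, "unanswered_seq": []})
    for (src, dst, icmp_id, seq), answered in pending.items():
        entry = summary[dst]
        entry["sent"] += 1
        if answered:
            entry["replied"] += 1
        else:
            entry["unanswered_seq"].append(seq)
    return dict(summary)


if __name__ == "__main__":
    for dst, entry in echo_summary(SAMPLE_CAPTURE).items():
        print(f"{dst}: sent {entry['sent']}, replied {entry['replied']}, "
              f"unanswered seq {entry['unanswered_seq']}")
```

A destination that shows requests sent but zero replies over the tunnel, while the same VM answers on its public IP, suggests a return-path problem (routing back to 192.168.0.0/24) rather than the VM's own firewall.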
