Azure VPN Ping doesn't reach

Question

Azure VPN Ping doesn't reach

tuioku 11

I have created an azure vpn gateway and my mac and ubuntu 18.04 have a p2s connection.
However, both machines do not receive packat when pinging each other.
How can I get them to arrive?

Do I need to configure root forwarding?

■ azure vnet subnet

FrontEnd
10.1.0.0/24
GatewaySubnet
- 10.1.255.0/27
address space
- 10.0.0.0/16
- 10.1.0.0/16

■ azure vnet gateway

address pool
172.16.201.0/24
tunnel type
- openVPN

■ mac

wifi ssid
A
private ip address network interface
- eth0
  - 10.2.59.83
- utun3（vpn）
  - inet 172.16.201.4 --> 172.16.201.4
netstat -rn
172.16/24 utun3 USc utun3
172.16.201/24 link#17 UCS utun3
172.16.201.4 172.16.201.4 UH utun3
192.168.0/23 utun3 USc utun3

■ ubuntu 18.04

wifi ssid
B
private ip address network interface
- wlan0
  - 192.168.100.208
- tun0（vpn）
  - 172.16.201.3/24
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 20600 0 0 wlan0
default _gateway 0.0.0.0 UG 32766 0 0 l4tbr0
10.0.0.0 _gateway 255.255.0.0 UG 50 0 0 tun0
10.1.0.0 _gateway 255.255.0.0 UG 50 0 0 tun0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 l4tbr0
172.16.201.0 0.0.0.0 255.255.0.0 U 50 0 0 tun0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.55.0 0.0.0.0 255.255.255.0 U 0 0 0 l4tbr0
192.168.100.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0

KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2022-08-29T04:32:40.503+00:00
Hi @tuioku ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to ping from one P2S Client machine to another via VPN Gateway as transit.

Please correct me if my understanding is wrong.

Before checking Client-----Client connectivity, I would request you to make sure each client is able to ping a machine in Azure.

Make sure there are no firewall blockers for ICMP ping

You can try to do a telnet/TCP Ping for scenarios where ICMP may be blocked

Please let us know if you are able to reach VMs in Azure from each remote P2S client or not?
This shall help us isolate the problem.

Thanks,
Kapil
tuioku 11 Reputation points

2022-08-29T07:47:10.377+00:00

Thank you very much.

I was able to confirm the connection with the azure gateway ip address. mac pc is connected to the router.
so mac has a private ip address (192.168.100.240) .

for sending ping to mac has 192.168.100.240 from azure vm on azure, what should I do ?
tuioku 11 Reputation points

2022-08-29T07:52:19.43+00:00

Also, I get an error from vm when I use wget to get the file from mac.
What can I do to resolve this?

■ mac
wget http://10.1.0.4:8080/test1.txt
--2022-08-29 16:50:12-- (試行: 2) http://10.1.0.4:8080/test1.txt
10. 1.0.4:8080 に接続しています... 失敗しました: Connection refused.

■ azure vm
azureuser@vpn-test:~/workspace/tmp$ http-server -p 8080 .
Starting up http-server, serving .

http-server version: 14.1.1

Available on:
http://127.0.0.1:8080
http://10.1.0.4:8080
Hit CTRL-C to stop the server

[Mon Aug 29 2022 07:50:11 GMT+0000 (Coordinated Universal Time)] "GET /test1.txt" "Wget/1.21.3"
_http_outgoing.js:470
throw new ERR_HTTP_HEADERS_SENT('set');
^

Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
at ServerResponse.setHeader (_http_outgoing.js:470:11)
at module.exports.ResponseStream.(anonymous function) [as setHeader] (/usr/local/lib/node_modules/http-server/node_modules/union/lib/response-stream.js:100:34)
at Object.exports.(anonymous function) (/usr/local/lib/node_modules/http-server/lib/core/status-handlers.js:57:7)
at Readable.stream.on (/usr/local/lib/node_modules/http-server/lib/core/index.js:339:22)
at Readable.emit (events.js:198:13)
at emitErrorNT (internal/streams/destroy.js:91:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:59:3)
at process._tickCallback (internal/process/next_tick.js:63:19)
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2022-08-30T05:13:05.677+00:00

Hi @tuioku ,

You can just do a normal ICMP Ping from a VM in Azure to the MAC Client.

Or use TCPPing to connect to a particular Port.

Using Powershell, you can use the below command to ping a particular port
Test-NetConnection -ComputerName <IP of MAC from P2S VPN Pool> -InformationLevel "Detailed" -Port <Open Port in MAC>

Or from the MAC device,
You can SSH to Azure VM in Port 3389.

First, we shall try to isolate the connectivity issue between a VM in Azure and the VPN Mac Client.

Thanks,
Kapil
tuioku 11 Reputation points

2022-08-30T09:10:20.137+00:00

Thank you for your reply.

What I want to do is to communicate from a VM in a vnet via http protocol from a mac.

I want the VMs in the vnet to act as if they are on the same router.

Do I need to connect the VM on vnet instance to openVPN as well?
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2022-08-30T09:36:06.763+00:00
Hi @tuioku ,

You do not have to connect VM on Vnet to OpenVPN.

The machines will act as if the machines are in the same Network.
i.e, Routing and NSG at platform level, should allow communication by default configuration.

I understand your end Goal is to use HTTP to communicate with the Azure VM.

However, as a first step, we have to make sure they are reachable via PING/TCP

Post this, we can troubleshoot for HTTP

Can you please let me know if ICMP Ping between the servers are working or not?

Also, what about TCP? Did you get a chance to run this Powershell TCP test?
Test-NetConnection -ComputerName <IP of MAC from P2S VPN Pool> -InformationLevel "Detailed" -Port <Open Port in MAC>

Cheers,
Kapil

1 answer

Your answer

KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2022-08-29T04:32:40.503+00:00

Hi @tuioku ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to ping from one P2S Client machine to another via VPN Gateway as transit.

Please correct me if my understanding is wrong.

Before checking Client-----Client connectivity, I would request you to make sure each client is able to ping a machine in Azure.

Make sure there are no firewall blockers for ICMP ping

You can try to do a telnet/TCP Ping for scenarios where ICMP may be blocked

Please let us know if you are able to reach VMs in Azure from each remote P2S client or not?
This shall help us isolate the problem.

Thanks,
Kapil
tuioku 11 Reputation points

2022-08-29T07:47:10.377+00:00

Thank you very much.

I was able to confirm the connection with the azure gateway ip address. mac pc is connected to the router.
so mac has a private ip address (192.168.100.240) .

for sending ping to mac has 192.168.100.240 from azure vm on azure, what should I do ?
tuioku 11 Reputation points

2022-08-29T07:52:19.43+00:00

Also, I get an error from vm when I use wget to get the file from mac.
What can I do to resolve this?

■ mac
wget http://10.1.0.4:8080/test1.txt
--2022-08-29 16:50:12-- (試行: 2) http://10.1.0.4:8080/test1.txt
10. 1.0.4:8080 に接続しています... 失敗しました: Connection refused.

■ azure vm
azureuser@vpn-test:~/workspace/tmp$ http-server -p 8080 .
Starting up http-server, serving .

http-server version: 14.1.1

Available on:
http://127.0.0.1:8080
http://10.1.0.4:8080
Hit CTRL-C to stop the server

[Mon Aug 29 2022 07:50:11 GMT+0000 (Coordinated Universal Time)] "GET /test1.txt" "Wget/1.21.3"
_http_outgoing.js:470
throw new ERR_HTTP_HEADERS_SENT('set');
^

Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
at ServerResponse.setHeader (_http_outgoing.js:470:11)
at module.exports.ResponseStream.(anonymous function) [as setHeader] (/usr/local/lib/node_modules/http-server/node_modules/union/lib/response-stream.js:100:34)
at Object.exports.(anonymous function) (/usr/local/lib/node_modules/http-server/lib/core/status-handlers.js:57:7)
at Readable.stream.on (/usr/local/lib/node_modules/http-server/lib/core/index.js:339:22)
at Readable.emit (events.js:198:13)
at emitErrorNT (internal/streams/destroy.js:91:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:59:3)
at process._tickCallback (internal/process/next_tick.js:63:19)
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2022-08-30T05:13:05.677+00:00

Hi @tuioku ,

You can just do a normal ICMP Ping from a VM in Azure to the MAC Client.

Or use TCPPing to connect to a particular Port.

Using Powershell, you can use the below command to ping a particular port
Test-NetConnection -ComputerName <IP of MAC from P2S VPN Pool> -InformationLevel "Detailed" -Port <Open Port in MAC>

Or from the MAC device,
You can SSH to Azure VM in Port 3389.

First, we shall try to isolate the connectivity issue between a VM in Azure and the VPN Mac Client.

Thanks,
Kapil
tuioku 11 Reputation points

2022-08-30T09:10:20.137+00:00

Thank you for your reply.

What I want to do is to communicate from a VM in a vnet via http protocol from a mac.

I want the VMs in the vnet to act as if they are on the same router.

Do I need to connect the VM on vnet instance to openVPN as well?
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2022-08-30T09:36:06.763+00:00

Hi @tuioku ,

You do not have to connect VM on Vnet to OpenVPN.

The machines will act as if the machines are in the same Network.
i.e, Routing and NSG at platform level, should allow communication by default configuration.

I understand your end Goal is to use HTTP to communicate with the Azure VM.

However, as a first step, we have to make sure they are reachable via PING/TCP

Post this, we can troubleshoot for HTTP

Can you please let me know if ICMP Ping between the servers are working or not?

Also, what about TCP? Did you get a chance to run this Powershell TCP test?
Test-NetConnection -ComputerName <IP of MAC from P2S VPN Pool> -InformationLevel "Detailed" -Port <Open Port in MAC>

Cheers,
Kapil

Answer 1

Jackson Martins 10,606 MVP Volunteer Moderator

Hi @tuioku

I think the same issue is being addressed in this thread.

Are trying to ping 172.16.201.3 <-> 172.16.201.4 ?
Did you check the internal firewall from the machines?
On any VM on Azure, can you ping the client?

You don't need any additional configuration for this communication to work

Best

tuioku 11 Reputation points

2022-08-29T06:51:58.237+00:00

Thank you for your reply.

I was able to send a ping from mac or jetson (ubuntu 18.04) on azure
VM on azure from mac or jetson (ubuntu 18.04).

However, pinging from azure vm on azure vnet to mac times out.

Do VMs on azure also need to join openVPN?

■ mac （private IP Address 192.168.100.240）
ping 10.1.0.4
PING 10.1.0.4 (10.1.0.4): 56 data bytes
64 bytes from 10.1.0.4: icmp_seq=0 ttl=64 time=15.291 ms
64 bytes from 10.1.0.4: icmp_seq=1 ttl=64 time=40.406 ms
64 bytes from 10.1.0.4: icmp_seq=2 ttl=64 time=9.998 ms

■ azure vm on azure vnet
azureuser@vpn-test:~/workspace/tmp$ ping 192.168.100.240
PING 192.168.100.240 (192.168.100.240) 56(84) bytes of data.
..
.
tuioku 11 Reputation points

2022-08-29T07:25:10.627+00:00

If it is a vpn ip address, the ping exchange between the two sides was successful.

■ mac
ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
ether 90:9c:4a:c6:a7:20
inet6 fe80::c0b:3f38:26e1:ed1e%en0 prefixlen 64 secured scopeid 0x6
inet 192.168.100.240 netmask 0xffffff00 broadcast 192.168.100.255
utun9: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
inet 172.16.201.4 --> 172.16.201.4 netmask 0xffffff00

ping 10.1.0.4
PING 10.1.0.4 (10.1.0.4): 56 data bytes
64 bytes from 10.1.0.4: icmp_seq=0 ttl=64 time=9.807 ms

■ vm
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:22:48:68:41:f6 brd ff:ff:ff:ff:ff:ff
inet 10.1.0.4/24 brd 10.1.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::222:48ff:fe68:41f6/64 scope link
valid_lft forever preferred_lft forever

ing 172.16.201.4
PING 172.16.201.4 (172.16.201.4) 56(84) bytes of data.
64 bytes from 172.16.201.4: icmp_seq=1 ttl=64 time=6.51 ms
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2022-08-29T12:05:57.173+00:00

Hi @tuioku

Your MAC's private network is not declared anywhere, so the vpn gateway will not be able to respond to the ping.

Communication will only work on the address pool network and on the azure vnet network

172.16.201.0/24

If you ping between the ips of the vpn clients it should work, such as:

from client 1 (172.16.201.3) ping to client 2 (172.16.201.4)

From 172.16.201.0/24 clients will ping to 10.0.0.0/16 and 10.1.0.0/16
tuioku 11 Reputation points

2022-08-30T00:49:16.917+00:00

Thank you for your reply.

If I want to do files and communication from mac side to VM on azure via curl or wget, what kind of configuration is needed?

■ mac
wget http://10.1.0.4:8080/test1.txt
--2022-08-29 16:50:12-- (試行: 2) http://10.1.0.4:8080/test1.txt
10. 1.0.4:8080 に接続しています... 失敗しました: Connection refused.

→ This is a request from mac to VM on azure.

■ azure vm
azureuser@vpn-test:~/workspace/tmp$ http-server -p 8080 .
Starting up http-server, serving .

http-server version: 14.1.1

Available on:
http://127.0.0.1:8080
http://10.1.0.4:8080
Hit CTRL-C to stop the server

[Mon Aug 29 2022 07:50:11 GMT+0000 (Coordinated Universal Time)] "GET /test1.txt" "Wget/1.21.3"
_http_outgoing.js:470
throw new ERR_HTTP_HEADERS_SENT('set');

Share via

Azure VPN Ping doesn't reach

1 answer

Your answer