Can't ping or RDP over VPN site-to-site connection

  • Question

  • I have a free Azure subscription in which I created a network and connected it to a virtual machine. I followed the procedure for creating a site-to-site connection on the Azure portal and, when completed, I could see that the network connected and data was flowing in and out of both the Azure VPN and my local device VPN. However, when I want to ping either of my Windows Server 2019 or 2016 machines on either the VM or the on-premise server, I get a timed out message. My local VPN device is a Fortigate 101E v5.6.9. Is there something I am missing?

    • Edited by olakunzo Tuesday, June 25, 2019 3:54 PM
    Tuesday, June 25, 2019 3:51 PM

All replies

  • It could simply be the local firewall on the VM OS?

    Can you telnet on an open port from server-server in either direction?

    Joe

    Tuesday, June 25, 2019 3:52 PM
  • When you set the VPN up on your on-premises, did you also add an ACL to allow access over 3389 (RDP) and for ICMP traffic?

    I've never set this up on a Fortigate before, but on Cisco devices the config you download from the Azure portal does not include an ACL to allow access. The config is only for the tunnel, as it doesn't assume you want all ports to be open.

    Thanks,

    Matt

    Tuesday, June 25, 2019 6:57 PM
  • Dear Matt,

    With Fortigate, there is a firewall policy which sets the incoming and outgoing interfaces for both outgoing and incoming traffic, which I set to "ALL" services.

    Tuesday, June 25, 2019 7:03 PM
  • Then, as Joe said, it's probably Windows Firewall on the VM, as that is enabled by default?

    Thanks,

    Matt

    Tuesday, June 25, 2019 7:05 PM
  • Firewall is disabled for both private and public connections.
    Tuesday, June 25, 2019 7:15 PM
  • Hi,

    Is the VM on the same vNET as the VPN gateway, and is the VM subnet included in the VPN config file? Can you ping from Azure to the on-prem servers?

    Is the VPN gateway in Azure active/active or just a single one?

    Thanks,

    Matt


    Tuesday, June 25, 2019 7:19 PM
  • The VM is on the same vNET as the Azure Gateway; however, the Fortigate VPN subnet isn't the same as that of Azure, so as to avoid overlapping. Azure uses 10.10.0.0 and the local server uses 10.100.0.0, passing traffic through the Fortigate device. I can't ping either the Azure or the on-premise server.
    Tuesday, June 25, 2019 7:40 PM
  • Run a tracert in both directions, where is the traffic dropping?
    Tuesday, June 25, 2019 8:14 PM
  • Hi Joe,

    So I did tracert and it was as follows:

    Azure VM timed out irrespective of the IP, including that of the on-premise server, Google and others.

    On-premise server responds accordingly until it gets to the point of entry into the Azure environment and starts timing out.

    On the Azure portal for the VM, under Networking, I have opened up all the ports for incoming and outgoing interfaces (ANY protocol).

    Thank you.


    Wednesday, June 26, 2019 12:44 PM
  • Look at the NIC attached to your Azure VM. There is a tab for effective routes.

    Do you see your local address space there with a next hop of "Virtual Network Gateway"?

    Wednesday, June 26, 2019 2:04 PM
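An added example (not from this thread or from Microsoft) of automating the effective-routes check Joe describes: it takes the route table in the JSON shape returned by `az network nic show-effective-route-table`, picks the longest-prefix match for an on-prem host the way the Azure fabric does, and reports whether that traffic goes to the gateway, leaks out the Internet default route, or is black-holed. The sample tables are constructed, and the /16 prefixes for 10.10.0.0 and 10.100.0.0 are assumptions since the thread does not give mask lengths.

```python
import ipaddress
import json

# Constructed sample in the shape of `az network nic show-effective-route-table`
# (the portal's "Effective routes" tab shows the same data). Assumed address
# spaces: Azure vNET 10.10.0.0/16, on-prem 10.100.0.0/16; gateway hop IP made up.
HEALTHY_ROUTES_JSON = """
{"value": [
  {"source": "Default", "state": "Active", "addressPrefix": ["10.10.0.0/16"],
   "nextHopType": "VnetLocal", "nextHopIpAddress": []},
  {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
   "nextHopType": "Internet", "nextHopIpAddress": []},
  {"source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["10.100.0.0/16"],
   "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.10.255.4"]}
]}
"""

# Same table without the gateway route (constructed): what the VM sees when the
# on-prem address space never reached the gateway connection.
MISSING_ROUTE_JSON = """
{"value": [
  {"source": "Default", "state": "Active", "addressPrefix": ["10.10.0.0/16"],
   "nextHopType": "VnetLocal", "nextHopIpAddress": []},
  {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
   "nextHopType": "Internet", "nextHopIpAddress": []}
]}
"""

def longest_match(routes, destination):
    """Active effective route the VM uses for `destination` (longest prefix wins)."""
    dest = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        if route.get("state") != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, route)
    return best

def check_onprem_path(routes_json, onprem_host):
    """Classify the path for a packet to `onprem_host`:
    'gateway' (tunnel), 'internet' (leaks via default route), 'blackhole', 'other'."""
    match = longest_match(json.loads(routes_json)["value"], onprem_host)
    if match is None or match[1]["nextHopType"] == "None":
        return "blackhole"   # no route at all, or a UDR dropping the prefix
    hop = match[1]["nextHopType"]
    return {"VirtualNetworkGateway": "gateway", "Internet": "internet"}.get(hop, "other")
```

An "internet" result for the on-prem address matches the symptom in this thread: the tracert from the Azure VM times out at the first hop because the packets never enter the tunnel.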
  • Wednesday, June 26, 2019 2:34 PM
  • Hi Joe,

    Were the pictures visible enough?

    Wednesday, June 26, 2019 3:29 PM
  • Hi, it's the next option. You've screengrabbed effective security rules.

    What is in "Effective Routes"?

    Wednesday, June 26, 2019 6:58 PM
  • Please see what's in the Effective security rules

    Wednesday, June 26, 2019 7:20 PM
  • Outbound Rules

    Wednesday, June 26, 2019 7:21 PM