Azure VPN Connected to Company Network, but not able to connect VMs

  • Question

  • Hi,

    I have set up some Azure VMs (IaaS), assigned to a virtual network, connected to a local network over the gateway.

    Azure Management Status shows everything OK (connected), and the corporate firewall also shows an established site-to-site VPN.

    The problem is that I am unable to connect to the VMs from the corporate network. Also, connecting from Azure to corporate does not work.

    Windows Firewall on the VMs is disabled. I have tested with Ping and RDP. No connection.

    When I do a tracert from the corporate network to a private IP of the Azure VM, I get only one hop responding. This hop is the IP address of the Azure gateway server. So I think data is correctly transferred from the corporate network to Azure, but the Azure server does not respond or takes a wrong route?

    TraceRoute from Corporate Network to an Azure VM

    Any Ideas?

    Best regards

    Marc

    Friday, July 13, 2012 12:26 PM

All replies

  • Hi Marc,

    Can you please let us know what VPN device you are using? Please let us know if you set a cap on the MTU size in the interface. Can you also let us know if you see phase 1 and phase 2 crypto negotiations on your VPN device for all subnet pairs?

    Can you also let me know if VM-to-VM communication within the virtual network is OK?

    Thanks,

    Ganesh Srinivasan

    Saturday, July 14, 2012 4:01 PM
  • Hi Ganesh,

    Sorry for the late reply.

    VPN Device is a Sonicwall NSA 240.

    MTU Size on WAN Interface is 1492.

    I can see the proposal in phase 2 shows the correct address range. It does not show the subnet, but instead the address range (172.16.100.0/255.255.252.0).

    Configuration on Azure is:

    Address Range: 172.16.100.0/22
    Server Subnet: 172.16.100.0/24
    Gateway Subnet: 172.16.101.0/24

    VM to VM Communication is working.

    Best Regards

    Marc


    Monday, July 16, 2012 9:57 AM
  • Hi

    Same issue for me. Do we have to set up additional static routes on the GW on the corporate side?

    Rgds

    Cedric

    Monday, July 16, 2012 12:42 PM
  • Hi,

    I have a similar issue.

    Azure portal shows VPN connected.

    SonicWall shows the VPN as connected.

    SonicWall shows tunnels active.

    No ping to remote network or from remote network.

    Confused.

    B...

    Thursday, August 2, 2012 6:26 PM
  • Hi,

    Yesterday my issue was resolved.

    It was a wrong configuration on Microsoft's side.

    Now everything is working correctly.

    Best Regards

    Marc

    Friday, August 3, 2012 5:56 AM
  • I'm having the same issue with a Juniper SSG. What did you change to resolve it?
    Friday, August 10, 2012 5:02 AM
  • Hi,

    I managed to resolve this on my SonicWall NSA 4500 by going into the advanced settings of the VPN and enabling the option NAT Traversal; this, I think, is mentioned somewhere in the requirements as NAT-T.

    It was a global setting on my Sonicwall.

    I have another issue which you might come across and I have as yet been unable to resolve.

    The problem is that I have connected my Azure network to my corp network, where most of my servers are located. However, we have a central data center for all the offices, and our main DC is in that centre. This data centre is essentially considered by the SonicWall to be a remote VPN. Although in theory it is possible to set up VPN-to-VPN routing in a hub/spoke setup, this is proving tricky when I only have access to one firewall to configure.

    B...

    Friday, August 10, 2012 7:23 AM
  • Hi Marc,

    I have been having issues connecting my Sonicwall TZ210 to Windows Azure (iaas). When I look at the logs I see a bunch of “IKE Initiator: Remote party timeout - Retransmitting IKE request” entries. Can I please see a screen shot of how you have your VPN configured (Tabs: General, Network, Proposals, and Advanced). If you want to contact me via email at Shahiq@ittotalcare.com instead that will be great. Thank you!

    Thursday, October 18, 2012 7:44 PM
  • Hi Bruce,

    I have been having issues connecting my Sonicwall TZ210 to Windows Azure (iaas). When I look at the logs I see a bunch of “IKE Initiator: Remote party timeout - Retransmitting IKE request” entries. Can I please see a screen shot of how you have your VPN configured (Tabs: General, Network, Proposals, and Advanced). If you want to contact me via email at Shahiq@ittotalcare.com instead that will be great. Thank you!

    Thursday, October 18, 2012 8:02 PM
  • Hi

    I had very similar problems with a Juniper firewall. This may point you in the right direction.

    The solution was that the Azure PEER ID needed entering against Azure VPN Gateway. The PEER ID isn't something Microsoft display on the Azure site, though. I had to debug the traffic from the Juniper to spot it. For me it turned out to be 10.10.0.4... the first IP address of my VM was 10.10.0.6. So maybe the PEER ID is always 2 down from the lowest IP address for your VMs.

    I used Patrick Russo's solution at http://social.msdn.microsoft.com/Forums/en/WAVirtualMachinesVirtualNetwork/thread/58a6f485-f023-4ca7-b0b8-7f629beb879a

    Hope this helps

    M


    Friday, October 19, 2012 12:49 PM
  • Thank you for sharing your experience with us.
    Monday, October 29, 2012 11:35 PM