topic Re: VMs cannot access the Internet in VM-Series in the Public Cloud

VMs cannot access the Internet

Connected123 — Mon, 23 Aug 2021 08:22:04 GMT

Hello,

Hope I get some direction/solution here.

VM (10.9.8.4) can ping trusted interface (10.8.130.4) of PA but with packet loss!!! However, tracert 8.8.8.8 does not show the trusted interface as next hop....request timed out. Cannot go to the Internet.

All NSG set to allowed. PA has the most basic config at this stage with Allow All Policy.

Tried to bypass asymmetric routing. Show counter global filter did not show any drop packets.

Would appreciate if anyone can help in solving this puzzle.

Re: VMs cannot access the Internet

dmifsud — Sat, 14 Aug 2021 15:49:14 GMT

Hello,

Personally I would set up a packet capture at the receive, transmit and drop stages, then check:

1) Does the firewall transmit the request (assuming yes)
2) Does the firewall receive the response from 8.8.8.8

3) If it does, does it transmit this to the client

You can check the drop capture for any drops, although if the counters are clean you shouldn't be seeing anything there.

Also, open the detailed log view (that magnifying glass at the left-most side of the traffic log) to check NAT was performed and if the NAT IP/interface make sense.

- DM

Re: VMs cannot access the Internet

Connected123 — Mon, 23 Aug 2021 08:20:56 GMT

Hi @dmifsud

Thank you for your response.

1) Does the firewall transmit the request >YES
2) Does the firewall receive the response from 8.8.8.8>NO

3) If it does, does it transmit this to the client>There is nothing in between FW and VM

4) No drop seen in global counter. I have turned off DPDK setting.

> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 7.5 seconds

name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_sent 1 0 info packet pktproc Packets transmitted
session_allocated 3 0 info session resource Sessions allocated
session_installed 3 0 info session resource Sessions installed
flow_ip_cksm_sw_validation 3 0 info flow pktproc Packets for which IP checksum validation was done in software
appid_ident_by_icmp 3 0 info appid pktproc Application identified by icmp type
nat_dynamic_port_xlat 3 0 info nat resource The total number of dynamic_ip_port NAT translate called
dfa_sw 3 0 info dfa pktproc The total number of dfa match using software
ctd_pscan_sw 3 0 info ctd pktproc The total usage of software for pscan
ctd_process 3 0 info ctd pktproc session processed by ctd
ctd_pkt_slowpath 3 0 info ctd pktproc Packets processed by slowpath
--------------------------------------------------------------------------------

5) NAT seems fine as configured.

Waiting for your response.

Re: VMs cannot access the Internet

Connected123 — Mon, 16 Aug 2021 01:31:31 GMT

Hi @dmifsud

I am checking on the Azure side.

Just wanted to ask if you have come across this issue below.

1) tracert is failing. It should show the trusted interface of PA as next hop

>tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.

2) Same route settings is used for Hub machines and they can access the Internet. Effective routes in Azure is showing the correct path.
The only difference is Spoke VM is on the other side of VNET peering.

Thanks