topic IPSec Tunnel is up but not passing traffic (On-Prem to Azure Palo Alto VM) in VM-Series in the Public Cloud

IPSec Tunnel is up but not passing traffic (On-Prem to Azure Palo Alto VM)

C.Moore927039 — Mon, 31 Mar 2025 14:27:54 GMT

Hi guys.

GOAL:
I have an office in India with several users. They need to access a server in Azure that sits behind Virtual PA using Global Protect.

I have successfully setup an IPSec Tunnel between my On-prem PA and an Azure PA, however, I am not passing any traffic in either direction.
I suspect I might be over simplifying this deployment. I chose the "2-Arm" PA deployment in Azure. This gave me 3 Interfaces for which I had to define 3 subnets as shown in the image above.
This is a new concept for me. I am used to a single Internal subnet NAT'd out to a Public IP.

I feel like I am missing components for this deployment and that a "Single-Arm" Azure VM deployment is probably what I need.

Regardless, if anyone has some input they can provide, please let me know, I would greatly appreciate it.

Thanks!

Re: IPSec Tunnel is up but not passing traffic (On-Prem to Azure Palo Alto VM)

J.Quintero — Mon, 31 Mar 2025 22:38:53 GMT

Do you have any security policy in place to allow traffic from IPSEC tunnel to on-prem zone and vice versa?

Re: IPSec Tunnel is up but not passing traffic (On-Prem to Azure Palo Alto VM)

C.Moore927039 — Mon, 07 Apr 2025 15:00:20 GMT

As I am new to Palo Atlo's in Azure, it is important to note that the "outside" Interface is not assigned a Public IP address in the IKE Gateway settings as shown below. Since Azure associates a Public IP to your (non-routable) IP address, but routable in Azure if that makes sense, it it left blank. Typically you would have a Public IP assigned directly to your "outside" interface. After setting the interface to "None" as shown below, traffic started flowing.