https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-vpn-traffic-to-azure-site-to-site-vpn-not-working/m-p/540768#M3990 <P>Hi,</P> <P>&nbsp;</P> <P>The issue i'm encountering is related to one our vpn client(server) which cannot use directly a S2S connection and must use a P2S connection that is always activated at all time.</P> <P>We want from one of our virtual machine in azure to access this server through the S2S vpn and then through the global protect to reach the server at the end.</P> <P>Our achitecture is currently with a virtual machine set up with&nbsp; a point to site connection to our onpremise datacenter and a site to site vpn to azure(virtual network gateway).</P> <P>Unfortunately, even after creating static routes i see the traffic is allowed through our security policies but always end with an aged-out message and no connectivity between the vpn client and the azure network is established.</P> <P>&nbsp;</P> <P>Does someone know if that setup is supported with static routes configured or do we need to use another way of routing our traffic with bgp for exemple ?</P> <P>&nbsp;</P> <P>Thanks in advance for all your help or advices.</P> <P>&nbsp;</P> <P>Cordially,</P> <P>Alexis DINET</P> <P>OHC</P> Tue, 02 May 2023 12:48:56 GMT FS-EXP 2023-05-02T12:48:56Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-vpn-traffic-to-azure-site-to-site-vpn-not-working/m-p/540768#M3990 <P>Hi,</P> <P>&nbsp;</P> <P>The issue i'm encountering is related to one our vpn client(server) which cannot use directly a S2S connection and must use a P2S connection that is always activated at all time.</P> <P>We want from one of our virtual machine in azure to access this server through the S2S vpn and then through the global protect to reach the server at the end.</P> <P>Our achitecture is currently with a virtual machine set up with&nbsp; a point to site connection to our onpremise datacenter and a site to site vpn to azure(virtual network gateway).</P> <P>Unfortunately, even after creating static routes i see the traffic is allowed through our security policies but always end with an aged-out message and no connectivity between the vpn client and the azure network is established.</P> <P>&nbsp;</P> <P>Does someone know if that setup is supported with static routes configured or do we need to use another way of routing our traffic with bgp for exemple ?</P> <P>&nbsp;</P> <P>Thanks in advance for all your help or advices.</P> <P>&nbsp;</P> <P>Cordially,</P> <P>Alexis DINET</P> <P>OHC</P> Tue, 02 May 2023 12:48:56 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-vpn-traffic-to-azure-site-to-site-vpn-not-working/m-p/540768#M3990 FS-EXP 2023-05-02T12:48:56Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-vpn-traffic-to-azure-site-to-site-vpn-not-working/m-p/541137#M4004 <P>Hello,</P> <P>Check the logs and see if the PAN is seeing applications or if it just says 'incomplete'. If it says incomplete, there is a routing issue as the PAN has not seen enough packets to make an application determination (this is what I have seen as the most common reason for this). Perhaps its asymetric routing?</P> <P>Regards,</P> Thu, 04 May 2023 21:59:50 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-vpn-traffic-to-azure-site-to-site-vpn-not-working/m-p/541137#M4004 OtakarKlier 2023-05-04T21:59:50Z