topic S2S between PA3250 and Azure VPN Gateway -1 way traffic in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/s2s-between-pa3250-and-azure-vpn-gateway-1-way-traffic/m-p/1231608#M5985 <P>HI everyone, for a long time we have had a functioning VPN gateway between our on premise 3250 and and Azure VPN Gateway.</P> <P>Recently, we have observed that appear to be unable to send traffic from the PA side, to Azure. Including return traffic.</P> <P>&nbsp;</P> <P>Here's what I am observing.&nbsp; The Tunnel is up.</P> <P>When I send traffic from the Azure Side, I see it appearing on the on premise Palo. So for example a ping, I see it arrive in the traffic monitor, and pass between the correct zones to the destination as allowed traffic.&nbsp;&nbsp;</P> <P>However, the echo reply never gets back to Azure.</P> <P>&nbsp;</P> <P>Conversely, if I send a ping from the PA, top the azure side, on the PA I see the traffic pass through the correct zones, and if I look at the egress traffic on the interface (QOS monitor) I see the ping sessions.&nbsp; However we never get a reply.</P> <P>All traffic both inbound and outbound reports as "aging out" on the PA.&nbsp; I would expect the ping to age out on that anyway as per ICMP, but other types of traffic are also aging out. Such as RDP.</P> <P>&nbsp;</P> <P>When I run a packet capture on destination machines on the azure side, I do not see any traffic originating from the PA side at all.</P> <P>&nbsp;</P> <P>When I run a packet capture on the VPN Gateway, All i see is ESP traffic between both sides.</P> <P>&nbsp;</P> <P>When I run the network monitor on the azure side to check im not blocking anything on the NSG, this verifies the matching rule, with an allow.</P> <P>We are running 10.2.12-h6.</P> <P>&nbsp;</P> <P>Any input from anyone who has seen a similar issue would be great!</P> <P>&nbsp;</P> <P>Many thanks,</P> <P>Graham.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 12 Jun 2025 08:42:18 GMT CyberEng 2025-06-12T08:42:18Z S2S between PA3250 and Azure VPN Gateway -1 way traffic https://live.paloaltonetworks.com/t5/next-generation-firewall/s2s-between-pa3250-and-azure-vpn-gateway-1-way-traffic/m-p/1231608#M5985 <P>HI everyone, for a long time we have had a functioning VPN gateway between our on premise 3250 and and Azure VPN Gateway.</P> <P>Recently, we have observed that appear to be unable to send traffic from the PA side, to Azure. Including return traffic.</P> <P>&nbsp;</P> <P>Here's what I am observing.&nbsp; The Tunnel is up.</P> <P>When I send traffic from the Azure Side, I see it appearing on the on premise Palo. So for example a ping, I see it arrive in the traffic monitor, and pass between the correct zones to the destination as allowed traffic.&nbsp;&nbsp;</P> <P>However, the echo reply never gets back to Azure.</P> <P>&nbsp;</P> <P>Conversely, if I send a ping from the PA, top the azure side, on the PA I see the traffic pass through the correct zones, and if I look at the egress traffic on the interface (QOS monitor) I see the ping sessions.&nbsp; However we never get a reply.</P> <P>All traffic both inbound and outbound reports as "aging out" on the PA.&nbsp; I would expect the ping to age out on that anyway as per ICMP, but other types of traffic are also aging out. Such as RDP.</P> <P>&nbsp;</P> <P>When I run a packet capture on destination machines on the azure side, I do not see any traffic originating from the PA side at all.</P> <P>&nbsp;</P> <P>When I run a packet capture on the VPN Gateway, All i see is ESP traffic between both sides.</P> <P>&nbsp;</P> <P>When I run the network monitor on the azure side to check im not blocking anything on the NSG, this verifies the matching rule, with an allow.</P> <P>We are running 10.2.12-h6.</P> <P>&nbsp;</P> <P>Any input from anyone who has seen a similar issue would be great!</P> <P>&nbsp;</P> <P>Many thanks,</P> <P>Graham.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 12 Jun 2025 08:42:18 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/s2s-between-pa3250-and-azure-vpn-gateway-1-way-traffic/m-p/1231608#M5985 CyberEng 2025-06-12T08:42:18Z Re: S2S between PA3250 and Azure VPN Gateway -1 way traffic https://live.paloaltonetworks.com/t5/next-generation-firewall/s2s-between-pa3250-and-azure-vpn-gateway-1-way-traffic/m-p/1231610#M5986 <P>Id just like to add, I have performed a packet capture on a machine inside the network, pinging from the azure side and I see the packets arrive on the machine itself.&nbsp; I also see the echo reply go back out.&nbsp; But it never arrives at the azure destination.</P> <P>&nbsp;</P> <P>Thanks!</P> Thu, 12 Jun 2025 09:47:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/s2s-between-pa3250-and-azure-vpn-gateway-1-way-traffic/m-p/1231610#M5986 CyberEng 2025-06-12T09:47:47Z