VM Series and Azure Stack Hub - Routing problem?

Rob_Stevens — Fri, 06 May 2022 19:30:58 GMT

All

Having a frustrating time with VM-Series integration inside an Azure Stack Hub (2108, Disconnected) - Setup is as follows:

>Installed from 8.1 marketplace image using basic 3 NIC template - then upgraded (in many stages) to 10.2.1.

>Single firewall is positioned in hub VNet, with bidirectional VNet peering to the hosting VNets. No load balancer.

>The firewall has static routes in place (in a single virtual router) to the 'router' address of each subnet on the hosting VNets. (i.e network addr +1)

>A routing table is in place for all subnets required, pointing them to the trusted interface IP.

>No NSGs are in place on the hosting VNets.

>An intra-zone rule is in place to allow all traffic

Testing reveals that:

>The firewall can ping all the hosts in the hosting VNets through the trusted interface.

>Prior to enabling the route table in Azure, hosts pinging the trusted firewall interface do not get a reply, but are shown in the traffic log.

>After enabling the full redirection via the trusted firewall interface, attempts to contact hosts on other VNets or subnets in the system fail, but the traffic is seen (as allowed) in the firewall log. Nothing gets through or re-routed though - I have tried with and without a noNAT to make sure that wasn't the issue.

>A packet capture reveals the firewall sending ARPs for the address of the subnet router addresses - but cannot see if it gets a reply.

So what do we think is happening here? It's like the firewall isn't able to reach the router address in the subnet, even though I can see that it can.

Have I missed something? Asymmetric routing perhaps?

topic VM Series and Azure Stack Hub - Routing problem? in VM-Series in the Private Cloud

VM Series and Azure Stack Hub - Routing problem?