Azure VM cannot access the Internet

Connected123 — Mon, 23 Aug 2021 08:24:07 GMT

Hi there,

We have deployed Hub and Spoke technology in Azure. All VM traffic is going through the FW. Settings of Spoke VM is same as Hub VM. NSG set to allow all traffic.

FW is configured with 3 VR static routes (one route to the internet, one from Hub to Trusted Interface of PA and another route from Spoke to Trusted interface of PA), SNAT and DNAT rule and one Allow All policy. Using 8.8.8.8 and 4.4.2.2 as Primary and secondary DNS servers. Service route Config is via Management interface. No drop seen in packet capture.

> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 15.265 seconds

name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 2 0 info packet pktproc Packets received
pkt_sent 18 1 info packet pktproc Packets transmitted
session_allocated 7 0 info session resource Sessions allocated
session_installed 7 0 info session resource Sessions installed
flow_host_pkt_xmt 72 4 info flow mgmt Packets transmitted to control plane
flow_host_vardata_rate_limit_ok 72 4 info flow mgmt Host vardata not sent: rate limit ok
flow_ip_cksm_sw_validation 15 0 info flow pktproc Packets for which IP checksum validation was done in software
appid_ident_by_icmp 3 0 info appid pktproc Application identified by icmp type
nat_dynamic_port_xlat 7 0 info nat resource The total number of dynamic_ip_port NAT translate called
dfa_sw 3 0 info dfa pktproc The total number of dfa match using software
ctd_pscan_sw 3 0 info ctd pktproc The total usage of software for pscan
ctd_process 3 0 info ctd pktproc session processed by ctd
ctd_pkt_slowpath 3 0 info ctd pktproc Packets processed by slowpath
--------------------------------------------------------------------------------
Total counters shown: 13
--------------------------------------------------------------------------------

>ping google.com

Pinging google.com [142.250.76.110] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

ping to 8.8.8.8 failed. Spoke VM cannot browse the Internet. Traffic log shows TCP-RST-SERVER. No log seen in the Threat log.

Disabled defender firewall but no luck. Please advise how to fix the issue.

Re: Azure VM cannot access the Internet

Perez15 — Thu, 12 Aug 2021 09:41:16 GMT

All VM's without a public IP has connectivity to internet, even when you haven't associated a NSG to subnet/NIC. Once you have associated it.

Re: Azure VM cannot access the Internet

Connected123 — Mon, 23 Aug 2021 08:24:53 GMT

Hi @reaper

If you don't mind helping me out with this post pls.

.4 is assigned to the three interfaces (mgmt, untrust and untrust) of PA.

VM from Hub side (DC Subnet shown in the screenshot) can access the Internet. VM from Spoke (Dev Subnet shown in the screenshot) cannot.

I tried adding the vnet subnets as well but no luck.

I have already checked this post below.

https://live.paloaltonetworks.com/t5/general-topics/azure-palo-alto-arp-not-found/m-p/336411/thread-id/84754/highlight/false#M84756

Re: Azure VM cannot access the Internet

Connected123 — Fri, 13 Aug 2021 22:27:22 GMT

Do you think NATTing in PA is causing the issue?

topic Re: Azure VM cannot access the Internet in General Topics

Azure VM cannot access the Internet

Re: Azure VM cannot access the Internet

Re: Azure VM cannot access the Internet

Re: Azure VM cannot access the Internet