08-04-2020 03:04 PM
Just set up a new VM-100 device in Azure. SSL decryption and security policies are in place. My test client PC can browse the web, and all of the policies seem to work.
However, I cannot ping or tracert to any public website (e.g., www.apple.com). The DNS resolution works, I see that the ping traffic is allowed in the monitor tab, and I disabled SSL decryption as a test, but it still didn't work.
I'm sure that it's something simple, but anyone have any ideas?
Thanks!
Rich
08-05-2020 01:29 PM
Hi @rbottiglieri ,
Please make sure you have a public IP assigned to your untrust interface. In Azure, ping and traceroute will not work if you don't have a public IP in the untrust interface. Please try and let me know.
Thanks,
Ram
08-05-2020 01:33 PM
Hi @RamprakashRT, thanks for this.
I had actually just tried that before your post. I originally had a secondary IP address configured on the interface with a public IP address, but that didn't work. So, I scrapped that, and put the public IP address right on the interface. I can now ping, but tracert isn't working. Do I need to modify the NSG to allow all inbound internet traffic on the untrust interface?
Thanks.
Rich
08-05-2020 01:48 PM
I suspect the security policy in the firewall. Just to isolate, is it possible to create a plain firewall rule for the test machine by allowing all the traffic in the firewall? Also untrust interface outbound NSG 'allow all' and trust interface inbound NSG 'allow all'.
Thanks,
Ram
08-05-2020 02:26 PM
I did some digging, and I think the issue is that Azure does not permit you to ping the default gateway in an Azure VNET. Check out this doc:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq
Adding the public IP to the interface, I can now ping public internet addresses. However, traceroute does not work, and by the looks of things, it is not supposed to work.
Thanks for the help.
Rich