PA VM IPSEC Tunnels in Azure

cancel
Showing results for 
Search instead for 
Did you mean: 

PA VM IPSEC Tunnels in Azure

L0 Member

Ok, I've been stumped for a few days now. I dropped a support call in for help, but they are taking their time...and I am behind schedule. LOL.

 

I have a PA-VM-100. Its sitting in an azure cloud. There is an NSG on the Trust, Web (DMZ), and Mgmt interfaces, and a separate NSG on the Untrust. The IPSEC tunnel is green on both phases 1 and 2. I have routes on Trust, and Web, plus the virtual router set. The endpoint of the tunnel can tracert to the appropriate address so I am assuming it is not the endpoint that is misconfigured. The firewall, however, while showing appropriate routes on the CLI, cannot tracert to the appropriate address. The tunnel on the firewall side shows packets encapping but not decapping. So traffic isnt coming back, but I think traffic never leaves. On the endpoint I see the same data, packets are encapsulated but nothing coming back. Any ideas? The complexity of azure on top of the firewall is a little annoying. I am wondering if the untrust needs a routing table in azure? idk. Any pointers would be epic. Also-- did a pcap on both ends, they aren't dropped, and I see them on firewall and rx but not tx. 

1 REPLY 1

L0 Member

Well--I made some progress. I can now increment the encap and decap on both sides. The static route I added was to the specific inside address of the endpoint device, via tunnel.2. So now I can increase packet and encapsulation counters on both sides but they still dont communicate traffic through. Which would make you think firewall rule? Me too. But I added an allow any/any for a brief moment...nadda. Nothing went through. Which brings me back to a routing issue? Any help would be super appreciated.

 

Thx!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!