Well, I made some progress. I can now increment the encap and decap counters on both sides. The static route I added was to the specific inside address of the endpoint device, via tunnel.2. So now I can increase packet and encapsulation counters on both sides, but they still don't pass traffic through. Which would make you think firewall rule? Me too. But I added an allow any/any for a brief moment... nada. Nothing went through. Which brings me back to a routing issue? Any help would be super appreciated. Thx!
Ok, I've been stumped for a few days now. I dropped a support call in for help, but they are taking their time... and I am behind schedule. LOL. I have a PA-VM-100. It's sitting in an Azure cloud. There is an NSG on the Trust, Web (DMZ), and Mgmt interfaces, and a separate NSG on the Untrust. The IPsec tunnel is green on both phase 1 and phase 2. I have routes on Trust and Web, plus the virtual router set. The endpoint of the tunnel can tracert to the appropriate address, so I am assuming it is not the endpoint that is misconfigured. The firewall, however, while showing appropriate routes on the CLI, cannot tracert to the appropriate address. The tunnel on the firewall side shows packets encapping but not decapping. So traffic isn't coming back, but I think traffic never leaves. On the endpoint I see the same data: packets are encapsulated but nothing is coming back. Any ideas? The complexity of Azure on top of the firewall is a little annoying. I am wondering if the Untrust needs a routing table in Azure? idk. Any pointers would be epic. Also, I did a pcap on both ends; they aren't dropped, and I see them on the firewall on rx but not tx.