Having a frustrating time with VM-Series integration inside an Azure Stack Hub (2108, Disconnected) - Setup is as follows:
- Installed from the 8.1 marketplace image using the basic 3 NIC template, then upgraded (in many stages) to 10.2.1.
- A single firewall is positioned in the hub VNet, with bidirectional VNet peering to the hosting VNets. No load balancer.
- The firewall has static routes in place (in a single virtual router) to the 'router' address of each subnet on the hosting VNets (i.e. network address +1).
- A routing table is in place for all subnets required, pointing them to the trusted interface IP.
- No NSGs are in place on the hosting VNets.
- An intra-zone rule is in place to allow all traffic.
Testing reveals that:
- The firewall can ping all the hosts in the hosting VNets through the trusted interface.
- Prior to enabling the route table in Azure, hosts pinging the trusted firewall interface do not get a reply, but are shown in the traffic log.
- After enabling the full redirection via the trusted firewall interface, attempts to contact hosts on other VNets or subnets in the system fail, but the traffic is seen (as allowed) in the firewall log. Nothing gets through or re-routed though - I have tried with and without a no-NAT rule to make sure that wasn't the issue.
- A packet capture reveals the firewall sending ARPs for the subnet router addresses, but I cannot see if it gets a reply.
So what do we think is happening here? It's like the firewall isn't able to reach the router address in the subnet, even though I can see that it can.
Have I missed something? Asymmetric routing perhaps?
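Two things worth verifying on a setup like the one described are whether the effective routes on the hosts actually resolve to the firewall's trusted IP for every subnet that is meant to be redirected, and whether the firewall's trusted NIC has IP forwarding enabled (an Azure NIC without it has packets that are not addressed to its own IP dropped by the fabric after the guest has already seen and logged them). The script below is an added example, not code from the post or from Palo Alto Networks: it reads the JSON shape returned by `az network nic show-effective-route-table` and `az network nic show` and reports mismatches. The addresses, subnet list, NIC name and both JSON documents are constructed samples, not values from the poster's environment.

```python
"""Check UDR coverage and NIC IP forwarding for an NVA (firewall) in Azure.

The two JSON documents below are CONSTRUCTED to match the output shape of
`az network nic show-effective-route-table` and `az network nic show`; in
practice you would paste the real output in their place.
"""
import ipaddress
import json

# Assumption: the firewall's trusted-interface IP (constructed value)
FIREWALL_TRUST_IP = "10.0.1.4"

# Assumption: hosting-VNet subnets that are meant to be redirected (constructed)
HOSTING_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.2.0.0/24"]

# Constructed sample of the effective route table seen by a host NIC
EFFECTIVE_ROUTES_JSON = """
{
  "value": [
    {"name": null, "source": "Default", "state": "Active",
     "addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    {"name": "to-fw-10-1-1", "source": "User", "state": "Active",
     "addressPrefix": ["10.1.1.0/24"], "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.0.1.4"]},
    {"name": "to-fw-10-2-0", "source": "User", "state": "Active",
     "addressPrefix": ["10.2.0.0/24"], "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.0.1.5"]},
    {"name": null, "source": "Default", "state": "Active",
     "addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "nextHopIpAddress": []}
  ]
}
"""

# Constructed sample of the relevant fields of the firewall's trusted NIC
FIREWALL_NIC_JSON = """
{"name": "fw-trust-nic", "enableIpForwarding": false,
 "ipConfigurations": [{"privateIpAddress": "10.0.1.4"}]}
"""


def check_udrs(effective_routes: dict, subnets, fw_ip: str) -> list:
    """Return one finding per subnet whose effective next hop is not the firewall.

    Longest-prefix match is applied over the Active routes, which is how the
    Azure fabric picks a route; routes in state "Invalid" are overridden ones.
    """
    findings = []
    routes = [r for r in effective_routes["value"] if r.get("state") == "Active"]
    for subnet in subnets:
        net = ipaddress.ip_network(subnet)
        best = None  # (matched prefix, route) with the longest prefix so far
        for r in routes:
            for prefix in r["addressPrefix"]:
                p = ipaddress.ip_network(prefix)
                if net.subnet_of(p) and (best is None or p.prefixlen > best[0].prefixlen):
                    best = (p, r)
        if best is None:
            findings.append(f"{subnet}: no route at all")
            continue
        _, r = best
        if r["nextHopType"] != "VirtualAppliance":
            findings.append(f"{subnet}: matched {r['nextHopType']} route, not the firewall")
        elif fw_ip not in r["nextHopIpAddress"]:
            findings.append(f"{subnet}: next hop {r['nextHopIpAddress']} is not the trusted IP {fw_ip}")
    return findings


def check_ip_forwarding(nic: dict) -> list:
    """A NIC that must forward other hosts' packets needs enableIpForwarding=true."""
    if nic.get("enableIpForwarding"):
        return []
    return [f"{nic['name']}: IP forwarding disabled; forwarded packets are dropped by the fabric"]


def run_checks() -> list:
    """Run both checks over the constructed samples and return all findings."""
    routes = json.loads(EFFECTIVE_ROUTES_JSON)
    nic = json.loads(FIREWALL_NIC_JSON)
    return check_udrs(routes, HOSTING_SUBNETS, FIREWALL_TRUST_IP) + check_ip_forwarding(nic)


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
```

With the constructed samples this reports three findings: one subnet still matched by the VNet-local default route, one subnet whose UDR points at the wrong next-hop IP, and the trusted NIC with IP forwarding off. The same checks apply unchanged when the JSON is replaced with real CLI output.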