No traffic between VMs and PA in Azure

cancel
Showing results for 
Search instead for 
Did you mean: 

No traffic between VMs and PA in Azure

L2 Linker

Hi there,

 

We have deployed PA-VM in Azure and there are other 4 VMs within the same vnet. There are NSGs on each interface of PA (mgmt, trusted, untrusted) and also on the VMs. There is allowed-all rule in the PA with intrazone default rule logging enabled. Ping is also enabled. There is no switch or other device between the VMs and PA. Routing table has Next hop address of PA trusted Interface.

 

However, we have noticed that ping/tracert to Trusted interface (10.8.1x.x) from the VMs (for example, 10.8.1.3 and 10.8.2.3) are failing. Ping to 10.8.1.3 and 10.8.2.3 is successful. Tried removing the NSG but no luck. For all the VMs, Src and Dest Address is set as Any in Azure.

Because of this, internal VMs cannot access the Internet.

Any help would be appreciated!

 

C:\Windows\system32>ping 10.8.1x.x

Pinging 10.8.1x.x with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.8.1x.x:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions

Hi @reaper 

 

Sorry I deleted my previous post as it was the response from another discussion that I have created.

I have solved this issue (ping fails in same subnet) by unticking Packet Buffer Protection.

 

Global counters:
Elapsed time since last sampling: 34.223 seconds

name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 32 0 info packet pktproc Packets received
flow_dos_pbp_drop 57 1 drop flow dos Packets dropped: Dropped by packet buffer protection RED
flow_dos_drop_ip_blocked 11 0 drop flow dos Packets dropped: Flagged for blocking and under block duration by DoS or other modules
--------------------------------------------------------------------------------
Total counters shown: 3
--------------------------------------------------------------------------------

 

It was enabled by default so didn't catch our attention at first. Not sure, if it is a new thing in ver 10.1.

I will close this thread.

 

@kiwi  sorry about that. Now I know where to post VM/cloud related issues.

 

Could you pls move this post below of mine as well?

 

https://live.paloaltonetworks.com/t5/general-topics/azure-vm-cannot-access-the-internet/m-p/426333#M...

View solution in original post

3 REPLIES 3

Community Team Member

Hi @Connected123 ,

 

In order to get better traction for this, I have moved this discussion to the VM Series in the public cloud area.

 

Cheers,

-Kiwi

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!

Cyber Elite
Cyber Elite

Didn't azure reserver .1 through .4? Try setting the panw to .5?

Tom Piens
PANgurus - (co)managed services and consultancy

Hi @reaper 

 

Sorry I deleted my previous post as it was the response from another discussion that I have created.

I have solved this issue (ping fails in same subnet) by unticking Packet Buffer Protection.

 

Global counters:
Elapsed time since last sampling: 34.223 seconds

name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 32 0 info packet pktproc Packets received
flow_dos_pbp_drop 57 1 drop flow dos Packets dropped: Dropped by packet buffer protection RED
flow_dos_drop_ip_blocked 11 0 drop flow dos Packets dropped: Flagged for blocking and under block duration by DoS or other modules
--------------------------------------------------------------------------------
Total counters shown: 3
--------------------------------------------------------------------------------

 

It was enabled by default so didn't catch our attention at first. Not sure, if it is a new thing in ver 10.1.

I will close this thread.

 

@kiwi  sorry about that. Now I know where to post VM/cloud related issues.

 

Could you pls move this post below of mine as well?

 

https://live.paloaltonetworks.com/t5/general-topics/azure-vm-cannot-access-the-internet/m-p/426333#M...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!