VMs cannot access the Internet


L2 Linker



Hope I get some direction/solution here.


VM ( can ping trusted interface ( of PA but with packet loss!!! However, tracert does not show the trusted interface as next hop....request timed out. Cannot go to the Internet.


All NSG set to allowed. PA has the most basic config at this stage with Allow All Policy. 


Tried to bypass asymmetric routing. Show counter global filter did not show any drop packets. 

Would appreciate if anyone can help in solving this puzzle.




L3 Networker



Personally I would set up a packet capture at the receive, transmit and drop stages, then check:

1) Does the firewall transmit the request (assuming yes)
2) Does the firewall receive the response from

3) If it does, does it transmit this to the client


You can check the drop capture for any drops, although if the counters are clean you shouldn't be seeing anything there.


Also, open the detailed log view (that magnifying glass at the left-most side of the traffic log) to check NAT was performed and if the NAT IP/interface make sense.


- DM

Sr. Technical Support Engineer, Strata
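The three checks from the reply above, as an added example that is not part of the original post or of any Palo Alto Networks tooling: a Python script that reads the receive- and transmit-stage captures and answers each question. It assumes the captures were exported as classic Ethernet pcap files and that the test traffic is ICMP echo; the function names and all addresses are constructed for illustration.

```python
import socket
import struct

def read_pcap(data):
    """Yield (src, dst, icmp_type) per IPv4 ICMP frame in a classic Ethernet pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond pcap")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue                           # not IPv4 or not ICMP
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) > 14 + ihl:
            yield (socket.inet_ntoa(frame[26:30]),
                   socket.inet_ntoa(frame[30:34]), frame[14 + ihl])

def triage(rx, tx, client, target):
    """Answer the three checks from receive- and transmit-stage captures."""
    rx_pk, tx_pk = list(read_pcap(rx)), list(read_pcap(tx))
    return {
        "1_request_transmitted": any(d == target and t == 8 for _, d, t in tx_pk),
        "2_response_received": any(s == target and t == 0 for s, _, t in rx_pk),
        "3_response_sent_to_client": any(
            s == target and d == client and t == 0 for s, d, t in tx_pk),
    }

def sample_pcap(packets):
    """Constructed test data: a pcap built from (src, dst, icmp_type) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, typ in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        icmp = struct.pack("!BBHHH", typ, 0, 0, 1, 1)   # checksums left at zero
        frame = b"\x00" * 12 + b"\x08\x00" + ip + icmp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed addresses: spoke VM, firewall NAT source, Internet target.
CLIENT, NAT, TARGET = "10.2.0.4", "10.0.1.4", "198.51.100.8"
RX_PCAP = sample_pcap([(CLIENT, TARGET, 8)])   # echo request arrives from the VM
TX_PCAP = sample_pcap([(NAT, TARGET, 8)])      # request leaves, source translated
if __name__ == "__main__":
    print(triage(RX_PCAP, TX_PCAP, CLIENT, TARGET))
```

With real captures, pass the bytes of the exported receive and transmit pcap files in place of `RX_PCAP` and `TX_PCAP`.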

Hi @dmifsud 


Thank you for your response.


1) Does the firewall transmit the request >YES
2) Does the firewall receive the response from>NO

3) If it does, does it transmit this to the client>There is nothing in between FW and VM

4) No drop seen in global counter. I have turned off DPDK setting.

> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 7.5 seconds

name                        value  rate  severity  category  aspect    description
pkt_sent                        1     0  info      packet    pktproc   Packets transmitted
session_allocated               3     0  info      session   resource  Sessions allocated
session_installed               3     0  info      session   resource  Sessions installed
flow_ip_cksm_sw_validation      3     0  info      flow      pktproc   Packets for which IP checksum validation was done in software
appid_ident_by_icmp             3     0  info      appid     pktproc   Application identified by icmp type
nat_dynamic_port_xlat           3     0  info      nat       resource  The total number of dynamic_ip_port NAT translate called
dfa_sw                          3     0  info      dfa       pktproc   The total number of dfa match using software
ctd_pscan_sw                    3     0  info      ctd       pktproc   The total usage of software for pscan
ctd_process                     3     0  info      ctd       pktproc   session processed by ctd
ctd_pkt_slowpath                3     0  info      ctd       pktproc   Packets processed by slowpath


5) NAT seems fine as configured.



Waiting for your response.

Hi @dmifsud 


I am checking on the Azure side.


Just wanted to ask if you have come across this issue below.


1) tracert is failing. It should show the trusted interface of PA as next hop


Tracing route to dns.google []
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.

2) The same route settings are used for the Hub machines, and they can access the Internet. Effective routes in Azure are showing the correct path.
The only difference is that the Spoke VM is on the other side of the VNET peering.


