Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Azure VM cannot access the Internet

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Azure VM cannot access the Internet

L2 Linker

Hi there,

 

We have deployed Hub and Spoke technology in Azure. All VM traffic is going through the FW. Settings of Spoke VM is same as Hub VM. NSG set to allow all traffic. 

FW is configured with 3 VR static routes (one route to the internet, one from Hub to Trusted Interface of PA and another route from Spoke to Trusted interface of PA), SNAT and DNAT rule and one Allow All policy. Using 8.8.8.8 and 4.4.2.2 as Primary and secondary DNS servers. Service route Config is via Management interface. No drop seen in packet capture.

 

> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 15.265 seconds

name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 2 0 info packet pktproc Packets received
pkt_sent 18 1 info packet pktproc Packets transmitted
session_allocated 7 0 info session resource Sessions allocated
session_installed 7 0 info session resource Sessions installed
flow_host_pkt_xmt 72 4 info flow mgmt Packets transmitted to control plane
flow_host_vardata_rate_limit_ok 72 4 info flow mgmt Host vardata not sent: rate limit ok
flow_ip_cksm_sw_validation 15 0 info flow pktproc Packets for which IP checksum validation was done in software
appid_ident_by_icmp 3 0 info appid pktproc Application identified by icmp type
nat_dynamic_port_xlat 7 0 info nat resource The total number of dynamic_ip_port NAT translate called
dfa_sw 3 0 info dfa pktproc The total number of dfa match using software
ctd_pscan_sw 3 0 info ctd pktproc The total usage of software for pscan
ctd_process 3 0 info ctd pktproc session processed by ctd
ctd_pkt_slowpath 3 0 info ctd pktproc Packets processed by slowpath
--------------------------------------------------------------------------------
Total counters shown: 13
--------------------------------------------------------------------------------

 

>ping google.com

Pinging google.com [142.250.76.110] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

 

ping to 8.8.8.8 failed. Spoke VM cannot browse the Internet. Traffic log shows TCP-RST-SERVER. No log seen in the Threat log.

Disabled defender firewall but no luck. Please advise how to fix the issue.

 

 

 

 

 

 

 

3 REPLIES 3

L0 Member

All VM's without a public IP has connectivity to internet, even when you haven't associated a NSG to subnet/NIC. Once you have associated it.

 

 

L2 Linker

Hi @reaper 

 

If you don't mind helping me out with this post pls.

 

.4 is assigned to the three interfaces (mgmt, untrust and untrust) of PA.

VM from Hub side (DC Subnet shown in the screenshot) can access the Internet. VM from Spoke (Dev Subnet shown in the screenshot) cannot.

I tried adding the vnet subnets as well but no luck.

I have already checked this post below.

https://live.paloaltonetworks.com/t5/general-topics/azure-palo-alto-arp-not-found/m-p/336411/thread-...

 

 

Do you think NATTing in PA is causing the issue?

  • 4806 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!