08-11-2021 10:00 PM - edited 08-23-2021 01:24 AM
Hi there,
We have deployed Hub and Spoke technology in Azure. All VM traffic is going through the FW. The settings of the Spoke VM are the same as the Hub VM. NSG is set to allow all traffic.
The FW is configured with 3 VR static routes (one route to the internet, one from Hub to the Trusted interface of the PA and another route from Spoke to the Trusted interface of the PA), SNAT and DNAT rules and one Allow All policy. Using 8.8.8.8 and 4.4.2.2 as primary and secondary DNS servers. The service route config is via the Management interface. No drops seen in the packet capture.
> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 15.265 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 2 0 info packet pktproc Packets received
pkt_sent 18 1 info packet pktproc Packets transmitted
session_allocated 7 0 info session resource Sessions allocated
session_installed 7 0 info session resource Sessions installed
flow_host_pkt_xmt 72 4 info flow mgmt Packets transmitted to control plane
flow_host_vardata_rate_limit_ok 72 4 info flow mgmt Host vardata not sent: rate limit ok
flow_ip_cksm_sw_validation 15 0 info flow pktproc Packets for which IP checksum validation was done in software
appid_ident_by_icmp 3 0 info appid pktproc Application identified by icmp type
nat_dynamic_port_xlat 7 0 info nat resource The total number of dynamic_ip_port NAT translate called
dfa_sw 3 0 info dfa pktproc The total number of dfa match using software
ctd_pscan_sw 3 0 info ctd pktproc The total usage of software for pscan
ctd_process 3 0 info ctd pktproc session processed by ctd
ctd_pkt_slowpath 3 0 info ctd pktproc Packets processed by slowpath
--------------------------------------------------------------------------------
Total counters shown: 13
--------------------------------------------------------------------------------
>ping google.com
Pinging google.com [142.250.76.110] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping to 8.8.8.8 failed. The Spoke VM cannot browse the Internet. The Traffic log shows TCP-RST-SERVER. No log seen in the Threat log.
Disabled the Defender firewall, but no luck. Please advise how to fix the issue.
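An added diagnostic, not from the original post or any reply: before touching the PA's virtual router, confirm where Azure itself sends the spoke VM's packet to 8.8.8.8, because the platform routes by longest-prefix match over the NIC's effective routes and the system default 0.0.0.0/0 route goes straight to Internet unless a user-defined route (UDR) to the firewall overrides it. The real table comes from `az network nic show-effective-route-table -g <rg> -n <nic> -o table`; the two tables below are constructed in that output's shape, and the firewall trust IP and VNet address spaces are assumptions.

```python
import ipaddress

# Added example, not code from the thread. Models the longest-prefix lookup Azure
# applies to a NIC's effective routes, so the spoke VM's next hop for 8.8.8.8 can
# be predicted before changing anything on the firewall.
# All addresses below are assumptions:
FIREWALL_TRUST_IP = "10.0.1.4"   # assumed PA trust-interface IP in the hub VNet
HUB_VNET = "10.0.0.0/16"         # assumed hub address space (peered to the spoke)
SPOKE_VNET = "10.1.0.0/16"       # assumed spoke address space

# Constructed sample in the shape of `az network nic show-effective-route-table`
# output (only the fields the lookup needs). A spoke NIC with no UDR attached:
SPOKE_ROUTES_NO_UDR = [
    {"source": "Default", "state": "Active", "addressPrefix": [SPOKE_VNET],
     "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    {"source": "Default", "state": "Active", "addressPrefix": [HUB_VNET],
     "nextHopType": "VNetPeering", "nextHopIpAddress": []},
    {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": []},
]

# Same NIC after a route table with 0.0.0.0/0 -> VirtualAppliance is attached to
# the spoke subnet; Azure then marks the system default route Invalid:
SPOKE_ROUTES_WITH_UDR = [
    SPOKE_ROUTES_NO_UDR[0],
    SPOKE_ROUTES_NO_UDR[1],
    {"source": "User", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": [FIREWALL_TRUST_IP]},
    {"source": "Default", "state": "Invalid", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": []},
]


def lookup(routes, dst):
    """Return (nextHopType, nextHopIp) for dst by longest-prefix match over
    Active routes, the selection rule Azure uses. Returns None if nothing matches."""
    target = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in routes:
        if route["state"] != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if target in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
    if best is None:
        return None
    hop_ip = best["nextHopIpAddress"][0] if best["nextHopIpAddress"] else None
    return best["nextHopType"], hop_ip


def egress_via_firewall(routes, fw_ip, dst="8.8.8.8"):
    """True if dst leaves the spoke via the firewall AND the firewall's own IP is
    still reached over the peering (a /0 UDR must not swallow the hop to the NVA)."""
    to_internet = lookup(routes, dst)
    to_firewall = lookup(routes, fw_ip)
    return (to_internet == ("VirtualAppliance", fw_ip)
            and to_firewall is not None
            and to_firewall[0] != "VirtualAppliance")


if __name__ == "__main__":
    for name, routes in (("no UDR", SPOKE_ROUTES_NO_UDR),
                         ("with UDR", SPOKE_ROUTES_WITH_UDR)):
        print(f"{name:9s} 8.8.8.8 -> {lookup(routes, '8.8.8.8')}, "
              f"via firewall: {egress_via_firewall(routes, FIREWALL_TRUST_IP)}")
```

If the spoke NIC's real effective routes resolve 8.8.8.8 to `Internet` rather than `VirtualAppliance`, the packet never reaches the PA and no firewall-side route, NAT rule or counter will explain the failure; if they resolve to the firewall, the remaining suspects are on the hub side (the return route for the spoke prefix and the SNAT rule).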
08-12-2021 02:41 AM
All VMs without a public IP have connectivity to the internet, even when you haven't associated an NSG to the subnet/NIC. Once you have associated it.
08-12-2021 04:33 AM - edited 08-23-2021 01:24 AM
Hi @reaper
If you don't mind helping me out with this post, please.
.4 is assigned to the three interfaces (mgmt, untrust and trust) of the PA.
VM from Hub side (DC Subnet shown in the screenshot) can access the Internet. VM from Spoke (Dev Subnet shown in the screenshot) cannot.
I tried adding the VNet subnets as well, but no luck.
I have already checked this post below.
08-13-2021 03:27 PM
Do you think NATTing in PA is causing the issue?