Description | This article describes what happens when an NSG is deleted in Azure. |
Scope | FortiGate, Azure. |
Solution |
Consider a scenario in which there is an IPsec tunnel between an on-prem FortiGate and FortiGate VM in Azure behind the ELB (External Load Balancer).
With IPsec, the UDP packets on ports 500/4500 are usually allowed and forwarded by the load-balancing rules in the Azure Load Balancer. If the IPsec tunnel does not come up in this setup, changing the transport to TCP in the phase1 settings of the IPsec tunnel reveals a TCP RST packet coming from the load balancer. Since the sniffer on the FortiGate VM does not capture anything, it can be concluded that the Load Balancer is sending the reset packet, as the packet never arrives at the FortiGate VM.
In general, when there is no NSG (Network Security Group) for a subnet, nothing is blocked. However, as per Microsoft, 'If there is no Network Security Group (NSG) applied to the subnet, inbound traffic might not be properly received by the backend virtual machine'.
As a result, as soon as an NSG is added to the backend subnet, the tunnels come up.
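The remediation described above, as an added Azure CLI example (not from the original article): create an NSG that admits IKE (UDP 500) and NAT-T (UDP 4500) only from the on-prem peer and attach it to the FortiGate VM's backend subnet. Resource group, VNet, subnet, NSG names and the on-prem address are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Fortinet's code): attach an NSG to the backend subnet so the
# Azure Load Balancer delivers the IPsec traffic, allowing only the on-prem peer.
set -eu

# Assumed names and addresses; replace with your own.
RG="${RG:-rg-fortigate}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-hub}"
SUBNET="${SUBNET:-snet-fgt-external}"
NSG="${NSG:-nsg-fgt-external}"
ONPREM_IP="${ONPREM_IP:-203.0.113.10}"   # RFC 5737 documentation address (placeholder)
AZ="${AZ:-az}"                           # set AZ=echo to print the commands instead of running them

create_ike_nsg() {
  # 1. Create the NSG. Azure adds the default rules (AllowVnetInBound,
  #    AllowAzureLoadBalancerInBound, DenyAllInBound) automatically.
  "$AZ" network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION" --output none

  # 2. Allow IKE and NAT-T from the on-prem FortiGate only; the default
  #    DenyAllInBound still covers every other internet source.
  "$AZ" network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name Allow-IPsec-From-OnPrem --priority 100 --direction Inbound --access Allow \
    --protocol Udp --source-address-prefixes "$ONPREM_IP" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges 500 4500 --output none

  # 3. Associate the NSG with the backend subnet; this is the step that makes
  #    the load balancer forward the inbound UDP 500/4500 packets to the VM.
  "$AZ" network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --network-security-group "$NSG" --output none
}

# Check that the subnet now references the NSG (prints the NSG resource id).
verify_subnet_nsg() {
  "$AZ" network vnet subnet show --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --query "networkSecurityGroup.id" --output tsv
}
```

Run with `AZ=echo` first to review the exact commands before they touch the subscription.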
Related document: |
Copyright 2025 Fortinet, Inc. All Rights Reserved.