Support Forum
Mackoy
New Contributor

Site 2 Site VPN with Azure

Please help,
I can access On-Prem from Azure, but I cannot access Azure from On-Prem, neither from the firewall itself nor from the LAN behind the firewall.

Azure
172.16.0.0/21 - Address space
172.16.1.0/24 - Subnet
172.16.0.0/24 - GW Subnet

NSG in Azure
ICMP and RDP are Any Any Any Allow

VM in Azure
All firewalls are disabled


On-Prem / Fortigate 60E v6.2.3 build1066 (GA)
PPPoE - WAN
192.168.1.0/24 - LAN

Thank you in advance

xshkurti
Staff

Hi

Please check the MTU / packet size of traffic from On-Prem to Azure.

You can try lowering the TCP-MSS on the policy that allows traffic to go to Azure.
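The advice above is about IPsec encapsulation pushing full-size TCP segments over the WAN MTU. The following is an added worked example, not code from the thread or from Fortinet: it derives the largest MSS whose ESP-encapsulated packet still fits a PPPoE WAN, checks the wire size for any candidate value, and emits the FortiOS `config firewall policy` lines (`tcp-mss-sender` / `tcp-mss-receiver` are real policy options). The overhead constants are assumptions for a common AES-CBC (16-byte IV) with HMAC-SHA-256-128 (16-byte ICV) proposal; adjust them to the proposal the tunnel actually negotiated. The computed value is an upper bound, so a more conservative value such as 1350 also fits.

```python
# Added example (not from the thread): MSS derivation for TCP over ESP over PPPoE.
# Overhead figures are assumptions for AES-CBC / HMAC-SHA-256-128; adjust as needed.

IP_HEADER = 20        # IPv4 header without options (used for inner and outer header)
TCP_HEADER = 20       # TCP header without options
PPPOE_OVERHEAD = 8    # PPPoE header (6) + PPP protocol id (2): 1500 Ethernet -> 1492
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
NAT_T_UDP = 8         # extra UDP header when NAT traversal (UDP/4500) is used


def wire_size(mss, pppoe=True, nat_t=False, iv_len=16, block=16, icv_len=16):
    """Bytes put on the WAN link for one full TCP segment of the given MSS."""
    inner = mss + IP_HEADER + TCP_HEADER
    # Inner packet + ESP trailer is padded up to the cipher block size.
    body = -(-(inner + ESP_TRAILER) // block) * block
    wire = IP_HEADER + ESP_HEADER + iv_len + body + icv_len
    if nat_t:
        wire += NAT_T_UDP
    if pppoe:
        wire += PPPOE_OVERHEAD
    return wire


def max_mss(link_mtu=1500, pppoe=True, nat_t=False, iv_len=16, block=16, icv_len=16):
    """Largest MSS whose encapsulated segment still fits link_mtu (no fragmentation)."""
    budget = link_mtu - IP_HEADER - ESP_HEADER - iv_len - icv_len
    if pppoe:
        budget -= PPPOE_OVERHEAD
    if nat_t:
        budget -= NAT_T_UDP
    body = (budget // block) * block          # largest block multiple that fits
    return body - ESP_TRAILER - IP_HEADER - TCP_HEADER


def fortios_policy_mss(policy_id, mss):
    """FortiOS CLI lines that clamp MSS in both directions on one firewall policy."""
    return [
        "config firewall policy",
        f"    edit {policy_id}",
        f"        set tcp-mss-sender {mss}",
        f"        set tcp-mss-receiver {mss}",
        "    next",
        "end",
    ]


if __name__ == "__main__":
    mss = max_mss()                            # PPPoE WAN, no NAT-T
    print(f"max MSS without fragmentation: {mss} ({wire_size(mss)} bytes on the wire)")
    print(f"MSS {mss + 1} would need {wire_size(mss + 1)} bytes -> fragmented")
    print(f"MSS 1350 needs {wire_size(1350)} bytes -> fits with margin")
    print("\n".join(fortios_policy_mss(policy_id=1, mss=1350)))   # policy id is assumed
```

Run it to see the break-even point for your own link; change `pppoe`, `nat_t`, `iv_len` or `icv_len` to match the WAN type and the negotiated IPsec proposal. The policy id in the emitted CLI is a placeholder; use the id of the policy that sends traffic into the tunnel.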

Mackoy

Hi

Here is the result of my firewall MTU

[screenshot: firewall MTU output]

For the TCP-MSS on the policy, what value should I input?
Thanks


Mackoy
New Contributor

Additional info:

[screenshots: IPsec Monitor, IPv4 Policy, Ping from Firewall, Tracert from LAN (On-Prem)]

baldchiapet75
New Contributor II

What do your route-tables look like in both Azure and on the FTG?

Mackoy

Here: 

[screenshot: Fortinet routing table]

baldchiapet75
New Contributor II

Please give us the output from the below command.

FW # get router info routing-table database

Mackoy

Here:

[screenshot: output of "get router info routing-table database"]


baldchiapet75
New Contributor II

Everything looks good on the Fortigate. If you can take a screenshot of the route-table(s) on the Azure side, that would work. It could be you're not propagating the routes to the vNET from the VNG. By default, the VNG will route RFC1918 back down the S-2-S tunnel, so if there is no route for the destination subnet in the VNG route-table it will not reach any host that resides there.
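To make the route-table point concrete, here is an added example that is not part of the reply above or of any Fortinet or Azure tooling: a longest-prefix-match lookup run over two constructed route tables, one for the on-prem side and one for the Azure side with and without the on-prem prefix present, plus a check that both directions of a flow actually resolve to the tunnel. The prefixes are the ones posted in the thread; the next-hop names (including the Azure `Internet` / `VnetLocal` / `VirtualNetworkGateway` labels) and the table contents are assumptions for illustration.

```python
# Added example (not from the thread): longest-prefix-match route lookup and a
# both-directions check for a site-to-site tunnel. Tables and next-hop names are
# constructed for illustration.
import ipaddress


def lookup(routes, dst):
    """Return the next hop for dst by longest-prefix match, or None if no route."""
    ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


# On-prem FortiGate (constructed): LAN, default via PPPoE, Azure space via the tunnel.
ONPREM_ROUTES = [
    ("0.0.0.0/0", "ppp-wan"),
    ("192.168.1.0/24", "lan"),
    ("172.16.0.0/21", "vpn-azure"),      # static route over the IPsec interface
]

# Azure side (constructed): without and with the on-prem prefix pointing at the gateway.
AZURE_ROUTES_NO_PROPAGATION = [
    ("0.0.0.0/0", "Internet"),
    ("172.16.0.0/21", "VnetLocal"),
]
AZURE_ROUTES_PROPAGATED = AZURE_ROUTES_NO_PROPAGATION + [
    ("192.168.1.0/24", "VirtualNetworkGateway"),
]

TUNNEL_HOPS = {"vpn-azure", "VirtualNetworkGateway"}


def path_is_symmetric(src, dst, src_table, dst_table, tunnel_hops=TUNNEL_HOPS):
    """True only when src->dst and dst->src both resolve to a tunnel next hop."""
    return (lookup(src_table, dst) in tunnel_hops
            and lookup(dst_table, src) in tunnel_hops)


def missing_tunnel_routes(table, remote_prefixes, tunnel_hops=TUNNEL_HOPS):
    """Remote prefixes that this table does not send into the tunnel."""
    missing = []
    for prefix in remote_prefixes:
        probe = str(ipaddress.ip_network(prefix).network_address)
        if lookup(table, probe) not in tunnel_hops:
            missing.append(prefix)
    return missing


if __name__ == "__main__":
    lan_host, azure_vm = "192.168.1.5", "172.16.1.10"
    for name, table in (("no propagation", AZURE_ROUTES_NO_PROPAGATION),
                        ("propagated", AZURE_ROUTES_PROPAGATED)):
        print(f"Azure ({name}): {lan_host} -> {lookup(table, lan_host)}; "
              f"symmetric={path_is_symmetric(lan_host, azure_vm, ONPREM_ROUTES, table)}; "
              f"missing={missing_tunnel_routes(table, ['192.168.1.0/24'])}")
```

Feed `missing_tunnel_routes` the prefixes from the FortiGate's `get router info routing-table database` output on one side and the Azure effective routes on the other; any prefix it reports is a one-way path even though the tunnel shows as up.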

Mackoy

Thank you for confirming the setup from my Fortigate.

Here is the result of the query.

[screenshot: Azure route table query result]