Site 2 Site VPN with Azure

Mackoy · ‎10-06-2022

Please help,
I can access On-Prem from Azure but I cannot access Azure from On-Prem from firewall level and LAN behind Firewall.

Azure
172.16.0.0/21 - Address space
172.16.1.0/24 - Subnet
172.16.0.0/24 - GW Subnet

NSG in Azure
ICMP and RDP are Any Any Any Allow

VM in Azure
All firewalls are disabled

On-Prem / Fortigate 60E v6.2.3 build1066 (GA)
PPPoE - WAN
192.168.1.0/24 - LAN

Thank you in advance

xshkurti · ‎10-06-2022

Hi

Please check mtu traffic size from On-prem to Azure.

You can try to lower TCP-MSS on policy that allows traffic to go to Azure

Mackoy · ‎10-06-2022

Hi

Here is the result of my firewall MTU

the TCP-MSS on policy, what value should I input?
Thanks

Mackoy · ‎10-06-2022

Additional info:

IPsec Monitor IPsec Monitor IPv4 Policy IPv4 Policy Ping from Firewall Ping from Firewall Tracert from LAN (On-Prem) Tracert from LAN (On-Prem)

baldchiapet75 · ‎10-06-2022

What do your route-tables look like in both Azure and on the FTG?

Mackoy · ‎10-06-2022

Here:

Fortinet routing table. Fortinet routing table.

baldchiapet75 · ‎10-06-2022

Please give us the output from the below command.

FW # get router info routing-table database

Mackoy · ‎10-06-2022

Here:

baldchiapet75 · ‎10-06-2022

Everything looks good on the Fortigate. If you can take a screen shot of the route-table(s) on the Azure side that would work. It could be your not propagating the routes to the vNET from the VNG. By default, the VNG will route RFC1918 back down the S-2-S tunnel so if there is no route for the destination subnet in the VNG route-table it will not reach any host that resides there.

Mackoy · ‎10-06-2022

Thank you for confirming the setup from my Fortigate.

Here is the result of the query.

Site 2 Site VPN with Azure

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website