Azure VPN Site-to-site connected but host not reachable Announcing the arrival of Valued...

Why use gamma over alpha radiation?

How can I protect witches in combat who wear limited clothing?

Mortgage adviser recommends a longer term than necessary combined with overpayments

Replacing HDD with SSD; what about non-APFS/APFS?

Single author papers against my advisor's will?

Stop battery usage [Ubuntu 18]

Can I add database to AWS RDS MySQL without creating new instance?

Can a non-EU citizen traveling with me come with me through the EU passport line?

Passing functions in C++

Why is "Captain Marvel" translated as male in Portugal?

Fishing simulator

Typsetting diagram chases (with TikZ?)

How do I automatically answer y in bash script?

What LEGO pieces have "real-world" functionality?

When is phishing education going too far?

New Order #5: where Fibonacci and Beatty meet at Wythoff

Stars Make Stars

Is there a documented rationale why the House Ways and Means chairman can demand tax info?

How do I keep my slimes from escaping their pens?

What was the last x86 CPU that did not have the x87 floating-point unit built in?

Is drag coefficient lowest at zero angle of attack?

How can players take actions together that are impossible otherwise?

What do you call the holes in a flute?

Stopping real property loss from eroding embankment



Azure VPN Site-to-site connected but host not reachable



Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Come Celebrate our 10 Year Anniversary!Routing Help Needed - Site to Site VPNAzure VPN and On Site routingRouting in Azure between point-to-site and site-to-site networksCannot initiate connections from AzureVM to On Premises machines via Dynamic route site-to-site VPNAzure vpn is establish but causing delay or no traffic sometimesCannot connect back to local site over S2S connection via Azure Point-to-Site VPN clientAzure Site-to-Site VPN Tunnel Cisco ASA 8.2VPN gateway not produce trafficadding machines to VPN gateway inside AzureRoute traffic between two Azure site-to-site VPN locations





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







0















Using Azure gateway VPN I created a site to site connection with another vpn device (checkpoint) over which I have no control (customer endpoint).



I created the connection, using their public ip, declared the secret key and for local address space I discussed with the client what 'local' IP is desired from both sides. We agreed to an IP in the 172.0.0.0 range.



The gateway connection says succeeded/connected, and I see very little traffic in the data-out field (kb's not mb's).



However, when I try to ping the local address space (172.xxx.xxx.xxx) from my windows server 2016 VM I only get Request timed out-errors.



Do I need to create additional routes in windows? I tried adding route 



  route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 0.0.0.0


but the host is still unreachable.



Any Ideas? Thanks



EDIT: added some progress below



Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route
"route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4"



and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?



Edit 2



By now, when running the vpn diag. log I do see some traffic, but I still cannot reach the other side.



Connectivity State : Connected

Remote Tunnel Endpoint : XXX.XXX.XXX.XXX

Ingress Bytes (since last connected) : 360 B

Egress Bytes (since last connected) : 5272 B

Ingress Packets (since last connected) : 3 Packets

Egress Packets (since last connected) : 130 Packets

Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets

Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets

Bandwidth : 0 b/s

Peak Bandwidth : 0 b/s

Connected Since : 9/18/2017 5:33:18 AM





vpn azure windows-server-2016 site-to-site-vpn checkpoint







share|improve this question
















bumped to the homepage by Community 11 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • Could you try to RDP your local PC, ICMP package may block by Firewall.

    – Shui shengbao
    Sep 14 '17 at 6:44











  • Or you could try to RDP Azure VM from your local PC?

    – Shui shengbao
    Sep 14 '17 at 6:47











  • Hi, could you do this successful?

    – Shui shengbao
    Sep 14 '17 at 7:09











  • I can RDP via my P2S VPN I have configured in parallel, the site-to-site connection is from my azure virtual network to a customer's network I have no control over. I can ping the vpn gateway now from within my azure VM. running 'tracert 172.xxxxx' from my Azure VM results in 1 line of 2ms, 6ms, 1ms, 10.XXX.XXX.4 (the gateway), and all other lines are timed out.

    – user2713516
    Sep 14 '17 at 8:14













  • According to your description, it seems your custom network disable ICMP(There may be an edge network firewall implementation). I suggest you could test other service(such as RDP or http).

    – Shui shengbao
    Sep 14 '17 at 8:17


















0















Using Azure gateway VPN I created a site to site connection with another vpn device (checkpoint) over which I have no control (customer endpoint).



I created the connection, using their public ip, declared the secret key and for local address space I discussed with the client what 'local' IP is desired from both sides. We agreed to an IP in the 172.0.0.0 range.



The gateway connection says succeeded/connected, and I see very little traffic in the data-out field (kb's not mb's).



However, when I try to ping the local address space (172.xxx.xxx.xxx) from my windows server 2016 VM I only get Request timed out-errors.



Do I need to create additional routes in windows? I tried adding route 



  route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 0.0.0.0


but the host is still unreachable.



Any Ideas? Thanks



EDIT: added some progress below



Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route
"route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4"



and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?



Edit 2



By now, when running the vpn diag. log I do see some traffic, but I still cannot reach the other side.



Connectivity State : Connected

Remote Tunnel Endpoint : XXX.XXX.XXX.XXX

Ingress Bytes (since last connected) : 360 B

Egress Bytes (since last connected) : 5272 B

Ingress Packets (since last connected) : 3 Packets

Egress Packets (since last connected) : 130 Packets

Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets

Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets

Bandwidth : 0 b/s

Peak Bandwidth : 0 b/s

Connected Since : 9/18/2017 5:33:18 AM





vpn azure windows-server-2016 site-to-site-vpn checkpoint







share|improve this question
















bumped to the homepage by Community 11 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • Could you try to RDP your local PC, ICMP package may block by Firewall.

    – Shui shengbao
    Sep 14 '17 at 6:44











  • Or you could try to RDP Azure VM from your local PC?

    – Shui shengbao
    Sep 14 '17 at 6:47











  • Hi, could you do this successful?

    – Shui shengbao
    Sep 14 '17 at 7:09











  • I can RDP via my P2S VPN I have configured in parallel, the site-to-site connection is from my azure virtual network to a customer's network I have no control over. I can ping the vpn gateway now from within my azure VM. running 'tracert 172.xxxxx' from my Azure VM results in 1 line of 2ms, 6ms, 1ms, 10.XXX.XXX.4 (the gateway), and all other lines are timed out.

    – user2713516
    Sep 14 '17 at 8:14













  • According to your description, it seems your custom network disable ICMP(There may be an edge network firewall implementation). I suggest you could test other service(such as RDP or http).

    – Shui shengbao
    Sep 14 '17 at 8:17














0












0








0








Using Azure gateway VPN I created a site to site connection with another vpn device (checkpoint) over which I have no control (customer endpoint).



I created the connection, using their public ip, declared the secret key and for local address space I discussed with the client what 'local' IP is desired from both sides. We agreed to an IP in the 172.0.0.0 range.



The gateway connection says succeeded/connected, and I see very little traffic in the data-out field (kb's not mb's).



However, when I try to ping the local address space (172.xxx.xxx.xxx) from my windows server 2016 VM I only get Request timed out-errors.



Do I need to create additional routes in windows? I tried adding route 



  route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 0.0.0.0


but the host is still unreachable.



Any Ideas? Thanks



EDIT: added some progress below



Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route
"route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4"



and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?



Edit 2



By now, when running the vpn diag. log I do see some traffic, but I still cannot reach the other side.



Connectivity State : Connected

Remote Tunnel Endpoint : XXX.XXX.XXX.XXX

Ingress Bytes (since last connected) : 360 B

Egress Bytes (since last connected) : 5272 B

Ingress Packets (since last connected) : 3 Packets

Egress Packets (since last connected) : 130 Packets

Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets

Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets

Bandwidth : 0 b/s

Peak Bandwidth : 0 b/s

Connected Since : 9/18/2017 5:33:18 AM





vpn azure windows-server-2016 site-to-site-vpn checkpoint







share|improve this question
















Using Azure gateway VPN I created a site to site connection with another vpn device (checkpoint) over which I have no control (customer endpoint).



I created the connection, using their public ip, declared the secret key and for local address space I discussed with the client what 'local' IP is desired from both sides. We agreed to an IP in the 172.0.0.0 range.



The gateway connection says succeeded/connected, and I see very little traffic in the data-out field (kb's not mb's).



However, when I try to ping the local address space (172.xxx.xxx.xxx) from my windows server 2016 VM I only get Request timed out-errors.



Do I need to create additional routes in windows? I tried adding route 



  route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 0.0.0.0


but the host is still unreachable.



Any Ideas? Thanks



EDIT: added some progress below



Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route
"route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4"



and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?



Edit 2



By now, when running the vpn diag. log I do see some traffic, but I still cannot reach the other side.



Connectivity State : Connected

Remote Tunnel Endpoint : XXX.XXX.XXX.XXX

Ingress Bytes (since last connected) : 360 B

Egress Bytes (since last connected) : 5272 B

Ingress Packets (since last connected) : 3 Packets

Egress Packets (since last connected) : 130 Packets

Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets

Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets

Bandwidth : 0 b/s

Peak Bandwidth : 0 b/s

Connected Since : 9/18/2017 5:33:18 AM





vpn azure windows-server-2016 site-to-site-vpn checkpoint




vpn azure windows-server-2016 site-to-site-vpn checkpoint






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 18 '17 at 5:53







user2713516

















asked Sep 13 '17 at 13:54









user2713516user2713516

16219




16219





bumped to the homepage by Community 11 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







bumped to the homepage by Community 11 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.















  • Could you try to RDP your local PC, ICMP package may block by Firewall.

    – Shui shengbao
    Sep 14 '17 at 6:44











  • Or you could try to RDP Azure VM from your local PC?

    – Shui shengbao
    Sep 14 '17 at 6:47











  • Hi, could you do this successful?

    – Shui shengbao
    Sep 14 '17 at 7:09











  • I can RDP via my P2S VPN I have configured in parallel, the site-to-site connection is from my azure virtual network to a customer's network I have no control over. I can ping the vpn gateway now from within my azure VM. running 'tracert 172.xxxxx' from my Azure VM results in 1 line of 2ms, 6ms, 1ms, 10.XXX.XXX.4 (the gateway), and all other lines are timed out.

    – user2713516
    Sep 14 '17 at 8:14













  • According to your description, it seems your custom network disable ICMP(There may be an edge network firewall implementation). I suggest you could test other service(such as RDP or http).

    – Shui shengbao
    Sep 14 '17 at 8:17



















  • Could you try to RDP your local PC, ICMP package may block by Firewall.

    – Shui shengbao
    Sep 14 '17 at 6:44











  • Or you could try to RDP Azure VM from your local PC?

    – Shui shengbao
    Sep 14 '17 at 6:47











  • Hi, could you do this successful?

    – Shui shengbao
    Sep 14 '17 at 7:09











  • I can RDP via my P2S VPN I have configured in parallel, the site-to-site connection is from my azure virtual network to a customer's network I have no control over. I can ping the vpn gateway now from within my azure VM. running 'tracert 172.xxxxx' from my Azure VM results in 1 line of 2ms, 6ms, 1ms, 10.XXX.XXX.4 (the gateway), and all other lines are timed out.

    – user2713516
    Sep 14 '17 at 8:14













  • According to your description, it seems your custom network disable ICMP(There may be an edge network firewall implementation). I suggest you could test other service(such as RDP or http).

    – Shui shengbao
    Sep 14 '17 at 8:17

















Could you try to RDP your local PC, ICMP package may block by Firewall.

– Shui shengbao
Sep 14 '17 at 6:44





Could you try to RDP your local PC, ICMP package may block by Firewall.

– Shui shengbao
Sep 14 '17 at 6:44













Or you could try to RDP Azure VM from your local PC?

– Shui shengbao
Sep 14 '17 at 6:47





Or you could try to RDP Azure VM from your local PC?

– Shui shengbao
Sep 14 '17 at 6:47













Hi, could you do this successful?

– Shui shengbao
Sep 14 '17 at 7:09





Hi, could you do this successful?

– Shui shengbao
Sep 14 '17 at 7:09













I can RDP via my P2S VPN I have configured in parallel, the site-to-site connection is from my azure virtual network to a customer's network I have no control over. I can ping the vpn gateway now from within my azure VM. running 'tracert 172.xxxxx' from my Azure VM results in 1 line of 2ms, 6ms, 1ms, 10.XXX.XXX.4 (the gateway), and all other lines are timed out.

– user2713516
Sep 14 '17 at 8:14







I can RDP via my P2S VPN I have configured in parallel, the site-to-site connection is from my azure virtual network to a customer's network I have no control over. I can ping the vpn gateway now from within my azure VM. running 'tracert 172.xxxxx' from my Azure VM results in 1 line of 2ms, 6ms, 1ms, 10.XXX.XXX.4 (the gateway), and all other lines are timed out.

– user2713516
Sep 14 '17 at 8:14















According to your description, it seems your custom network disable ICMP(There may be an edge network firewall implementation). I suggest you could test other service(such as RDP or http).

– Shui shengbao
Sep 14 '17 at 8:17





According to your description, it seems your custom network disable ICMP(There may be an edge network firewall implementation). I suggest you could test other service(such as RDP or http).

– Shui shengbao
Sep 14 '17 at 8:17










3 Answers
3






active

oldest

votes


















0














First of all, check if Windows Firewall is not blocking ICMP.



Search for Windows Firewall, and click to open it.




  1. Click Advanced Settings on the left.

  2. From the left pane of the resulting window, click Inbound Rules.

  3. In the right pane, find the rules titled File and Printer Sharing (Echo Request - ICMPv4-In).

  4. Right-click each rule and choose Enable Rule.


Second, make sure you have the proper routing in place. The servers in your on-premises environment need to know how to reach the Azure environment. If your gateway can ping the Azure servers and the other way around is also true, then it's all good except that the only device that know this route is your GW. Make sure the servers in your network know how to reach the Azure network as well by adding a route to the Azure network through the GW. Example:



Next hop is also on-prem VPN:



VMs -> Default Windows Gw/Vpn Device -> Azure VPN Gw

route -p add <azure_network> mask <azure_net_mask> gw <azure_vpn_gw_ip>


As your VMs next hop is usually the Default Windows Gw, this will make sure that the next hop to reach azure_network is the azure_vpn_gw_ip. Make sure the route tables (local gateway configuration in Azure) has your on-premises network segment as well.






share|improve this answer


























  • Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route "route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4" and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?

    – user2713516
    Sep 14 '17 at 6:16



















0














According to your description, it seems your custom network disable ICMP. There may be an edge network firewall implementation or Windows Firewall.



I suggest you could use test with other service (such as RDP or http). Also, you could use tcping to determine network connectivity.



For debug your issue, I suggest you could check your VPN gateway log, please refer to this link.



Update:



According to OP's VPN gateway log.



Connectivity State : Connected 

Remote Tunnel Endpoint : 

Ingress Bytes (since last connected) : 0 B 

Egress Bytes (Since last connected) : 107604 B 

Connected Since : 9/14/2017 6:35:28 AM


VPN tunnel did not configure correctly. You need check your VPN configure again.






share|improve this answer


























  • Hi, see my updated answer

    – user2713516
    Sep 18 '17 at 5:52











  • Currently, Ingres has litter packets. But when VPN is connected, by default, you don't add route table. It seems your VPN connection has some issue. But I am not sure what is the issue on your custom side or Azure side.

    – Shui shengbao
    Sep 18 '17 at 6:01











  • Thanks, ill contact the 'other side' and see what they can do with their configuration

    – user2713516
    Sep 18 '17 at 6:11











  • @user2713516 Hi, do you solve this?

    – Shui shengbao
    Sep 25 '17 at 6:45











  • Hi, not yet, I'm waiting on the other party to review their side of the tunnel

    – user2713516
    Sep 25 '17 at 13:14



















0














What kind of VPN did you provision? If you're not using Basic, BGP will automatically set up the needed routes for you.



If it's basic, then you will need to set up a route table in Azure yourself to direct traffic to the correct network.



Set up the route table like this:



enter image description here



You should have the GatewaySubnet and your local subnet in the table with the next hop being the Virtual network gateway.



If that doesn't work, use the IP flow verify option to ensure traffic can get through your security groups. By default RDP should be reachable even if ping is not, so try different ports.






share|improve this answer
























  • It's the basic tier, never knew something like that was needed...I'll have a look at it tomorrow, thanks

    – user2713516
    Sep 17 '17 at 5:45











  • I created the routing table, and added the route, but then noticed via the Effective routes-page that the route already existed...so apparently that was already configured properly.

    – user2713516
    Sep 18 '17 at 5:16












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f873467%2fazure-vpn-site-to-site-connected-but-host-not-reachable%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














First of all, check if Windows Firewall is not blocking ICMP.



Search for Windows Firewall, and click to open it.




  1. Click Advanced Settings on the left.

  2. From the left pane of the resulting window, click Inbound Rules.

  3. In the right pane, find the rules titled File and Printer Sharing (Echo Request - ICMPv4-In).

  4. Right-click each rule and choose Enable Rule.


Second, make sure you have the proper routing in place. The servers in your on-premises environment need to know how to reach the Azure environment. If your gateway can ping the Azure servers and the other way around is also true, then it's all good except that the only device that know this route is your GW. Make sure the servers in your network know how to reach the Azure network as well by adding a route to the Azure network through the GW. Example:



Next hop is also on-prem VPN:



VMs -> Default Windows Gw/Vpn Device -> Azure VPN Gw

route -p add <azure_network> mask <azure_net_mask> gw <azure_vpn_gw_ip>


As your VMs next hop is usually the Default Windows Gw, this will make sure that the next hop to reach azure_network is the azure_vpn_gw_ip. Make sure the route tables (local gateway configuration in Azure) has your on-premises network segment as well.






share|improve this answer


























  • Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route "route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4" and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?

    – user2713516
    Sep 14 '17 at 6:16
















0














First of all, check if Windows Firewall is not blocking ICMP.



Search for Windows Firewall, and click to open it.




  1. Click Advanced Settings on the left.

  2. From the left pane of the resulting window, click Inbound Rules.

  3. In the right pane, find the rules titled File and Printer Sharing (Echo Request - ICMPv4-In).

  4. Right-click each rule and choose Enable Rule.


Second, make sure you have the proper routing in place. The servers in your on-premises environment need to know how to reach the Azure environment. If your gateway can ping the Azure servers and the other way around is also true, then it's all good except that the only device that know this route is your GW. Make sure the servers in your network know how to reach the Azure network as well by adding a route to the Azure network through the GW. Example:



Next hop is also on-prem VPN:



VMs -> Default Windows Gw/Vpn Device -> Azure VPN Gw

route -p add <azure_network> mask <azure_net_mask> gw <azure_vpn_gw_ip>


As your VMs next hop is usually the Default Windows Gw, this will make sure that the next hop to reach azure_network is the azure_vpn_gw_ip. Make sure the route tables (local gateway configuration in Azure) has your on-premises network segment as well.






share|improve this answer


























  • Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route "route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4" and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?

    – user2713516
    Sep 14 '17 at 6:16














0












0








0







First of all, check if Windows Firewall is not blocking ICMP.



Search for Windows Firewall, and click to open it.




  1. Click Advanced Settings on the left.

  2. From the left pane of the resulting window, click Inbound Rules.

  3. In the right pane, find the rules titled File and Printer Sharing (Echo Request - ICMPv4-In).

  4. Right-click each rule and choose Enable Rule.


Second, make sure you have the proper routing in place. The servers in your on-premises environment need to know how to reach the Azure environment. If your gateway can ping the Azure servers and the other way around is also true, then it's all good except that the only device that know this route is your GW. Make sure the servers in your network know how to reach the Azure network as well by adding a route to the Azure network through the GW. Example:



Next hop is also on-prem VPN:



VMs -> Default Windows Gw/Vpn Device -> Azure VPN Gw

route -p add <azure_network> mask <azure_net_mask> gw <azure_vpn_gw_ip>


As your VMs next hop is usually the Default Windows Gw, this will make sure that the next hop to reach azure_network is the azure_vpn_gw_ip. Make sure the route tables (local gateway configuration in Azure) has your on-premises network segment as well.






share|improve this answer















First of all, check if Windows Firewall is not blocking ICMP.



Search for Windows Firewall, and click to open it.




  1. Click Advanced Settings on the left.

  2. From the left pane of the resulting window, click Inbound Rules.

  3. In the right pane, find the rules titled File and Printer Sharing (Echo Request - ICMPv4-In).

  4. Right-click each rule and choose Enable Rule.


Second, make sure you have the proper routing in place. The servers in your on-premises environment need to know how to reach the Azure environment. If your gateway can ping the Azure servers and the other way around is also true, then it's all good except that the only device that know this route is your GW. Make sure the servers in your network know how to reach the Azure network as well by adding a route to the Azure network through the GW. Example:



Next hop is also on-prem VPN:



VMs -> Default Windows Gw/Vpn Device -> Azure VPN Gw

route -p add <azure_network> mask <azure_net_mask> gw <azure_vpn_gw_ip>


As your VMs next hop is usually the Default Windows Gw, this will make sure that the next hop to reach azure_network is the azure_vpn_gw_ip. Make sure the route tables (local gateway configuration in Azure) has your on-premises network segment as well.







share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 13 '17 at 23:23

























answered Sep 13 '17 at 23:12









Bruno FariaBruno Faria

3,4541616




3,4541616













  • Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route "route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4" and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?

    – user2713516
    Sep 14 '17 at 6:16



















  • Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route "route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4" and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?

    – user2713516
    Sep 14 '17 at 6:16

















Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route "route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4" and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?

– user2713516
Sep 14 '17 at 6:16





Thanks, I allowed the ping and I can now ping my VPN Gateway from my Azure VM (which is 10.XXX.XXX.4). I then added the route "route -p ADD 172.xxx.xxx.xxx MASK 255.255.255.255 10.XXX.XXX.4" and via tracert I can see the 172 address is routed to/via de vpn gateway, but then it times out. Does this mean the issue now is on the on-premise side?

– user2713516
Sep 14 '17 at 6:16













0














According to your description, it seems your custom network disable ICMP. There may be an edge network firewall implementation or Windows Firewall.



I suggest you could use test with other service (such as RDP or http). Also, you could use tcping to determine network connectivity.



For debug your issue, I suggest you could check your VPN gateway log, please refer to this link.



Update:



According to OP's VPN gateway log.



Connectivity State : Connected 

Remote Tunnel Endpoint : 

Ingress Bytes (since last connected) : 0 B 

Egress Bytes (Since last connected) : 107604 B 

Connected Since : 9/14/2017 6:35:28 AM


VPN tunnel did not configure correctly. You need check your VPN configure again.






share|improve this answer


























  • Hi, see my updated answer

    – user2713516
    Sep 18 '17 at 5:52











  • Currently, Ingres has litter packets. But when VPN is connected, by default, you don't add route table. It seems your VPN connection has some issue. But I am not sure what is the issue on your custom side or Azure side.

    – Shui shengbao
    Sep 18 '17 at 6:01











  • Thanks, ill contact the 'other side' and see what they can do with their configuration

    – user2713516
    Sep 18 '17 at 6:11











  • @user2713516 Hi, do you solve this?

    – Shui shengbao
    Sep 25 '17 at 6:45











  • Hi, not yet, I'm waiting on the other party to review their side of the tunnel

    – user2713516
    Sep 25 '17 at 13:14
















0














According to your description, it seems your custom network disable ICMP. There may be an edge network firewall implementation or Windows Firewall.



I suggest you could use test with other service (such as RDP or http). Also, you could use tcping to determine network connectivity.



For debug your issue, I suggest you could check your VPN gateway log, please refer to this link.



Update:



According to OP's VPN gateway log.



Connectivity State : Connected 

Remote Tunnel Endpoint : 

Ingress Bytes (since last connected) : 0 B 

Egress Bytes (Since last connected) : 107604 B 

Connected Since : 9/14/2017 6:35:28 AM


VPN tunnel did not configure correctly. You need check your VPN configure again.






share|improve this answer


























  • Hi, see my updated answer

    – user2713516
    Sep 18 '17 at 5:52











  • Currently, Ingres has litter packets. But when VPN is connected, by default, you don't add route table. It seems your VPN connection has some issue. But I am not sure what is the issue on your custom side or Azure side.

    – Shui shengbao
    Sep 18 '17 at 6:01











  • Thanks, ill contact the 'other side' and see what they can do with their configuration

    – user2713516
    Sep 18 '17 at 6:11











  • @user2713516 Hi, do you solve this?

    – Shui shengbao
    Sep 25 '17 at 6:45











  • Hi, not yet, I'm waiting on the other party to review their side of the tunnel

    – user2713516
    Sep 25 '17 at 13:14














0












0








0







According to your description, it seems your custom network disable ICMP. There may be an edge network firewall implementation or Windows Firewall.



I suggest you could use test with other service (such as RDP or http). Also, you could use tcping to determine network connectivity.



For debug your issue, I suggest you could check your VPN gateway log, please refer to this link.



Update:



According to OP's VPN gateway log.



Connectivity State : Connected 

Remote Tunnel Endpoint : 

Ingress Bytes (since last connected) : 0 B 

Egress Bytes (Since last connected) : 107604 B 

Connected Since : 9/14/2017 6:35:28 AM


VPN tunnel did not configure correctly. You need check your VPN configure again.






share|improve this answer















According to your description, it seems your custom network disable ICMP. There may be an edge network firewall implementation or Windows Firewall.



I suggest you could use test with other service (such as RDP or http). Also, you could use tcping to determine network connectivity.



For debug your issue, I suggest you could check your VPN gateway log, please refer to this link.



Update:



According to OP's VPN gateway log.



Connectivity State : Connected 

Remote Tunnel Endpoint : 

Ingress Bytes (since last connected) : 0 B 

Egress Bytes (Since last connected) : 107604 B 

Connected Since : 9/14/2017 6:35:28 AM


VPN tunnel did not configure correctly. You need check your VPN configure again.







share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 15 '17 at 5:24

























answered Sep 14 '17 at 8:21









Shui shengbaoShui shengbao

3,0771518




3,0771518













  • Hi, see my updated answer

    – user2713516
    Sep 18 '17 at 5:52











  • Currently, Ingres has litter packets. But when VPN is connected, by default, you don't add route table. It seems your VPN connection has some issue. But I am not sure what is the issue on your custom side or Azure side.

    – Shui shengbao
    Sep 18 '17 at 6:01











  • Thanks, ill contact the 'other side' and see what they can do with their configuration

    – user2713516
    Sep 18 '17 at 6:11











  • @user2713516 Hi, do you solve this?

    – Shui shengbao
    Sep 25 '17 at 6:45











  • Hi, not yet, I'm waiting on the other party to review their side of the tunnel

    – user2713516
    Sep 25 '17 at 13:14



















  • Hi, see my updated answer

    – user2713516
    Sep 18 '17 at 5:52











  • Currently, Ingres has litter packets. But when VPN is connected, by default, you don't add route table. It seems your VPN connection has some issue. But I am not sure what is the issue on your custom side or Azure side.

    – Shui shengbao
    Sep 18 '17 at 6:01











  • Thanks, ill contact the 'other side' and see what they can do with their configuration

    – user2713516
    Sep 18 '17 at 6:11











  • @user2713516 Hi, do you solve this?

    – Shui shengbao
    Sep 25 '17 at 6:45











  • Hi, not yet, I'm waiting on the other party to review their side of the tunnel

    – user2713516
    Sep 25 '17 at 13:14

















Hi, see my updated answer

– user2713516
Sep 18 '17 at 5:52





Hi, see my updated answer

– user2713516
Sep 18 '17 at 5:52













Currently, Ingres has litter packets. But when VPN is connected, by default, you don't add route table. It seems your VPN connection has some issue. But I am not sure what is the issue on your custom side or Azure side.

– Shui shengbao
Sep 18 '17 at 6:01





Currently, Ingres has litter packets. But when VPN is connected, by default, you don't add route table. It seems your VPN connection has some issue. But I am not sure what is the issue on your custom side or Azure side.

– Shui shengbao
Sep 18 '17 at 6:01













Thanks, ill contact the 'other side' and see what they can do with their configuration

– user2713516
Sep 18 '17 at 6:11





Thanks, ill contact the 'other side' and see what they can do with their configuration

– user2713516
Sep 18 '17 at 6:11













@user2713516 Hi, do you solve this?

– Shui shengbao
Sep 25 '17 at 6:45





@user2713516 Hi, do you solve this?

– Shui shengbao
Sep 25 '17 at 6:45













Hi, not yet, I'm waiting on the other party to review their side of the tunnel

– user2713516
Sep 25 '17 at 13:14





Hi, not yet, I'm waiting on the other party to review their side of the tunnel

– user2713516
Sep 25 '17 at 13:14











0














What kind of VPN did you provision? If you're not using Basic, BGP will automatically set up the needed routes for you.



If it's basic, then you will need to set up a route table in Azure yourself to direct traffic to the correct network.



Set up the route table like this:



enter image description here



You should have the GatewaySubnet and your local subnet in the table with the next hop being the Virtual network gateway.



If that doesn't work, use the IP flow verify option to ensure traffic can get through your security groups. By default RDP should be reachable even if ping is not, so try different ports.






share|improve this answer
























  • It's the basic tier, never knew something like that was needed...I'll have a look at it tomorrow, thanks

    – user2713516
    Sep 17 '17 at 5:45











  • I created the routing table, and added the route, but then noticed via the Effective routes-page that the route already existed...so apparently that was already configured properly.

    – user2713516
    Sep 18 '17 at 5:16
















0














What kind of VPN did you provision? If you're not using Basic, BGP will automatically set up the needed routes for you.



If it's basic, then you will need to set up a route table in Azure yourself to direct traffic to the correct network.



Set up the route table like this:



enter image description here



You should have the GatewaySubnet and your local subnet in the table with the next hop being the Virtual network gateway.



If that doesn't work, use the IP flow verify option to ensure traffic can get through your security groups. By default RDP should be reachable even if ping is not, so try different ports.






share|improve this answer
























  • It's the basic tier, never knew something like that was needed...I'll have a look at it tomorrow, thanks

    – user2713516
    Sep 17 '17 at 5:45











  • I created the routing table, and added the route, but then noticed via the Effective routes-page that the route already existed...so apparently that was already configured properly.

    – user2713516
    Sep 18 '17 at 5:16














0












0








0







What kind of VPN did you provision? If you're not using Basic, BGP will automatically set up the needed routes for you.



If it's basic, then you will need to set up a route table in Azure yourself to direct traffic to the correct network.



Set up the route table like this:



enter image description here



You should have the GatewaySubnet and your local subnet in the table with the next hop being the Virtual network gateway.



If that doesn't work, use the IP flow verify option to ensure traffic can get through your security groups. By default RDP should be reachable even if ping is not, so try different ports.






share|improve this answer













What kind of VPN did you provision? If you're not using Basic, BGP will automatically set up the needed routes for you.



If it's basic, then you will need to set up a route table in Azure yourself to direct traffic to the correct network.



Set up the route table like this:



enter image description here



You should have the GatewaySubnet and your local subnet in the table with the next hop being the Virtual network gateway.



If that doesn't work, use the IP flow verify option to ensure traffic can get through your security groups. By default RDP should be reachable even if ping is not, so try different ports.







share|improve this answer












share|improve this answer



share|improve this answer










answered Sep 15 '17 at 22:20









Nathan CNathan C

13.8k33561




13.8k33561













  • It's the basic tier, never knew something like that was needed...I'll have a look at it tomorrow, thanks

    – user2713516
    Sep 17 '17 at 5:45











  • I created the routing table, and added the route, but then noticed via the Effective routes-page that the route already existed...so apparently that was already configured properly.

    – user2713516
    Sep 18 '17 at 5:16



















  • It's the basic tier, never knew something like that was needed...I'll have a look at it tomorrow, thanks

    – user2713516
    Sep 17 '17 at 5:45











  • I created the routing table, and added the route, but then noticed via the Effective routes-page that the route already existed...so apparently that was already configured properly.

    – user2713516
    Sep 18 '17 at 5:16

















It's the basic tier, never knew something like that was needed...I'll have a look at it tomorrow, thanks

– user2713516
Sep 17 '17 at 5:45





It's the basic tier, never knew something like that was needed...I'll have a look at it tomorrow, thanks

– user2713516
Sep 17 '17 at 5:45













I created the routing table, and added the route, but then noticed via the Effective routes-page that the route already existed...so apparently that was already configured properly.

– user2713516
Sep 18 '17 at 5:16





I created the routing table, and added the route, but then noticed via the Effective routes-page that the route already existed...so apparently that was already configured properly.

– user2713516
Sep 18 '17 at 5:16


















draft saved

draft discarded




















































Thanks for contributing an answer to Server Fault!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f873467%2fazure-vpn-site-to-site-connected-but-host-not-reachable%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

As a Security Precaution, the user account has been locked The Next CEO of Stack OverflowMS...

Image
Could a dragon use its wings to swim? Is it a bad idea to plug the other end of ESD strap to wall ground? How can I prove that a state of equilibrium is unstable? Compilation of a 2d array and a 1d array pgfplots: How to draw a tangent graph below two others? How dangerous is XSS Gauss' Posthumous Publications? How to implement Comparable so it is consistent with identity-equality What does this strange code stamp on my passport mean? "Eavesdropping" vs "Listen in on" Which acid/base does a strong base/acid react when added to a buffer solution?
Read more

Список ссавців Італії Природоохоронні статуси | Список |...

Image
Списки ссавцівФауна ІталіїСписки:ІталіяСсавці Італії ІталіїМСОПХижіCetartiodactylaРукокриліКомахоїдніЗайцеподібніГризуниМСОП ссавці Італії ? Італія Біорегіон Біогеографічний екорегіон Голарктика Екозона Палеарктика Біом субтропічний ліс, альпійські луки, прісні води, континентальний шельф, континентальний схил Місцевість Континент Європа Країна Італія Територія Середземне море Фауна більшого обсягу За географією фауна Європи За систематикою ссавці, фауна Італії За екологією суходільна фауна, морська фауна За біогеографією теріофауна Європи Геологічний вік сучасність Особливості Видовий обсяг 121 Чужорідні види Genetta genetta, Ondatra zibethicus, Oryctolagus cuniculus, Rattus norvegicus, Rattus rattus, Sciurus carolinensis, Tamias sibiricus Список ссавців Італії містить перелік видів, записаних на території Італії (південна Європа) згідно з
Read more

Українські прізвища Зміст Історичні відомості |...

Image
АдигськіАбхазькіАзербайджанські [en] Албанські [en] АлтайськіАмериканські [en] Афроамериканські [en] АнглійськіАрабськіБашкирськіБілоруські [en] прізвищаБолгарські [en] БоснійськіБурятськіВельські [en] ВепськіВ'єтнамські [en] Вірменські [en] Гавайські [en] ГолландськіГрецькіГрузинськіДанськіЕстонськіЄврейські [en] Юдейські [en] Ефіопія/Еритрея [en] Зімбабвійські [en] Індіанські [en] ІндійськіІндонезійські [en] Ірландські [en] ІсландськіІспанські і португальськіІталійськіКалмицькі [en] КарельськіКазахськіКамбоджійські [en] Канадські [en] КіргизькіКитайські [en] КоміКорейськіЛатиськіЛитовські [en] Лаоські [en] МарійськіМакедонські [en] Малазійські [en] Монгольські [en] МордовськіНімецькіНорвезькіОсетинськіПерські [en] ПольськіПрибалтійськіПортугальськіРосійськіпрізвищаРумунськіСербськіСкандинавськіСлов'янськіСахаСловацькі [en] Сомалійські [en] ТайванськіТайські [en] Татарські [en] ТибетськіТувинськіТурецькі [en] УгорськіУдмуртськіУкраїнськіпрізвищаФіджійські [en] ФінськіФранцузьк
Read more