Hey Guys,
We just deployed a VM500 in Azure. I have a PA-440 in my office and a separate ISP with a static IP. I’ve gone ahead and set up a regular IPSec S2S tunnel from this PA-440 to my VM500 in Azure. What I’m seeing in the sniffer on both my PA-440 and the Azure VM500 is that outbound traffic is taking the proper rulesets for the VPN to each other’s respective peer networks just fine, but neither is receiving anything coming back. I have spent about 12 hours reviewing the configs and I do not see anything amiss on either side. At this point, I am looking at Azure as the issue and I’m wondering if there is anything we’re missing on the Azure end for this thing to actually pass the traffic.
We are BGP peered from the VM500 to the vWAN in Azure where the test machine resides. I am redistributing static routes into BGP on my VM500 so that the vWAN learns about the branch. The NSGs in Azure are all set to permit any any on all the NICs. The Untrust public IP set in Azure is deNATing properly to the untrust private IP set directly on the Untrust port in the VM500. I can access the VM500 over the open internet via the Untrust public IP.
Has anyone run into that and if so, what was the fix? For what it’s worth, I have an ASA in Azure as well that needs to receive other branch S2S tunnels, and that has the exact same problem, which is furthering my theory that it’s something not right in Azure.
Edit: Windows firewall is off on both sides. Ping is allowed everywhere. Have reloaded both the PA-440 and the VM500. Have run all the restart commands for the VPNs on both sides. No change.
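Added example (not from the original poster): a read-only Azure PowerShell check of the three Azure-side items that decide whether return traffic for a VM-Series S2S tunnel ever reaches the firewall, i.e. IP forwarding on the firewall NICs, the effective route for the branch prefix on the test VM's NIC, and the effective NSG rules as actually applied. The resource group, NIC names and branch prefix are hypothetical placeholders; it assumes the Az module and an existing Connect-AzAccount session.

```powershell
# Hypothetical names; replace with the real resource group, NICs and branch LAN.
$rg           = 'rg-hub-firewall'
$fwTrustNic   = 'vm500-trust-nic'
$fwUntrustNic = 'vm500-untrust-nic'
$testVmNic    = 'testvm-nic'
$branchPrefix = '192.168.50.0/24'   # branch LAN behind the PA-440 (constructed)

# 1. IP forwarding must be enabled on every firewall NIC that forwards traffic,
#    otherwise Azure silently drops packets whose source or destination is not
#    the NIC's own private IP (decrypted branch traffic leaving the trust NIC).
foreach ($nic in @($fwTrustNic, $fwUntrustNic)) {
    $n = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nic
    $status = if ($n.EnableIPForwarding) { 'OK' } else { 'MISSING' }
    Write-Output "[$status] IP forwarding on $nic"
}

# 2. The test VM's effective routes must carry the branch prefix with a next hop
#    that leads back to the firewall through the vWAN hub; if the prefix is
#    absent, replies follow the default route and never enter the tunnel.
$routes = Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $testVmNic
$branchRoute = $routes | Where-Object { $_.AddressPrefix -contains $branchPrefix } |
    Select-Object -First 1
if ($branchRoute) {
    Write-Output ("[OK] route {0} -> {1} {2}" -f $branchPrefix,
        $branchRoute.NextHopType, ($branchRoute.NextHopIpAddress -join ','))
} else {
    Write-Output "[MISSING] no effective route for $branchPrefix on $testVmNic"
}

# 3. Effective NSG rules on the test VM NIC: this merges NIC- and subnet-level
#    NSGs, so it shows what is really enforced rather than what one NSG says.
$nsg = Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName $testVmNic
$nsg.EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Run the same route and NSG checks against the firewall's trust NIC as well, since an asymmetric result between the two NICs points at the Azure routing rather than the tunnel configuration.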