Azure Site to Site VPN
I've setup a site to site VPN from my M570 running 12.6.2 to Azure using the instructions here https://techsearch.watchguard.com/KB/?type=KBArticle&SFDCID=kA22A000000XZogSAG&lang=en_US and here https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal . I used the ROUTE based option with a BOVPN Virtual Interface. I see in the System Manager and in Azure that the tunnel is connected and on the Firebox System Manager I see that traffic is being Sent from my on premise network to the Azure network but nothing is being received back from Azure. The on premise network I defined is 10.30.0.0/16 and the Azure Virtual Network is 10.75.0.0/16, with the Virtual Network Gateway being 10.75.0.0/27. I created a Route Table with settings of a route of 10.30.0.0/16 with the next hop being the "Virtual network gateway" and subnet of 10.75.3.0/24, which represents the subnet that is intended for some servers. I've put a couple of hosts on that subnet and have tried using the default rule on one of allowing RDP in, but I can't RDP or ping that device. On others, I've done an AllowAll rule for both inbound and outbound, but still can't get any type of response. As a side note, if I go into the Overview tab of the Virtual Network Gateway, it is showing INGRESS and EGRESS traffic. What am I missing?
Comments
When I look at the "Effective Routes" on the route table I created, it shows one with a source of "User" that is active with the address prefix of 10.30.0.0/16 and Next Hop Type with the value of "Virtual Network Gateway" and another with a source of "Virtual network gateway" that is in an "INVALID" state. This one also has the address prefix of 10.30.0.0/16 and Virtual network gateway as the next hop, but also includes a Next Hop IP Address, which is the address that was assigned when setting up the virtual network gateway, and is what was used as the remote gateway IP in the Watchguard config.
Hi Richard,
Thanks for writing in today.
It sounds like the Azure side might not be routing the traffic to the right place. Make sure the IP forwarding setting is enabled in your VM's IP configuration:
See the screenshot here with that setting highlighted:
https://www.sanganakauthority.com/2021/03/transitive-routing-in-azure-vnet.html
-James Carson
WatchGuard Customer Support
Thanks, but I don't think that's it as it pertains to two virtual networks. I had it working the other day without any forwarding like that, then I added a storage account and that's when I blew it all up. I removed everything and started again and am running into this issue now.
I'd suggest opening a support case, possibly with WatchGuard, definetely with Azure.
-James Carson
WatchGuard Customer Support
So this issue was resolved, a reboot of the firebox and then upgrading from 12.6.2 to 12.7 fixed it. Ugh.