Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
323 questions
certain tcp traffic not showing at the Azure palo alto firewall
Vanessa Xu
0
Reputation points
Certain TCP traffic not showing at the Azure Palo firewalls. There are tcp traffic from on-prem to Azure test subnet vm.
The connection path is as below: on-prem user laptop -> onprem palo fw -> express route ->Azure Palo fw -> test vm. There is no NSG on any of the interfaces at Azure side. The RDP traffic from the on-prem user laptop can reach the test vm no problem (tcp 3389). The smb (i.e. TCP 139) traffic from the on-prem user laptop can only shown at the on-prem fw log, showing it was allowed and went out the same path to the express route, but timeout status.
The smb traffic is not showing at the Azure palo fw. ( why the smb traffic disappeared after existing the on-prem fw?) The only difference is the on-prem laptop (prd domain) and the azure vm (test domain) belong to different AD domain controllers, with the same domain name.
No drop packets on either palo fw.
{count} votes
-
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee2024-02-28T09:27:01.76+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
If my understanding is correct, you are routing all traffic from Azure ExpressRoute to a 3rd party NVA in Azure (Palo Alto).
- There are no port restrictions in Azure ExpressRoute
- The fact that RDP works but SMB (139) doesn't indicates there could be some firewall rules blocking at the NVA
- As next steps, I would suggest you to bypass the NVA and test the same.
- You can fine tune to the UDRs so that the traffic from a particular OnPrem IP bypasses the NVA and directly reaches it's target
- Did you collect packet captures at the NVA ? If not, please do so
- Were you able to see the SMB packets here?
- Can you confirm that SMB traffic to this testVM from a different VM in the same VNET works?
Cheers,
Kapil
-
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee
2024-03-01T09:50:11.8866667+00:00 Reaching out to check if there are any questions on this.
Please let us know if we can be of any further assistance here.
Thanks,
Kapil
-
Vanessa Xu 0 Reputation points
2024-03-22T16:56:32.1966667+00:00 since the SMB is the Azure file sync service, not sure if this is the reason. set up a VM in the subnet, the RDP session to the vm shows in the Azure firewall. But the file sync service (not a VM) can't be seen on the Azure firewall.
-
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee
2024-03-22T17:16:51.22+00:00 Can you share the document you followed to set up Azure file sync service?
Please note only services that are deployed in a VNET can be routed via an NVA (such as Azure Firewall)
Cheers,
Kapil
-
Vanessa Xu 0 Reputation points
2024-03-22T17:51:53.4533333+00:00 it is in a VNET subnet. we have a similar issue now with sql data storage service in a subnet in the dev vnet. i will get more info.
-
Vanessa Xu 0 Reputation points
2024-03-22T20:16:13.57+00:00 @KapilAnanth-MSFT do you mean VNet-local endpoint?
-
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee
2024-03-23T07:17:01.2033333+00:00 - Is the Azure file sync service a PaaS Service?
- or Is it deployed inside a VM in the VNET
VMs by default are part of VNET.
However, PaaS Services by default are not. You have the ability to integrate them into a VNET's subnet using VNET Delegation.
If you have integrated your PaaS Service to VNET, only then can you influence the routing.
So,
- Please share the architecture diagram of your set up.
- And the docs you used for configuring Azure file sync service
Thanks,
Kapil
-
Vanessa Xu 0 Reputation points
2024-03-27T14:37:08.6333333+00:00 forced traffic to the test vm via onprem to Azure VPN, the traffic shows on the Azure Palo firewall log. Seems the the express route blocks certain traffic. Where to check this?
-
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee
2024-03-28T05:49:28.2633333+00:00 We cannot collect a packet capture on an ExpressRoute Circuit/Gateway.
Also, I see the issue is happening only with certain ports.
To troubleshoot further, we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue.
If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support
Cheers,
Kapil
-
Vanessa Xu 0 Reputation points
2024-03-28T13:37:05.82+00:00 Thank you, Kapil!
we have a ticket open with Azure and will have a session this afternoon.
-
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee
2024-03-29T11:46:57.66+00:00 You are welcome.
Sure, you can update this thread once you have the root cause found.
Cheers,
Kapil
Sign in to comment