BenLevy-4415 asked BenLevy-4415 answered

Azure P2S RDP over VPN

I have followed and set up the MS documentation for creating a P2S VPN. All is well except that I cannot RDP to the VM.

I suspect this has something to do with the NSG and/or subnet.

I can see the internal IPs and VM names with PS > Get-AzNetworkInterface

TestVM: 10.0.1.4,Dynamic
database: 10.0.0.4,Dynamic
web1: 10.0.0.5,Dynamic

ipconfig /all gives me this:

PPP adapter RemoteVNet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RemoteVNet
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.5.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled

NOTE: the IP is in the expected range.

route PRINT gives this:

===========================================================================
Interface List
21...2c 4d 54 55 48 9d ......Realtek PCIe GBE Family Controller
38...........................RemoteVNet
7...00 ff 24 9d d2 74 ......TAP-Windows Adapter V9
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table


Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.73 25
10.1.0.0 255.255.0.0 On-link 192.168.5.2 43
10.1.255.255 255.255.255.255 On-link 192.168.5.2 281
20.98.103.84 255.255.255.255 192.168.1.254 192.168.1.73 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.1.0 255.255.255.0 On-link 192.168.1.73 281
192.168.1.73 255.255.255.255 On-link 192.168.1.73 281
192.168.1.255 255.255.255.255 On-link 192.168.1.73 281
192.168.5.0 255.255.255.0 On-link 192.168.5.2 43
192.168.5.2 255.255.255.255 On-link 192.168.5.2 281
192.168.5.255 255.255.255.255 On-link 192.168.5.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.1.73 281
224.0.0.0 240.0.0.0 On-link 192.168.5.2 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.1.73 281
255.255.255.255 255.255.255.255 On-link 192.168.5.2 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table


Active Routes:
If Metric Network Destination Gateway
21 281 ::/0 fe80::7add:12ff:feef:4d28
1 331 ::1/128 On-link
21 41 2001:569:fd0c:3500::/56 fe80::7add:12ff:feef:4d28
21 281 2001:569:fd0c:3500::/64 On-link
21 281 2001:569:fd0c:3500:717e:8e55:c07a:f29/128
On-link
21 281 2001:569:fd0c:3500:c125:a97f:b341:15d7/128
On-link
21 281 fe80::/64 On-link
21 281 fe80::717e:8e55:c07a:f29/128
On-link
1 331 ff00::/8 On-link
21 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None



However, I cannot RDP to any of my VMs.

What should I look at?

All the VMs were created before the VPN stuff.

remote-desktop-services azure-vpn-gateway

@BenLevy-4415 What network are you trying to reach? Is it the 10.0.0.0/16 network? The route table only shows routes for the 10.1.0.0/16 network.

SaiKishor-MSFT answered LeilaKong-MSFT commented

The issue has been resolved at the moment. The issue at hand was that the VNet associated with the P2S VPN is different and is on the 10.1/16 network. The suggestion was to either move the unreachable VMs to this VNet connected to the P2S VPN or associate a new P2S VPN with the other VNet. Thank you!


Thanks for your update and effort!
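
The diagnosis in this answer can be reproduced from the client side alone. The following is an added example, not code from any of the posts: it parses the unicast IPv4 rows of the `route PRINT` output in the question and applies longest-prefix matching to show which interface traffic to each VM address would use. The function names are hypothetical.

```python
import ipaddress

# Unicast IPv4 rows copied from the `route PRINT` output in the question.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.73 25
10.1.0.0 255.255.0.0 On-link 192.168.5.2 43
20.98.103.84 255.255.255.255 192.168.1.254 192.168.1.73 26
192.168.1.0 255.255.255.0 On-link 192.168.1.73 281
192.168.5.0 255.255.255.0 On-link 192.168.5.2 43
"""
VPN_INTERFACE = "192.168.5.2"  # PPP adapter RemoteVNet address from ipconfig
VM_ADDRESSES = {"TestVM": "10.0.1.4", "database": "10.0.0.4", "web1": "10.0.0.5"}


def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headers, separators and blank lines
        dest, mask, gateway, iface, metric = fields
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}")
            routes.append({"network": network, "gateway": gateway,
                           "interface": iface, "metric": int(metric)})
        except ValueError:
            continue  # not a route row
    return routes


def select_route(routes, address):
    """Longest-prefix match; the lowest metric breaks ties."""
    ip = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if ip in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def vpn_reachability(routes, targets, vpn_interface):
    """Map each target to True if its traffic leaves through the VPN interface."""
    result = {}
    for name, address in targets.items():
        route = select_route(routes, address)
        result[name] = route is not None and route["interface"] == vpn_interface
    return result


if __name__ == "__main__":
    print(vpn_reachability(parse_routes(ROUTE_PRINT), VM_ADDRESSES, VPN_INTERFACE))
```

Every VM address in the question falls through to the default route on the local LAN interface, while an address inside 10.1.0.0/16 would be sent over the VPN adapter.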

AndreasBaumgarten answered

Hi @BenLevy-4415 ,

are you using Network Security Groups (NSGs) associated with the VMs or associated to the Virtual Network subnets?
If so you should add a Security Rule that allows Inbound RDP (TCP Port 3389) to the NSGs.

In most cases this will fix the issue.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

BenLevy-4415 answered AndreasBaumgarten commented

@AndreasBaumgarten

Thanks. The RDP Inbound rule is there. The source IP should be valid for the IP obtained by the VPN connection (see above).

97991-image.png




@BenLevy-4415

What happens if you change Source to Any - just for testing!



Regards
Andreas Baumgarten

BenLevy-4415 answered

@AndreasBaumgarten

If I change the source to "Any", then I can connect using the Public IP (as expected), but not using the Private IP (1.0.0.4).

The connection to the Public IP would just go through my normal internet connection.

AndreasBaumgarten answered

@BenLevy-4415 ,

you could try the Connection troubleshoot option to verify the communication isn't blocked.

Here is how it looks when the connectivity is blocked:

98002-image.png


And here connectivity is allowed:

97985-image.png



Regards
Andreas Baumgarten


BenLevy-4415 answered

It is not working.

97974-image.png



AndreasBaumgarten answered SaiKishor-MSFT commented

Hi @BenLevy-4415 ,

I thought something like this ;-)

It's possible to have more NSGs in your environment:

  • One NSG associated with the VM

  • One NSG associated with the subnet the VM is connected to

Both NSGs must allow Inbound TCP 3389.



Regards
Andreas Baumgarten



Adding to Andreas's answer, please check your effective security group rules, which show the configured NSGs and rules that are associated at a NIC and subnet level for a virtual machine. Here are more details for the same.
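
The two-level check described in this answer and comment, as an added example that is not part of the original posts: a simplified model of inbound NSG evaluation, where the subnet NSG is processed before the NIC NSG and the first matching rule by priority decides. The rule sets, priorities and the 192.168.5.0/24 pool are constructed for illustration, and service tags and the default allow rules are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    source: str     # CIDR prefix or "*"; service tags are not modelled
    port: str       # destination port or "*"
    action: str     # "Allow" or "Deny"


# Final default rule of every NSG. The default allow rules are left out, so this
# model is only meaningful when an explicit rule decides the outcome.
DENY_ALL_INBOUND = Rule(65500, "*", "*", "Deny")


def nsg_decision(rules, source_ip, port):
    """Return the first rule, in priority order, that matches source and port."""
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted([*rules, DENY_ALL_INBOUND], key=lambda r: r.priority):
        source_ok = rule.source == "*" or ip in ipaddress.ip_network(rule.source)
        port_ok = rule.port == "*" or int(rule.port) == port
        if source_ok and port_ok:
            return rule
    raise RuntimeError("unreachable: DENY_ALL_INBOUND matches everything")


def inbound_allowed(subnet_nsg, nic_nsg, source_ip, port):
    """Check the subnet NSG first, then the NIC NSG; both must allow.
    None means no NSG is associated at that level, so nothing is filtered there."""
    for level, rules in (("subnet", subnet_nsg), ("NIC", nic_nsg)):
        if rules is None:
            continue
        rule = nsg_decision(rules, source_ip, port)
        if rule.action == "Deny":
            return False, f"{level} NSG rule {rule.priority}"
    return True, "allowed by every associated NSG"


# Constructed rule sets. 192.168.5.0/24 is assumed to be the P2S client pool,
# matching the 192.168.5.2 address the VPN adapter received in the question.
P2S_POOL = "192.168.5.0/24"
NIC_NSG = [Rule(100, P2S_POOL, "3389", "Allow")]
SUBNET_NSG_BLOCKING = [Rule(200, "*", "3389", "Deny")]
SUBNET_NSG_FIXED = [Rule(150, P2S_POOL, "3389", "Allow"), Rule(200, "*", "3389", "Deny")]
```

With `SUBNET_NSG_BLOCKING`, RDP from 192.168.5.2 is refused at the subnet level even though the NIC NSG allows it; `SUBNET_NSG_FIXED` admits the VPN pool while still denying other sources.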


BenLevy-4415 answered SaiKishor-MSFT commented

I don't think that is the issue, but I have no idea of where to go look.

This shows the effective rules. The one that is open is just so I can get to the vm for now.

98011-image.png




@BenLevy-4415 Are you able to RDP now with the above rules? 300 & 310?

BenLevy-4415 answered SaiKishor-MSFT edited

I will pay someone to help me sort this out.

AndreasBaumgarten answered

@BenLevy-4415

I asked before but didn't get an answer:
What happens if you change Source to Any - Just for testing!



Regards
Andreas Baumgarten
