Problem with Azure-VyOS tunnel

Hello everyone, I set up a VPN (IPsec) tunnel between Azure and VyOS. Everything is working fine, but I don't have ping to some Azure VM ranges!
For example, I can ping everything from 10.0.48.0, but I can't do the same from 10.0.5.0!
Do I need to add something in BGP?

admin@FW:~$ show ip bgp neighbors 10.0.0.254 advertised-routes
BGP table version is 9, local router ID is x.x.x.x, vrf id 0
Default local pref 100, local AS 65537
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0/20 10.0.0.254 0 65512 i
*> 10.0.16.0/20 10.0.0.254 0 65512 i
*> 10.0.32.0/20 10.0.0.254 0 65512 i
*> 10.0.48.0/20 10.0.0.254 0 65512 i

Try to check if echo requests are coming to the virtual machine.
Do echo responses come out from the VM?
Also, please check the Azure routing tables. Maybe there is some wrong routing.

Thanks @Viacheslav, I checked the routing table, it was fine!
How can I check echo requests?

Also, can I add 10.0.5.0 to the BGP neighbor's advertised routes?

10.0.5.0 is included in the bigger prefix 10.0.0.0/20.

Did you check the routing tables on the Azure portal? On the Azure portal, check the network interface "IP Forwarding" option is "Enabled", and check the in/out network security groups.

Thanks @Viacheslav, I checked it and enabled IP forwarding for it (it was disabled on the fine VM too), but I don't have anything in the network security group, it's none!

I also did something else:
when I ping 10.237.0.201 from a VM (inside Azure) and monitor 10.0.5.6 (the VM IP) from VyOS, I get this:

admin@FW0:~$ monitor traffic interface eth0 filter "host 10.0.5.6"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:47:52.466629 IP 10.0.5.6 > 10.237.0.201: ICMP echo request, id 1, seq 210, length 40
19:47:52.466795 IP 10.237.0.201 > 10.0.5.6: ICMP echo reply, id 1, seq 210, length 40
19:47:57.483748 IP 10.0.5.6 > 10.237.0.201: ICMP echo request, id 1, seq 211, length 40
19:47:57.483935 IP 10.237.0.201 > 10.0.5.6: ICMP echo reply, id 1, seq 211, length 40
19:48:02.475238 IP 10.0.5.6 > 10.237.0.201: ICMP echo request, id 1, seq 212, length 40

Hi @Viacheslav,
I checked everything inside Azure, and now in/out is enabled in the NSG. I have ping replies on the eth0 interface, but I don't see them on the vti1 interface for the VPN. For the host 10.0.5.4, no replies get back through the vti1 interface.

That's the main crux of the issue - traffic can hit the eth0 interface, but it won't come back out the vti1 interface. This is what leads me to believe there is either some routing rule or filter which is stopping the traffic going back over the vti1 VPN interface.

Regards
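As an added example (not code from the thread or from VyOS), a small Python script that automates the two checks discussed above: which advertised BGP prefix covers a VM address such as 10.0.5.6, and which ICMP echo requests in a `monitor traffic` capture never got a matching reply, so the same capture taken on eth0 and on vti1 can be compared. The prefix list and capture lines below are copied from the thread's output as sample input.

```python
import ipaddress
import re
from collections import OrderedDict

# Sample input: the prefixes from the thread's "show ip bgp ... advertised-routes".
ADVERTISED = ["10.0.0.0/20", "10.0.16.0/20", "10.0.32.0/20", "10.0.48.0/20"]

# Sample input: the eth0 capture from the thread (seq 212 has no reply in the snippet).
CAPTURE = """
19:47:52.466629 IP 10.0.5.6 > 10.237.0.201: ICMP echo request, id 1, seq 210, length 40
19:47:52.466795 IP 10.237.0.201 > 10.0.5.6: ICMP echo reply, id 1, seq 210, length 40
19:47:57.483748 IP 10.0.5.6 > 10.237.0.201: ICMP echo request, id 1, seq 211, length 40
19:47:57.483935 IP 10.237.0.201 > 10.0.5.6: ICMP echo reply, id 1, seq 211, length 40
19:48:02.475238 IP 10.0.5.6 > 10.237.0.201: ICMP echo request, id 1, seq 212, length 40
""".strip().splitlines()

# Matches tcpdump-style lines as printed by "monitor traffic" for ICMP echo packets.
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def covering_prefix(host, prefixes):
    """Return the most specific advertised prefix containing host, or None if not advertised."""
    addr = ipaddress.ip_address(host)
    matches = [ipaddress.ip_network(p) for p in prefixes if addr in ipaddress.ip_network(p)]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None


def unanswered_echo_requests(lines):
    """Pair echo requests with replies by (src, dst, id, seq); return requests with no reply."""
    pending = OrderedDict()
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # skip tcpdump banner lines and non-ICMP traffic
        key = (m["src"], m["dst"], int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            pending[key] = line.strip()
        else:
            # A reply answers the request with src and dst swapped.
            pending.pop((m["dst"], m["src"], int(m["id"]), int(m["seq"])), None)
    return list(pending.values())


if __name__ == "__main__":
    print("10.0.5.6 is covered by:", covering_prefix("10.0.5.6", ADVERTISED))
    for req in unanswered_echo_requests(CAPTURE):
        print("no reply seen for:", req)
```

Run it once against the eth0 capture and once against a vti1 capture; requests that are answered on eth0 but unanswered on vti1 point at the return path, as suspected in the thread.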

Do you use VyOS on Azure from the marketplace?

No, I have VyOS on my vCenter and we have a VPN tunnel between them.