Thursday, November 21, 2019

Strange behavior on IPsec tunnel between Azure and Palo Alto

I'm trying to troubleshoot a weird issue between our Azure network and one of our servers in a DMZ behind a Palo Alto firewall. The IPsec tunnel is already routing traffic for a bunch of /23 networks in Azure and it is working with no issues. Traffic to and from the /23 to the DMZ is working fine.

Today we added a new Azure /23 to the Proxy ID list on the Palo Alto side of the tunnel, but the DMZ is unreachable. We don't see any traffic in the Palo Alto logs coming in from Azure to the DMZ. After a while we realized that starting a ping from the DMZ to the Azure host "opens up" traffic and everything seems to work as expected.

Reading online, it seems this is a known behavior when there is a mismatch in the IPsec keep-alive SA configuration. However, the existing /23 networks are working just fine; we only have this issue on the new subnet we added. Also, there is no traffic in the Palo Alto logs that tells me the Azure VM is even hitting the firewall, so I can't look into updating rules.

Is there anything obvious that I am missing?
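The behavior described above (a freshly added proxy ID carrying nothing until the Palo Alto side sends first) is what you get when each proxy-ID pair is its own child SA that is negotiated on demand by whichever side first has matching traffic. The following Python model is an added illustration, not code from the post, from PAN-OS or from Azure. It assumes a policy-based setup where (a) each proxy-ID pair gets its own child SA, (b) the responder rejects a CREATE_CHILD_SA whose traffic selectors are not the exact mirror of one of its own proxy IDs, and (c) the Azure side, modeled as `initiates_on_demand=False`, never brings up the missing child SA itself; that last point is an assumption made to reproduce what the post reports, not a documented Azure property. All subnets are constructed sample values.

```python
"""Toy model of per-proxy-ID IPsec child SAs brought up on demand.

Added example; not PAN-OS or Azure code. Assumptions are noted inline.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class ProxyId:
    """One proxy ID / traffic-selector pair as seen from one peer."""
    local: IPv4Network
    remote: IPv4Network

    def mirror(self) -> "ProxyId":
        # What the other side must have configured for the pair to match.
        return ProxyId(self.remote, self.local)

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote


@dataclass
class Peer:
    name: str
    proxy_ids: list = field(default_factory=list)
    # Established child SAs, keyed by the proxy ID they were negotiated for.
    child_sas: set = field(default_factory=set)
    # Assumption: a side that does not initiate a child SA for traffic
    # without one simply has that traffic dropped before it reaches the peer.
    initiates_on_demand: bool = True

    def add_proxy_id(self, local: str, remote: str) -> None:
        self.proxy_ids.append(ProxyId(ip_network(local), ip_network(remote)))

    def policy_for(self, src: IPv4Address, dst: IPv4Address):
        return next((p for p in self.proxy_ids if p.matches(src, dst)), None)


def negotiate_child_sa(initiator: Peer, responder: Peer, pid: ProxyId) -> bool:
    """CREATE_CHILD_SA reduced to a selector check: the responder must hold the
    exact mirror-image proxy ID, otherwise it rejects and no SA is created."""
    if pid.mirror() not in responder.proxy_ids:
        return False
    initiator.child_sas.add(pid)
    responder.child_sas.add(pid.mirror())
    return True


def send(src_peer: Peer, dst_peer: Peer, src: str, dst: str) -> str:
    """Describe what happens to one packet leaving src_peer's side."""
    s, d = ip_address(src), ip_address(dst)
    pid = src_peer.policy_for(s, d)
    if pid is None:
        return "dropped: no proxy ID matches"
    if pid not in src_peer.child_sas:
        if not src_peer.initiates_on_demand:
            return "dropped: no child SA yet and this side does not initiate"
        if not negotiate_child_sa(src_peer, dst_peer, pid):
            return "dropped: peer rejected traffic selectors"
    return "delivered over child SA"


def scenario() -> dict:
    """Reproduce the post's sequence with constructed subnets."""
    palo = Peer("palo-alto")
    azure = Peer("azure", initiates_on_demand=False)  # assumption, see lead-in
    dmz, old_net, new_net = "192.0.2.0/24", "10.10.0.0/23", "10.10.2.0/23"
    palo.add_proxy_id(dmz, old_net)
    azure.add_proxy_id(old_net, dmz)
    # The existing /23 has been in use for a while: its child SA is already up.
    negotiate_child_sa(palo, azure, palo.proxy_ids[0])
    # Today: the new /23 is added on both sides, but no SA exists for it yet.
    palo.add_proxy_id(dmz, new_net)
    azure.add_proxy_id(new_net, dmz)
    return {
        "old_net_from_azure": send(azure, palo, "10.10.0.7", "192.0.2.10"),
        "new_net_from_azure": send(azure, palo, "10.10.2.5", "192.0.2.10"),
        "ping_from_dmz": send(palo, azure, "192.0.2.10", "10.10.2.5"),
        "new_net_from_azure_after": send(azure, palo, "10.10.2.5", "192.0.2.10"),
        "child_sas_on_palo": len(palo.child_sas),
    }


def mismatch_scenario() -> str:
    """Same setup, but the Azure side has the new subnet entered as a /24:
    the selectors are no longer mirror images, so even the DMZ-initiated
    ping cannot bring the child SA up."""
    palo = Peer("palo-alto")
    azure = Peer("azure", initiates_on_demand=False)
    palo.add_proxy_id("192.0.2.0/24", "10.10.2.0/23")
    azure.add_proxy_id("10.10.2.0/24", "192.0.2.0/24")
    return send(palo, azure, "192.0.2.10", "10.10.2.5")


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
    print("mismatch:", mismatch_scenario())
```

The two things worth checking against this model on a real box are whether a child SA for the new proxy-ID pair exists at all before the DMZ-side ping (on PAN-OS, `show vpn ipsec-sa` and `show vpn flow` list the established SAs and their selectors), and whether the selector configured on the Azure side is the exact mirror of the new Palo Alto proxy ID, since in the model a /24-vs-/23 mismatch means the SA never comes up from either side.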


