The problem I can’t figure out: An Azure virtual network cannot communicate with another Azure virtual network through our Sonicwall TZ-215.

The deets:
Both have full connectivity to/from any host on our on-prem network (LAN zone)
Both are connected via VPN tunnels
Both are in the VPN zone
Both have Address Objects defined for each network in the Sonicwall
Both have two-way “allow any any” firewall rules for VPN<–>VPN connections
Both have static routing set for each other

Finally, and this might show it’s not the Sonicwall at all, if I ping from a host on either of the Azure VNs to a LAN host, I can see the packets coming in on the Sonicwall packet monitor. If I try to ping an IP in the opposite Azure VN, I don’t see any packets… as if the Azure gateway is not forwarding them.

So, anyone know, is this an Azure problem or a Sonicwall problem?

2 Spice ups

Sounds like the Sonicwall is not set up correctly.

Have you called Dell support?

@joan-sonicwall

I thought I knew my Sonicwall well enough that it’s set up correctly… but yes, I’ll try Sonicwall support.

I’d say your Sonicwall isn’t set up to allow ICMP between VPN tunnels.

The above is my VPN-to-VPN setup; the two circled cannot communicate. ICMP will go through if I have them set to allow any any, right?

Still waiting for Sonicwall’s response.

So it seems this could be an Azure thing. I was on a screenshare with Sonicwall support and they couldn’t get it to work either. I confirmed with him that packets were not reaching the Sonicwall if we pinged from Azure network 1 to Azure network 2. We could see the packets hitting if we pinged from either Azure network to a LAN host.

So my next theory is it’s something with the Azure gateway. I can’t for the life of me find anywhere in the Azure portal to set static routes… though maybe there’s a way to do it in Azure PowerShell.

For whatever reason, I assumed the default gateway for our Azure Virtual Networks would be the VPN tunnel to our premises. Not sure why I made that assumption!

At any rate, it seems the VN gets a route to our premises network through the tunnel, but has no way to know about any other networks I’d like it to reach. Quick research tells me to either do a VN-to-VN tunnel, or use a virtual appliance with routes added. Both need PowerShell kung fu, so I’ll have to back-burner this for now. I have to stop letting myself be lulled into a false sense that Microsoft is supposed to make things easier to accomplish.
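The routing gap the last post describes (the VNet only knows about the on-prem prefix behind its tunnel, not about the other VNet) can be closed from PowerShell. The script below is an added example, not code from this thread or from SonicWall or Microsoft, and it uses the current Azure Resource Manager model with the Az PowerShell module rather than the classic portal the thread was written against. Every resource group, VNet, subnet, gateway and NIC name and every address prefix in it is an assumption chosen for illustration; the on-prem network is assumed to be 192.168.0.0/16 behind the SonicWall, VNet1 10.1.0.0/16 and VNet2 10.2.0.0/16. The hub-and-spoke path it sets up is the one the thread is trying to use: VNet1 sends VNet2's prefix down its tunnel to the SonicWall, which forwards it out the second tunnel.

```powershell
# Added example (not from this thread). Assumed names and prefixes:
#   rg-example                 resource group holding both VNets and gateways
#   vnet1 / vnet2              the two Azure virtual networks
#   10.1.0.0/16 / 10.2.0.0/16  their non-overlapping address spaces
#   lng-onprem-vnet1           VNet1's local network gateway (the SonicWall side)
#   192.168.0.0/16             on-prem LAN behind the SonicWall
#   default (10.1.0.0/24)      a subnet in vnet1
#   vm1-nic                    a NIC in that subnet, used to read effective routes

# 1. Tell VNet1's VPN gateway that VNet2's prefix also lives behind the
#    on-prem tunnel. Azure then installs a system route for 10.2.0.0/16 with
#    next hop VirtualNetworkGateway, so packets are encapsulated and sent to
#    the SonicWall instead of being dropped before they ever reach it (which
#    is what the packet monitor in the thread showed). The mirror change,
#    adding 10.1.0.0/16 to VNet2's local network gateway, is not repeated here.
$lng = Get-AzLocalNetworkGateway -Name 'lng-onprem-vnet1' -ResourceGroupName 'rg-example'
$prefixes = @($lng.LocalNetworkAddressSpace.AddressPrefixes)   # e.g. 192.168.0.0/16
if ($prefixes -notcontains '10.2.0.0/16') { $prefixes += '10.2.0.0/16' }
Set-AzLocalNetworkGateway -LocalNetworkGateway $lng -AddressPrefix $prefixes | Out-Null

# 2. Explicit user-defined route. Only required when the subnet already has a
#    route table whose entries override the gateway's system routes, but it
#    makes the intended path visible in the portal.
$rt = New-AzRouteTable -Name 'rt-vnet1-to-vnet2' -ResourceGroupName 'rg-example' -Location 'eastus'
Add-AzRouteConfig -RouteTable $rt -Name 'to-vnet2-via-onprem' `
    -AddressPrefix '10.2.0.0/16' -NextHopType VirtualNetworkGateway |
    Set-AzRouteTable | Out-Null

$vnet = Get-AzVirtualNetwork -Name 'vnet1' -ResourceGroupName 'rg-example'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'default' `
    -AddressPrefix '10.1.0.0/24' -RouteTable $rt |
    Set-AzVirtualNetwork | Out-Null

# 3. Verify from the VM's point of view. The row for 10.2.0.0/16 must show
#    NextHopType VirtualNetworkGateway; 'None' means Azure is black-holing the
#    traffic and the SonicWall will never see a packet to log.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'vm1-nic' -ResourceGroupName 'rg-example' |
    Where-Object { $_.AddressPrefix -contains '10.2.0.0/16' } |
    Format-Table Name, AddressPrefix, NextHopType, NextHopIpAddress -AutoSize
```

Two things to line up on the firewall side before expecting a reply to the ping: the SonicWall VPN policy for tunnel 1 needs VNet2's address object in its destination networks (and tunnel 2 needs VNet1's), otherwise the return path is not encapsulated even though the VPN-to-VPN access rule allows it; and the effective-route check in step 3 is the quickest way to separate "Azure never forwarded it" from "the firewall dropped it", which is the distinction the thread spent a support call establishing.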