Azure - PCS SSL VPN setup - VPN Client has no communication with VMs on the same private subnet

ipvpn
New Contributor


Hi, I'm not sure what's going on, but I suspect it may have something to do with Azure's way of processing ARP, which is causing me problems. I am trying to get a dial-in SSL VPN client (Pulse Secure VPN client) communicating into Azure.


Problem:
No communication between the VPN client network and VMs in Azure within the same subnet.


About the environment:

- Azure
- VM is in subnet1
- PCS internal is in subnet1
- PCS external has a static public IP and is in subnet2
- PCS VPN policy allows all traffic in subnet1, and split tunneling is enabled
- PCS VPN subnet for clients is in the same subnet as subnet1 (tried using a different subnet range, no difference)
- I can access the PCS from the VM and configure it via SSH/HTTPS


I'm confident I've configured the policies for this to work.

Can:

  1. Ping from the PCS server on subnet1 to the VM's private IP address and vice versa.
  2. Ping the PCS server from the VPN client's NIC and vice versa (note: every first ICMP request is dropped; a second one is sent and gets a response).

Cannot:

  1. Get a correct ARP response on the VPN client's NIC. The ARP request is presumably delivered by Azure, and it does not give the correct MAC address for the desired host.
  2. Because of 1., no ICMP traffic reaches the destined VM, and no Remote Desktop connection is possible.


The goal: get RDP access to the VM in Azure using the Pulse VPN client.

Any advice or suggestions would be appreciated.
r@yElr3y
Moderator

Re: Azure - PCS SSL VPN setup - VPN Client has no communication with VMs on the same private subnet

@ipvpn I believe what you're referring to is expected to happen in the cloud, as the underlying network infra doesn't support proxy ARP. That means even if you assign VPN client IPs from the same subnet as your VPN's internal port, traffic will not be routed back to those clients, as they're not launched as instances, i.e., not sourced by any real instance.

That is exactly why you can reach your VMs from the PCS internal port and vice versa: they're real instances. Hence, to make this setup work, you have to enable the Source NAT feature on the PCS (System >> Network >> VPN tunneling >> Source NAT), which makes the VPN server NAT all outgoing traffic with its own internal port IP address, and you'll receive a response back.

It's OK to use the Source NAT option for a while, especially when you have few to moderate users. However, it is recommended to have a NAT gateway deployed in subnet1, which would take care of the source NAT part, thereby improving performance. This approach would also require disabling the source IP check for the cloud instance (not sure if Azure has such a thing, but AWS does), so that the VPN server can send traffic from different source IP addresses without getting dropped by the VPC.

PCS Expert
Pulse Connect Secure Certified Expert
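As an added illustration of the reply above (example code, not from the thread, Pulse Secure or Microsoft): a small Python helper that checks where a proposed VPN client pool sits relative to the VNet and emits the plan that makes return traffic reach the appliance. It assumes the point the reply makes (the fabric will not proxy-ARP for addresses no NIC owns) plus two Azure facts the thread leaves open: Azure's counterpart of the AWS source/destination check is the IP-forwarding flag on the NIC, and a user-defined route (UDR) with next hop type VirtualAppliance is how a subnet is told to send a foreign prefix to the PCS internal IP. The resource names, addresses and `az` command lines are constructed for the example.

```python
"""Plan how VPN client traffic gets back to a PCS appliance in an Azure VNet.

Added example, not Pulse Secure or Microsoft code.  Assumptions (see lead-in):
  * Azure answers ARP from the fabric; an address that no NIC owns is dropped.
  * Azure's equivalent of the AWS source/dest check is NIC IP forwarding.
  * A UDR with next hop VirtualAppliance steers a prefix to the PCS internal IP.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class VNet:
    """The parts of an Azure VNet that matter for this check (constructed model)."""
    resource_group: str
    name: str
    address_space: tuple[IPv4Network, ...]
    subnets: dict[str, IPv4Network]


def azure_reserved(subnet: IPv4Network) -> set[IPv4Address]:
    """Azure keeps the first four addresses of a subnet (network, gateway,
    two for DNS) and the last one (broadcast); a NIC can never own them."""
    base = int(subnet.network_address)
    return {IPv4Address(base + i) for i in range(4)} | {subnet.broadcast_address}


def plan_client_pool(vnet: VNet, pcs_subnet: str, pcs_nic: str,
                     pcs_internal_ip: IPv4Address, client_pool: IPv4Network,
                     snat_enabled: bool,
                     reach_from: tuple[str, ...] = ()) -> tuple[str, list[str]]:
    """Return (verdict, actions) for a proposed VPN client pool.

    verdict: "ok-snat"  - appliance hides clients behind its own NIC address
             "ok-udr"   - pool is routable once the listed az commands run
             "broken"   - the fabric will never deliver replies to the pool as-is
    reach_from: subnets whose VMs must reach clients (default: the PCS subnet).
    """
    pcs_net = vnet.subnets[pcs_subnet]
    if pcs_internal_ip not in pcs_net:
        return "broken", [f"PCS internal IP {pcs_internal_ip} is not inside {pcs_subnet} ({pcs_net})"]
    if pcs_internal_ip in azure_reserved(pcs_net):
        return "broken", [f"{pcs_internal_ip} is an Azure-reserved address in {pcs_net}"]

    if snat_enabled:
        # Replies are addressed to the appliance's own NIC, which the fabric knows.
        return "ok-snat", [f"VM replies target {pcs_internal_ip}; no VNet route changes needed"]

    overlapping = [n for n, net in vnet.subnets.items() if net.overlaps(client_pool)]
    if overlapping:
        # The thread's situation: a pool carved out of subnet1.
        return "broken", [
            f"pool {client_pool} overlaps subnet(s) {overlapping}: the fabric answers "
            "ARP for those addresses but no NIC owns them, so replies are dropped; "
            "enable Source NAT on the appliance or move the pool outside the VNet"
        ]
    if any(space.overlaps(client_pool) for space in vnet.address_space):
        return "broken", [
            f"pool {client_pool} is inside the VNet address space "
            f"{[str(s) for s in vnet.address_space]} but in no subnet; this helper "
            "only plans pools outside the address space, so pick another range"
        ]

    rg, rt = vnet.resource_group, "rt-vpn-clients"   # hypothetical route-table name
    cmds = [
        # Azure's counterpart of disabling the AWS source/dest check.
        f"az network nic update -g {rg} -n {pcs_nic} --ip-forwarding true",
        f"az network route-table create -g {rg} -n {rt}",
        f"az network route-table route create -g {rg} --route-table-name {rt} "
        f"-n vpn-clients --address-prefix {client_pool} "
        f"--next-hop-type VirtualAppliance --next-hop-ip-address {pcs_internal_ip}",
    ]
    # Every subnet whose VMs must reach VPN clients needs the route table attached.
    for name in reach_from or (pcs_subnet,):
        cmds.append(f"az network vnet subnet update -g {rg} --vnet-name {vnet.name} "
                    f"-n {name} --route-table {rt}")
    cmds.append(f"check that NSGs on those subnets allow traffic from {client_pool}")
    return "ok-udr", cmds


if __name__ == "__main__":
    # Constructed lab that mirrors the thread: VM and PCS internal in subnet1.
    lab = VNet("rg-lab", "vnet-lab", (ip_network("10.0.0.0/16"),),
               {"subnet1": ip_network("10.0.1.0/24"), "subnet2": ip_network("10.0.2.0/24")})
    pcs_ip = ip_address("10.0.1.10")
    for pool, snat in [("10.0.1.128/25", False), ("10.0.1.128/25", True),
                       ("10.200.200.0/24", False)]:
        verdict, actions = plan_client_pool(lab, "subnet1", "pcs-int-nic",
                                            pcs_ip, ip_network(pool), snat)
        print(f"{pool} snat={snat}: {verdict}", *actions, sep="\n  ")
```

The first run reproduces the thread's symptom (pool inside subnet1, no SNAT): the helper refuses it rather than emitting routes, because no route table can make the fabric hand those addresses to the appliance. The third run is the no-SNAT alternative the reply hints at for Azure: a pool outside the VNet, IP forwarding on the internal NIC, and a UDR on subnet1 pointing the pool at the PCS internal IP.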
ipvpn
New Contributor

Re: Azure - PCS SSL VPN setup - VPN Client has no communication with VMs on the same private subnet

Thank you for the advice and rundown on cloud network infra.


I suspect there is an underlying issue. I had used a VHDX appliance image with a very basic base config that only had an internal IP address and admin password; then it was shifted into Azure. This was because we have existing infra in the Azure tenant, and the Azure PCS appliance doesn't have the ability to integrate into an existing VNet; it must create its own. We didn't want the additional networking/administration overhead of another resource group, VNet, etc.

The problem is that there is no option System >> Network >> VPN tunneling >> Source NAT. There is only the IP address filter and VPN Tunnel Server IP address. I presume the option is currently hidden? Reviewing the URL (and only upon clicking VPN tunneling again), it mentions SNAT:

https://172.16.xx.xx/dana-admin/network/nc_ip_filter.cgi?snat_on_cloud=0&cmbClusterSelector=localhost2&snatdisplay=0&base_ip=10.200.200.200&name=

Changing snat_on_cloud=0, snatdisplay=0 to snat_on_cloud=1, snatdisplay=1 does not make a difference.


I have looked into the administrator guide for PCS, and it doesn't mention Source NAT anywhere; I do notice it is mentioned in the Azure guide. Can we enable the option to choose SNAT?

I'm running 9.1R13 (build 15339)