Openvpn unable to ping on-premises servers (port unreachable)

dave231
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 06, 2022 3:48 pm

Openvpn unable to ping on-premises servers (port unreachable)

Post by dave231 » Tue Dec 06, 2022 3:51 pm

Hi, I have configured an OpenVPN server (Debian) and other servers in an Azure network 172.20.0.0/24, which is connected to the on-premises network (10.1.0.0/24) via a site-to-site IPsec VPN tunnel. The connection was established between the Virtual Network Gateway on Azure and the local Palo Alto. Network connection from Azure to the local network works fine:
(172.20.0.0 <------> 10.1.0.0/24).
On the OpenVPN server a point-to-site VPN has been configured for clients with address space 172.32.128.0/17. Communication from client to Azure works well:
(172.32.128.0 <-----> 172.20.0.0/24)
but I have a problem when I attempt to ping the on-premises network (10.1.0.0/24).
No connection between (172.32.128.0 <------/------> 10.1.0.0/24)

Pinging 10.1.0.8 (DNS on the local site) from 172.32.128.14 (client connected to OpenVPN)
I receive (request timeout):
Packets captured on the Virtual Network Gateway in Azure:
172.20.0.5 10.1.0.8 ICMP 130 Destination unreachable (Port unreachable)
(Here, rather than the 172.32.128.14 address, we can see 172.20.0.5, the OpenVPN Azure interface, despite masquerade being disabled and routing and packet forwarding being enabled.)
Tcpdump on the OpenVPN server:
IP 172.32.128.14 > 10.1.0.8: ICMP echo request, id 1, seq 970, length 40
The OpenVPN server's tcpdump shows requests from 172.32.128.14 to 10.1.0.8 but no reply.
What's more, on the Palo Alto (local network) I can see requests from 172.32.128.14 and replies from 10.1.0.8, but the packets do not reach the network 172.32.128.0/17; it looks like the packets are lost before entering the Azure network.
Route table (OpenVPN server):
default via 172.28.1.1 dev eth0
10.1.0.0/24 via 172.28.1.1 dev eth0
172.20.0.0/24 dev eth0 proto kernel scope link src 172.20.0.5
172.32.128.0/17 via 172.32.128.2 dev tun0
172.32.128.2 dev tun0 proto kernel scope link src 172.32.128.1
(172.20.0.5 is the OpenVPN server's interface on Azure.)
Azure route table:
Name         Network           Next Hop Type
ToAure       172.31.128.0/17   172.20.0.5
ToLocalNet   10.1.0.0/24       VirtualNetworkGateway
Any thoughts as to why I'm not getting to local net from client net? Thanks very much for your help!

ordex
OpenVPN Inc.
Posts: 437
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Openvpn unable to ping on-premises servers (port unreachable)

Post by ordex » Tue Dec 06, 2022 9:14 pm

Do hosts in the on-premises network (10.1.0.0/24) have a route to 172.32.128.0/17? (It may also be the default route *if* the gateway is the entry point to Azure.)

dave231
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 06, 2022 3:48 pm

Re: Openvpn unable to ping on-premises servers (port unreachable)

Post by dave231 » Wed Dec 07, 2022 7:46 am

Yes, the Palo Alto has routes to the Azure network and to the OpenVPN client network (172.32.128.0/17). The Palo Alto transmits packets to the tunnel interface on Azure (Virtual Network Gateway), then the packets arrive in network 127.20.0.0/24 but cannot return to 172.32.128.0/17. (The route to 172.32.128.0/17 is through the Azure network.)

ordex
OpenVPN Inc.
Posts: 437
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Openvpn unable to ping on-premises servers (port unreachable)

Post by ordex » Wed Dec 07, 2022 10:54 am

Sorry, it's a bit difficult to follow because the network topology is not 100% clear to me.
However, if you see packets arriving in Azure, maybe you can also figure out where they can be seen last before disappearing?
Do they enter the OpenVPN interface? (You can check that by dumping the traffic.)
Or do they not even get there?

dave231
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 06, 2022 3:48 pm

Re: Openvpn unable to ping on-premises servers (port unreachable)

Post by dave231 » Wed Dec 07, 2022 11:16 am

It seems that the VPN client addresses (172.32.128.0/17) are replaced with the IP address of the server's OpenVPN interface (172.20.0.5, the OpenVPN interface on Azure), despite masquerade being disabled and routing and packet forwarding being enabled.
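A route-lookup check that makes ordex's question mechanical (does every hop on the reply path hold a route covering 172.32.128.0/17?), added here as example code and not anything posted in the thread. It re-types the OpenVPN server route table and the Azure route table from the first post as constructed input; the Palo Alto entry is an assumption based on dave231's description, and the hop names are invented labels.

```python
import ipaddress

# Route tables as posted in the thread, re-typed as constructed input:
# (prefix, next hop). "on-link" marks a directly connected network.
OPENVPN_SERVER_ROUTES = [
    ("0.0.0.0/0", "172.28.1.1 dev eth0"),
    ("10.1.0.0/24", "172.28.1.1 dev eth0"),
    ("172.20.0.0/24", "on-link eth0"),
    ("172.32.128.0/17", "172.32.128.2 dev tun0"),
    ("172.32.128.2/32", "on-link tun0"),
]
AZURE_UDR = [  # Azure user-defined routes exactly as posted
    ("172.31.128.0/17", "172.20.0.5"),            # "ToAure"
    ("10.1.0.0/24", "VirtualNetworkGateway"),     # "ToLocalNet"
]


def lookup(routes, dst):
    """Longest-prefix match of dst against routes.

    Returns (prefix, next_hop) for the most specific matching route, or
    None when no entry covers dst. On an Azure subnet a None here means the
    UDR is silent and the platform's system routes decide the next hop."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return (str(best[0]), best[1]) if best else None


def first_gap(path, dst):
    """Walk a list of (hop_name, routes) in forwarding order and return the
    name of the first hop with no route for dst, or None if all can forward."""
    for name, routes in path:
        if lookup(routes, dst) is None:
            return name
    return None


if __name__ == "__main__":
    client, dns = "172.32.128.14", "10.1.0.8"
    print("request, on OpenVPN server:", lookup(OPENVPN_SERVER_ROUTES, dns))
    # Reply path. The Palo Alto entry is assumed from dave231's description.
    paloalto = [("172.32.128.0/17", "ipsec tunnel to Azure VNG")]
    reply_path = [("paloalto", paloalto), ("azure-udr", AZURE_UDR),
                  ("openvpn-server", OPENVPN_SERVER_ROUTES)]
    print("first hop with no route for the reply:", first_gap(reply_path, client))
```

Running it shows that the Azure route table as posted has no entry covering 172.32.128.14 (its "ToAure" prefix is 172.31.128.0/17), so for the reply the Azure system routes, not the route to 172.20.0.5, decide where the packet goes.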
