Azure SMA 500v - tunnel mode (NAT vs Route)
Hi,
I have an SMA 500v in azure and I cannot get "route" mode working for users.
As soon as I set this to route mode the users can only get to the SMA X0 IP and nothing else.
I have a very simple setup for testing and the policies/routing for the groups do not change between setting this to either nat or route mode so it is not that.
To keep it simple I put the clients in the same subnet as the X0 on the SMA
I have an NSv in between the SMA subnet and the NSv subnet, with servers behind the NSv
Traffic flow is: SMA X0 subnet -> X1 subnet NSv X0 subnet -> Servers
Routing is fine as everything works when I change to NAT mode and the remote clients on the SMA are nat'd to the SMA X0 IP.
Azure route table objects are added to correct interfaces to move traffic between azure subnets through the NSv, as noted the SMA X0 IP can get to everywhere (even a remote subnet on a VPN over a site to site on the NSv), all NSGs allow all traffic between vnet to vnet. When the users are nat'd to the SMA X0 IP it all works fine, when the users are given an ip in the same subnet as the SMA X0 IP and route mode is on, they can only get to the SMA X0 IP and I cannot see the traffic hit the NSv X1 IP.
It looks like the SMA isn't routing the client traffic out when in Route mode, as I dont see it on the NSV packet captures.
SMA on latest Firmware Version10.2.0.3-24sv
Cheers
Comments
Did you sort this?
I have a SMA in azure running in NAT Mode and while it is working fine. We have a legacy line of business app that needs to route to clients connected to the VPN.
When I turn onto route mode. I can only ping the SMA IP. I’ve done some tracerts.
From NetExtender connected workstation. A tracert to anywhere times out but the first hop is 192.0.2.1.
From anywhere else on the network to a net extender connected client the last hop is the SMA IP Address.
From what I can see, something is happening with the outbound routes from the SMA.
All the routes on the SMA are correct as I can reach the IP on the SMA from everywhere in the network. But not anything connected to net extender.
I know that the routes are ok in azure as the tracert gets to the correct locations.
Thanks
Great another person with my issue :) .... we might be able to get this sorted so!
No I havent found the solution, as NAT mode does what I need I am not under too much pressure to get it sorted.
Sounds like you have the exact same issue. I have an NSv between the SMA vNet and the Azure servers vNet, I dont see the traffic hit the NSv interface when in route mode. Like you said, the traffic from the netextender subnet (which is in the same as the SMA X0) doesnt seem to get past the SMA X0 interface.
I have route tables associated with the SMA X0 vNet to send the traffic via the NSv, this routing is working as the SMA is routing through the NSv as per the Azure route table, so it looks like the Azure side is fine and its just the SMA not sending the Netextender traffic.
@Chris Would SonicWALL be able to lab this to confirm if it works or not. I can post a topology diagram to follow if needed.
Traffic flow is: Netextender (route mode) SMA X0 subnet -> X1 NSv X0 -> Servers
192.168.1.0/24 (SMA 192.168.1.4) (azure route table) -> 10.1.1.4 NSv 172.16.1.4 -> 172 16.1.0/24 (DG is X0)
All works in NAT mode, Netextender can get to servers, in route mode I do not see the netextender clients hit the NSv X1 interface but the SMA can ping all the servers.
@RedNet
Of course! Could you start by opening a support case so that our we can troubleshoot and I can follow up with them?
Hi @Paul_Clutton , I have just been deploying another 500v in Azure and had a chance to play around with this and have got it working if you havent figured it out already?
There is one drawback in something being quite a manual task to be done. I am looking still for options on how to make this part easier.
Let me know how you got on and I can let you know my steps if you are still trying.
Just to note the issue was not necessarily with the SMA and is more around the way the Azure Network stack operates, though the SMA could make this easier if it automated a few Azure tasks which need to be done.
Good afternoon, I have been wrestling with this same issue for awhile now. I wonder if you could share how you where able to configure this or point me in the correct direction. Any help would greatly be appreciated.
Thank you in advance
John
I am not sure what your topology is, but all you need are route tables associated with the correct subnets (both the VM subnets and the SMA), Then the missing piece is enabling "IP Forwarding" on the SMA NIC in the azure portal.
I found that if you have the netextender pool of IP's in the same subnet as the SMA NIC then you need to add each IP in the netextender pool as a secondary IP on the SMA NIC (and still do the above first part). - This is what I had done to get it working, but I have heard since that if the netextender pool is a different subnet then it will work without having to add the IP's as secondary's and you only need the routes and IP forwarding enabled, I havent had another deployment to try this on.