May 22, 2024

Microsoft Tunnel is connected, but no traffic goes through

When creating a Microsoft Tunnel Server as a VM in Azure using the Deployment Guide (Download Microsoft Tunnel Deployment Guide v2 from Official Microsoft Download Center) my Android and iOS Devices are connecting correctly, but no traffic is flowing back through the tunnel. The Linux VM itself has local and Internet connectivity. All self checks work, even the internal network check, all checkmarks are green.

So there must be some routing magic missing between the containerized VPN server and the VM. I feel that the Azure networking does not know how to route the packets back into the container VPN network.

Has anybody ever built a working demo? I did it multiple times, always the same problem...

Waiting for your suggestions, Regards

 (Data sent, but no data received)
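The symptom above (clients connect, data goes out, nothing comes back, while the host itself has full connectivity) is the classic signature of a forwarding or return-path problem on the host that fronts a container-hosted VPN. The script below is an added diagnostic, not part of the original post and not from Microsoft's Tunnel deployment guide; it does not know how Tunnel's container is wired and instead checks the generic Linux prerequisites that any such setup needs: kernel forwarding enabled, and the VPN client pool either NATed behind the host address or explicitly routed. The pool 192.168.200.0/24, the interface name eth0 and all the sample command outputs are constructed placeholders. The caveat it encodes for the routed case is an Azure one: the VNet only delivers replies for a pool it knows nothing about if a route table points that prefix at the VM and IP forwarding is enabled on the VM's NIC, whereas NAT on the host sidesteps both.

```sh
#!/bin/sh
# Added diagnostic for the routing question in this thread; not from the
# original posts or from Microsoft's Tunnel deployment guide. Checks the
# generic Linux prerequisites for replies to reach a VPN running in a
# container on the host: kernel forwarding on, and the client address pool
# either NATed behind the host address or routed explicitly.
# The pool 192.168.200.0/24 and interface eth0 are hypothetical placeholders.

POOL="${POOL:-192.168.200.0/24}"

# forwarding_enabled <sysctl output>: succeeds when net.ipv4.ip_forward = 1
forwarding_enabled() {
    printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward *= *1$'
}

# pool_is_natted <iptables-save -t nat output> <pool>: succeeds when a
# POSTROUTING MASQUERADE or SNAT rule covers the pool, so replies are addressed
# to the host itself and the surrounding network never sees the pool
pool_is_natted() {
    printf '%s\n' "$1" | grep -E '^-A POSTROUTING ' | grep -F -- "-s $2 " \
        | grep -Eq -- '-j (MASQUERADE|SNAT)'
}

# pool_is_routed <ip route output> <pool>: succeeds when the host has a route
# whose destination is exactly the pool (e.g. via the container's tunnel device)
pool_is_routed() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# diagnose <sysctl output> <nat table> <routes> <pool>: prints one verdict line
# whose first word is "ok:", "warn:" or "fail:"; always returns 0
diagnose() {
    if ! forwarding_enabled "$1"; then
        echo "fail: net.ipv4.ip_forward is not 1; the host drops packets it would have to forward for $4"
    elif pool_is_natted "$2" "$4"; then
        echo "ok: forwarding is on and $4 is NATed behind the host address"
    elif pool_is_routed "$3" "$4"; then
        echo "warn: forwarding is on and $4 is routed without NAT; the VNet must route $4 back to this VM (Azure route table, IP forwarding enabled on the NIC)"
    else
        echo "fail: neither a NAT rule nor a route exists for $4; replies have no path back into the container network"
    fi
}

# Constructed sample outputs (not captured from a real Tunnel server)
SYSCTL_ON='net.ipv4.ip_forward = 1'
SYSCTL_OFF='net.ipv4.ip_forward = 0'
NAT_MASQ='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
COMMIT'
NAT_EMPTY='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
ROUTES_WITH_POOL='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
192.168.200.0/24 dev tun0 scope link'
ROUTES_PLAIN='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5'

if [ "${1:-}" = live ]; then
    # Inspect the real host (iptables-save needs root)
    diagnose "$(sysctl net.ipv4.ip_forward)" "$(iptables-save -t nat)" "$(ip route)" "$POOL"
else
    # Walk the constructed cases: NATed, routed-only, no path, forwarding off
    diagnose "$SYSCTL_ON"  "$NAT_MASQ"  "$ROUTES_PLAIN"     "$POOL"
    diagnose "$SYSCTL_ON"  "$NAT_EMPTY" "$ROUTES_WITH_POOL" "$POOL"
    diagnose "$SYSCTL_ON"  "$NAT_EMPTY" "$ROUTES_PLAIN"     "$POOL"
    diagnose "$SYSCTL_OFF" "$NAT_MASQ"  "$ROUTES_PLAIN"     "$POOL"
fi
```

Run it with no arguments to see the four constructed verdicts, or `sudo sh diag.sh live` (with `POOL=` set to the real client range) on the Tunnel host. A green health check proves nothing about this path: the health check is sourced from the host's own address, which Azure already knows how to return to, while client traffic is sourced from the pool.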

8 Replies

  • OK, I got it up and running, there's a new guide (v3) available now. Did a complete rework, changed the config to Red Hat 9.4 and dual NICs. Now it works - so we will never know why we had all the problems in the past.

  • Mrioux94
    Copper Contributor

    We're seeing this as well on rootless RHEL 9.4. Interestingly enough, we have 2 different datacenters, one with a working Tunnel and one experiencing this issue; both are identical. Interestingly enough, the broken server does work after a fresh install of the mst-cli binaries and the VPN container; however, as soon as the tunnel restarts, whether it be for patching or something else, it immediately breaks on next boot. Any help would be appreciated, Microsoft has essentially told us to go pound sand.

  • Twice I had issues with the Tunnel over several years and twice it was because the NSG rules were changed, by another team, blocking DNS.

    I installed Nmap on the server in order to carry out traffic-specific troubleshooting. It allows you to confirm that DNS and other traffic can route to its destination.
  • train-IT

    Can you let us know some more details? From Azure (Tunnel Gateway Server), what do you use to get the traffic from Azure to on-prem (site2site, ExpressRoute)? What Linux OS do you use?

    Did you check the logs from the Gateway to see if there are errors present? See here: microsoft-tunnel-monitor

    On the resource server, do you see any traffic coming in, for example in the logs?

    • train-IT
      MCT

      It's a totally simple setup for training. Just 2 VMs in Azure: one is the Tunnel Gateway, the other VM is a WS2022 Domain Controller with IIS installed for the Tunnel health check. Both VMs are in the same VNet/Subnet. The DC is the DNS server for the subnet and the DNS in the Tunnel policy. On Android devices even the split tunnel works, so addresses outside the range will not be routed through the Tunnel. Addresses inside the range run into the "dead end". So for example, when I try to navigate to http://10.0.0.4 in the mobile's browser, nothing happens, even though this address is the successfully logged health check address from the Tunnel's health check. In the logs on the DC's IIS I see the Tunnel VM reaching IIS because of its health check, but nothing coming from inside the Tunnel's containers. So some routing information must be missing here. Linux is Red Hat 8.4 Gen2.

      • pkecun
        Copper Contributor

        train-IT, did you find a resolution to this in the end?

        I've set this up on-prem and it "just worked" yesterday.

        Tried it again today and now experiencing the same as you - iOS VPN connects but no traffic over it. But the Linux server can ping and reach everything just fine, as can the container.

        My MS Tunnel Server is on Ubuntu 22.04 (but have also tried RHEL 9.4 and Ubuntu 20.04) and nothing seems to help.

        I wish there were a few more troubleshooting articles for this!
