Azure Site to Site VPN Blocking Some Traffic

I ran across an interesting problem a couple of weeks ago when working with a client. The client has several subsidiaries, each with their own vNet, and had a site to site VPN between the Azure vNets. All traffic was successfully crossing the Azure Site to Site VPN as expected. The sticking point was a software licensing server running in one of the subsidiaries' Azure infrastructure. The software licensing software simply wasn't working.

We fired up Wireshark on the Azure VM which was running the software as well as on the Azure VM which was running the licensing software. In Wireshark on the VM running the software, we could see the software trying to talk to the licensing software. On the licensing server, we could see the connection request come in, and we could see the response from the licensing software going back to the client. But when we looked on the VM running the software, we couldn't see the packet coming back from the licensing server. So the network traffic was simply getting blocked somewhere. We didn't have any network security groups set up, and we didn't have any software firewalls in place, so nothing should have been blocking traffic.

We looked at the response that was coming from the licensing server, and it had the DoNotFragment bit set on the response network packet. Now the really weird thing is that the packet was only 1430ish bytes in size. So it would have fit within the 1500 byte packet, so there was zero chance of the packet being fragmented. But the bit was being set within the vendor's software, so we didn't have any way to remove that flag.
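The post does not say why the DF-marked reply disappeared, but one check worth running over the Wireshark capture is whether DF-marked packets still fit the link once a tunnel adds its own encapsulation headers. The script below is an added example, not code from the post or from Azure: it parses raw IPv4 headers, pulls out the DF bit and total length, and classifies each packet. The 100-byte tunnel overhead, the 1500-byte link MTU and the sample packets are constructed assumptions; feed it the packet bytes exported from your capture.

```python
import struct

# Assumed figures (not from the post): an IPsec site-to-site tunnel wraps every
# packet in extra headers; ~100 bytes is a planning estimate, the exact value
# depends on the gateway's cipher and tunnel mode.
TUNNEL_OVERHEAD = 100
LINK_MTU = 1500

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields that matter for DF/MTU triage."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "proto": proto,
        "total_len": total_len,
        "df": bool(flags_frag & 0x4000),  # bit 14: Don't Fragment
        "mf": bool(flags_frag & 0x2000),  # bit 13: More Fragments
    }

def tunnel_verdict(hdr: dict, mtu: int = LINK_MTU, overhead: int = TUNNEL_OVERHEAD) -> str:
    """'pass' fits the tunnel; 'fragment' is oversized but may be split;
    'drop' is oversized with DF set, so the tunnel cannot forward it."""
    if hdr["total_len"] + overhead <= mtu:
        return "pass"
    return "drop" if hdr["df"] else "fragment"

def build_ipv4(total_len: int, df: bool, proto: int = 6) -> bytes:
    """Constructed sample packet: 20-byte header plus a zeroed payload."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64,
                      proto, 0, bytes([10, 0, 1, 4]), bytes([10, 0, 2, 5]))
    return hdr + b"\x00" * (total_len - 20)

def triage(packets) -> list:
    """Return (src, dst, total_len, df, verdict) for each raw IPv4 packet."""
    rows = []
    for pkt in packets:
        h = parse_ipv4(pkt)
        rows.append((h["src"], h["dst"], h["total_len"], h["df"], tunnel_verdict(h)))
    return rows

if __name__ == "__main__":
    # Constructed samples: the ~1430-byte DF reply from the post, a small DF
    # packet, and the same large packet with DF cleared.
    for row in triage([build_ipv4(1430, True), build_ipv4(1200, True), build_ipv4(1430, False)]):
        print(row)
```

A packet that lands in the "drop" bucket is exactly the one you would expect to see leave the licensing server and never arrive at the client.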

We were able to fix it by changing from a Site to Site VPN to a peered network connection between the two vNets. Changing the network connection to a peer allowed the software licensing process to work as expected and solved the problem.

So if you have software which requires the DoNotFragment bit in your connection, then an Azure Site to Site VPN isn't going to work for you. If you are doing everything in Azure, a peer can work where a Site to Site VPN doesn't.

Denny
