JaySon_2021
Contributor

Logs failing to send from firewall to remote SMS logger

We have a firewall in Azure that is managed by an SMS at our local site. We have established a VPN with the Azure firewall and communicate directly over the Internet from the SMS to the cluster. We can push policy without issue. We are not receiving logs however. We have checked that the Azure firewalls can reach the SMS on port 257 - it works. In a tcpdump, we see resets after a few communication packets:

10.55.0.2 = azr_fw1_us (untrust interface, NAT'd at external load balancer)

76.44.19.25 = remote SMS external NAT IP

09:01:15.525805 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [S], seq 3881574704, win 32120, options [mss 1460,sackOK,TS val 2385779482 ecr 0,nop,wscale 10], length 0
09:01:15.593481 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [S.], seq 2878563092, ack 3881574705, win 31856, options [mss 1460,sackOK,TS val 369186672 ecr 2385779482,nop,wscale 10], length 0
09:01:15.593718 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [.], ack 1, win 32, options [nop,nop,TS val 2385779551 ecr 369186672], length 0
09:01:15.593867 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [P.], seq 1:5, ack 1, win 32, options [nop,nop,TS val 2385779551 ecr 369186672], length 4
09:01:15.642346 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [.], ack 5, win 32, options [nop,nop,TS val 369186739 ecr 2385779551], length 0
09:01:15.642448 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [P.], seq 1:5, ack 5, win 32, options [nop,nop,TS val 369186739 ecr 2385779551], length 4
09:01:15.642585 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [P.], seq 5:9, ack 1, win 32, options [nop,nop,TS val 2385779600 ecr 369186739], length 4
09:01:15.642587 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [.], ack 5, win 32, options [nop,nop,TS val 2385779600 ecr 369186739], length 0
09:01:15.741891 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [.], ack 9, win 32, options [nop,nop,TS val 369186839 ecr 2385779600], length 0
09:01:15.742125 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [P.], seq 9:60, ack 5, win 32, options [nop,nop,TS val 2385779699 ecr 369186839], length 51
09:01:15.791037 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [.], ack 60, win 32, options [nop,nop,TS val 369186888 ecr 2385779699], length 0
09:01:15.791039 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [P.], seq 5:51, ack 60, win 32, options [nop,nop,TS val 369186888 ecr 2385779699], length 46
09:01:15.791254 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [.], ack 51, win 32, options [nop,nop,TS val 2385779748 ecr 369186888], length 0
09:01:15.840235 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [P.], seq 51:64, ack 60, win 32, options [nop,nop,TS val 369186937 ecr 2385779748], length 13
09:01:15.840426 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [.], ack 64, win 32, options [nop,nop,TS val 2385779798 ecr 369186937], length 0
09:01:15.840889 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [P.], seq 60:69, ack 64, win 32, options [nop,nop,TS val 2385779798 ecr 369186937], length 9
09:01:15.841012 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [F.], seq 69, ack 64, win 32, options [nop,nop,TS val 2385779798 ecr 369186937], length 0
09:01:15.889008 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [P.], seq 64:68, ack 70, win 32, options [nop,nop,TS val 369186986 ecr 2385779798], length 4
09:01:15.889209 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [F.], seq 68, ack 70, win 32, options [nop,nop,TS val 369186986 ecr 2385779798], length 0
09:01:15.889313 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [R], seq 3881574774, win 0, length 0
09:01:15.889315 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [R], seq 3881574774, win 0, length 0
We ran a debug on the Azure firewall and see the following:

[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] log_add_e__logclient: s_nLogHandleRate is 2
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] log_add_e__logclient: There are not active remote servers. log may lost .record number = 377
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] .--> checkAndUpdateLostLogs
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] server FW_Mgr_SMS_1 has lost 4332 logs srv seq num = 3580034, override seq num = -1
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] checkAndUpdateLostLogs: skipping default because it is the local server
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] .<-- checkAndUpdateLostLogs
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] log_add_e__logclient: 76.44.19.25 - no log is sent now
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] log_add_e__logclient: Write locally ! log record number = 378
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] .--> changeWritingLogStatusToLocal
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] .<-- changeWritingLogStatusToLocal
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] .--> log_local_write
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] .<-- log_local_write
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] <-- log_add_e__logclient
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] --> log_add_e__logclient
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] log_add_e__logclient: s_nLogHandleRate is 3
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] log_add_e__logclient: There are not active remote servers. log may lost .record number = 379
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] .--> checkAndUpdateLostLogs
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] server FW_Mgr_SMS_1 has lost 4333 logs srv seq num = 3580034, override seq num = -1
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] checkAndUpdateLostLogs: skipping default because it is the local server
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] .<-- checkAndUpdateLostLogs
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] log_add_e__logclient: 76.44.19.25 - no log is sent now
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] log_add_e__logclient: Write locally ! log record number = 380
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] .--> changeWritingLogStatusToLocal
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] .<-- changeWritingLogStatusToLocal
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] .--> log_local_write
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] .<-- log_local_write
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] <-- log_add_e__logclient

Any help would be appreciated.

0 Kudos
0 Replies
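A small triage script for the two artifacts in the post, added here as an example and not part of the original thread or of any Check Point tooling. It parses the tcpdump lines to answer the question the capture raises (does the TCP session to port 257 complete, how much data flows each way, and which side closes or resets it), and it parses the fwd debug lines to count "has lost N logs" and "Write locally" events per log server. The sample inputs below are constructed from the lines quoted in the post, with TCP options elided; the verdict strings are this script's own heuristics, not vendor diagnostics.

```python
import re
from collections import Counter

# Constructed sample: the capture from the post with TCP options dropped
# (the parser only needs addresses, flags and payload length).
TCPDUMP_SAMPLE = """\
09:01:15.525805 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [S], seq 3881574704, win 32120, length 0
09:01:15.593481 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [S.], seq 2878563092, ack 3881574705, win 31856, length 0
09:01:15.593718 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [.], ack 1, win 32, length 0
09:01:15.593867 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [P.], seq 1:5, ack 1, win 32, length 4
09:01:15.642448 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [P.], seq 1:5, ack 5, win 32, length 4
09:01:15.642585 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [P.], seq 5:9, ack 1, win 32, length 4
09:01:15.742125 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [P.], seq 9:60, ack 5, win 32, length 51
09:01:15.791039 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [P.], seq 5:51, ack 60, win 32, length 46
09:01:15.840235 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [P.], seq 51:64, ack 60, win 32, length 13
09:01:15.840889 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [P.], seq 60:69, ack 64, win 32, length 9
09:01:15.841012 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [F.], seq 69, ack 64, win 32, length 0
09:01:15.889008 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [P.], seq 64:68, ack 70, win 32, length 4
09:01:15.889209 IP 76.44.19.25.257 > 10.55.0.2.54067: Flags [F.], seq 68, ack 70, win 32, length 0
09:01:15.889313 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [R], seq 3881574774, win 0, length 0
09:01:15.889315 IP 10.55.0.2.54067 > 76.44.19.25.257: Flags [R], seq 3881574774, win 0, length 0
"""

# Constructed sample: a few of the fwd debug lines from the post.
FWD_SAMPLE = """\
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] log_add_e__logclient: There are not active remote servers. log may lost .record number = 377
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] server FW_Mgr_SMS_1 has lost 4332 logs srv seq num = 3580034, override seq num = -1
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] log_add_e__logclient: 76.44.19.25 - no log is sent now
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:29] log_add_e__logclient: Write locally ! log record number = 378
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] log_add_e__logclient: There are not active remote servers. log may lost .record number = 379
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] server FW_Mgr_SMS_1 has lost 4333 logs srv seq num = 3580034, override seq num = -1
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] log_add_e__logclient: 76.44.19.25 - no log is sent now
[FWD 16812 3912214080]@azr_fw1_us[4 May 10:08:30] log_add_e__logclient: Write locally ! log record number = 380
"""

PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?length (?P<length>\d+)$"
)
LOST_RE = re.compile(r"server (?P<srv>\S+) has lost (?P<n>\d+) logs")
LOCAL_RE = re.compile(r"Write locally ! log record number = (?P<rec>\d+)")
NOSEND_RE = re.compile(r"log_add_e__logclient: (?P<ip>\d+\.\d+\.\d+\.\d+) - no log is sent now")


def parse_tcpdump(text):
    """Turn tcpdump text lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["length"] = int(d["length"])
            packets.append(d)
    return packets


def summarize_session(packets, client, server):
    """Classify one TCP session between client (log sender) and server (log receiver)."""
    syn = any(p["src"] == client and p["flags"] == "S" for p in packets)
    synack = any(p["src"] == server and p["flags"] == "S." for p in packets)
    ack = any(p["src"] == client and p["flags"] == "." for p in packets)
    bytes_by_src = Counter()
    for p in packets:
        bytes_by_src[p["src"]] += p["length"]
    first_fin = next((p["src"] for p in packets if "F" in p["flags"]), None)
    rst_by_src = Counter(p["src"] for p in packets if "R" in p["flags"])

    if not (syn and synack and ack):
        verdict = "no completed handshake: check reachability/NAT for the log port"
    elif bytes_by_src[client] and bytes_by_src[server] and first_fin == client:
        verdict = ("handshake and payload exchange completed; the sender closed the "
                   "session itself (FIN, then RST), so look above TCP (log-server "
                   "selection, SIC/identity, NAT'd addresses) rather than at port filtering")
    elif rst_by_src[server]:
        verdict = "receiver reset the session: check the listener on the log server"
    else:
        verdict = "inconclusive from this capture"
    return {"handshake_complete": syn and synack and ack, "bytes_by_src": bytes_by_src,
            "first_fin_from": first_fin, "rst_by_src": rst_by_src, "verdict": verdict}


def summarize_fwd_debug(text):
    """Extract lost-log counters and local-write fallbacks from fwd debug output."""
    out = {"lost_logs": {}, "local_writes": 0, "no_send_targets": Counter(), "no_active_server_events": 0}
    for line in text.splitlines():
        m = LOST_RE.search(line)
        if m:  # keep the highest count seen per server
            out["lost_logs"][m["srv"]] = max(out["lost_logs"].get(m["srv"], 0), int(m["n"]))
        if LOCAL_RE.search(line):
            out["local_writes"] += 1
        m = NOSEND_RE.search(line)
        if m:
            out["no_send_targets"][m["ip"]] += 1
        if "There are not active remote servers" in line:
            out["no_active_server_events"] += 1
    return out


if __name__ == "__main__":
    s = summarize_session(parse_tcpdump(TCPDUMP_SAMPLE), "10.55.0.2", "76.44.19.25")
    print(s["verdict"], dict(s["bytes_by_src"]), s["first_fin_from"], dict(s["rst_by_src"]))
    print(summarize_fwd_debug(FWD_SAMPLE))
```

On the post's capture the script reports a completed handshake, 68 bytes sent by the firewall and 67 by the SMS, the first FIN from the firewall and two RSTs from it, which is the signal that the transport path works and the failure sits in the log-client layer; the debug summary then shows the lost-log counter rising per record while every record is written locally.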
