How to enable Ping (ICMP) on Azure

In a Windows Azure role, I cannot ping out:
D:\Users\foglight>ping www.google.com
Pinging www.l.google.com [209.85.143.104] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 209.85.143.104:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
I googled it and found someone suggesting I run the command below, but even after running it, I still cannot ping out:
netsh advfirewall firewall add rule name="ICMPv6" dir=in action=allow enable=yes protocol=icmpv6
Please, someone tell me the reason and how to work around it.

I don't believe you can do this. Traffic leaving the data center goes through the load balancer, and the load balancer only routes TCP-based traffic.

I know this question is very old, but I stumbled upon it while facing the same issue and there is an actual solution for it now in Azure.
When setting up your virtual machine you can assign it an "Instance IP address". Once that has been configured, you can enable ICMP in and out in the local firewall. You will then be able to ping out of your Azure VM and also use tools like traceroute.

I had a similar problem. I needed to assign a public IP to the Azure VM in order to enable ICMP. I used set-azurepublicip and update-azurevm and resolved the issue.

I also had problems doing traceroutes from my Azure VM and pinging it.
Just wanted to let you know that after you have a public IP assigned to the VM (which is in many cases the default), you also need to add ICMP rules to your network security groups (NSG) (if you have any, which you should).
If you have an NSG on the vnet and an NSG on the VM network interface, you should create 4 rules that allow ICMP (vnet-in, vnet-out, vm-in, vm-out).
Selecting "Any" as the protocol will not work.
The default rule for internet access does not seem to be sufficient.
You need to select ICMP. "Any" seems to be only UDP+TCP.
I set the source and destination port to "*" (not sure if it even has any effect if ICMP is selected).
After that and a little wait (~1-2 min), I could ping and trace in every direction :)
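
The four rules described in the answer above, written out as Azure CLI commands. This is an added example, not part of the original posts; the resource group, NSG names, priority and source range are constructed placeholders, and the inbound rules are limited to a known source range instead of any address.

```shell
#!/bin/sh
# Added example: the four ICMP allow rules (subnet NSG and NIC NSG, in and out).
RG="example-rg"                 # hypothetical resource group
SUBNET_NSG="example-vnet-nsg"   # hypothetical NSG on the vnet/subnet
NIC_NSG="example-vm-nsg"        # hypothetical NSG on the VM network interface
SRC="203.0.113.0/24"            # constructed source range allowed to ping in

# Print one rule-creation command. $1 = NSG, $2 = Inbound|Outbound, $3 = priority
icmp_rule_cmd() {
    if [ "$2" = "Inbound" ]; then src="$SRC"; else src="*"; fi
    printf '%s\n' "az network nsg rule create --resource-group $RG \
--nsg-name $1 --name allow-icmp-$2 --priority $3 --direction $2 \
--access Allow --protocol Icmp --source-address-prefixes '$src' \
--destination-address-prefixes '*' --source-port-ranges '*' \
--destination-port-ranges '*'"
}

# Inbound and outbound priorities are separate, so 200 can be used for both.
icmp_rule_plan() {
    for nsg in "$SUBNET_NSG" "$NIC_NSG"; do
        icmp_rule_cmd "$nsg" Inbound 200
        icmp_rule_cmd "$nsg" Outbound 200
    done
}

# Dry run by default: print the commands. APPLY=1 runs them through the az CLI.
apply_plan() {
    icmp_rule_plan | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$cmd" </dev/null
        else
            printf '%s\n' "$cmd"
        fi
    done
}

apply_plan
```
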

Related

How to identify the internet status of the computer using Blue Prism

So that we can identify the status and proceed accordingly. Otherwise we have to face unwanted errors.
SHORT ANSWER
By using the provided Utility - Network object's Ping action to run three ping tests for analysis.
CORRECT ANSWER
By using the provided Utility - Network object's Ping action to run three ping tests for analysis, BUT this wholly depends on the network setup of your resource PC.
Also, if you have any kind of firewall configured to block ICMP packets, the result will be that you cannot send ICMP echo request packets to external networks.
However, let's say you know your network architecture well enough to be certain the resource PC can directly send and receive packets. If that were the case, then Solution 1 will work.
IF your resource is well and rightly insulated within your organization's network BUT you are confident that your network exit points are always connected to the internet AND you know your domain network name or IP, Solution 2 will work.
Solution 1
ping google.com - To test that DNS is working on the resource
ping 8.8.8.8 - To test that resource's TCP/IP settings are correct
ping 127.0.0.1 - Loopback test to make sure there's nothing wrong with the resource's network adapter or connection settings
Depending on your requirements you can also directly ping the endpoint addresses your bot needs to communicate with. This would be especially useful if the bot is not using a browser-based application, but rather sending emails.
Solution 2
ping {yourdomainnetwork}.com - To test that DNS is working on the resource
ping {yourdomainnetwork IP} - To test that resource's TCP/IP settings are correct
ping 127.0.0.1 - Loopback test to make sure there's nothing wrong with the resource's network adapter or connection settings

Linking virtual machines as server and client

I have multiple virtual machines (VMware, Linux) and would like to make one the server, meaning all the clients that want to access the internet use the server's internet connection, so the server is able to view all the incoming and outgoing data packets.
Also, I would like to install another virtual machine to act as an IDS to track the server's packets; if anything is wrong, it should be able to flag it.
Thanks for your help in advance
You can set up one Linux server as the gateway for the others. All you need is to create two virtual Ethernet interfaces for it, one in bridged mode and the other in virtual network mode.
One will be bridged with your actual network and act as the WAN, and the other will act as a LAN gateway for the other VMs.
So the other VMs should use your server's virtual network IP address as their main gateway, and you can use tcpdump or Wireshark or anything you like to sniff the forwarded traffic.
One thing you need to configure on the server is the IP forwarding option in sysctl, which is disabled by default:
net.ipv4.ip_forward = 1
You may find more relevant information here too.
Hope it will help you.
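
The gateway setup from the answer above as a script, shown as an added example that is not part of the original answer. The interface names and LAN subnet are constructed, and the NAT (masquerade) and FORWARD rules are an assumption beyond the answer: they apply when the upstream network has no route back to the virtual LAN.

```shell
#!/bin/sh
# Added example: turn the two-interface VM into a forwarding gateway.
WAN_IF="eth0"               # hypothetical: the bridged adapter (WAN side)
LAN_IF="eth1"               # hypothetical: the virtual-network adapter (LAN side)
LAN_NET="192.168.56.0/24"   # constructed subnet used by the client VMs

# Print the commands. Forwarding is limited to LAN -> WAN plus reply traffic,
# so the gateway does not route arbitrary packets between its interfaces.
gateway_plan() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Succeeds when forwarding is on. $1 overrides the file that is read.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Dry run by default: print the plan. APPLY=1 (as root) executes it.
if [ "${APPLY:-0}" = "1" ]; then
    gateway_plan | sh -e
    forwarding_enabled || echo "ip_forward is still 0" >&2
else
    gateway_plan
fi
```

With the plan applied, running `tcpdump -ni eth1` on the gateway shows the clients' traffic before it is translated, which is the view an IDS needs.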

Opening a port to a VM on Azure

Firstly, apologies if similar questions have been answered before, but the Azure configuration seems to have changed since most of the posts I have seen so far.
I have an application which I have installed on an Azure VM [Windows server 2012].
It's actually wso2 API manager, if anybody has experience of that.
The application fires up Tomcat and listens for SSL traffic on port 9443. Why it's not 443 I'm not sure.
I've set up an Inbound Security rule on my Network Security Group, as follows:
Priority : 1010
Source: Any
Service: Custom
Protocol: Any
Port Range: 9443
Action : Allow
I still have no joy accessing this from a browser though, I get the slightly confusing "This site can't be reached / the connection was reset" error.
I'd welcome any pointers to get this working or to debug!
I recently experienced nearly the same issue that you did. What worked for me:
1) I added my inbound rule prior to any other inbound rule. I noticed your rule is 1010 which means it's being applied after the default RDP rule is. No, this shouldn't make a difference, but it may.
2) When you create your inbound rule, hit the "advanced" button, choose the CIDR option and route the traffic to the internal IP address of the VM.
3) For the destination port range I chose only the port I needed. In your case 9443.
The issue for me was the internal IP address. Once I set that everything started working for me.

Cannot ping outside but can browse

I can ping localhost and gateway, but I cannot ping outside in command line, e.g. google.com.
I can use the browser to browse everything, this works fine.
I tried to ssh to another server, but it fails as well.
Does anyone know what's wrong? Thanks in advance.
Maybe you have a firewall enabled for outgoing packets in your router, or sometimes your Internet Service Provider disables ICMP packets, a.k.a. ping packets. Some also disable some common ports such as SSH. All this is done with a firewall that your provider has set up. You can call your provider to open all those ports.

Two external IPs one WebServer/Website

I'm having the following dilemma: I have a website on IIS with two internal IPs, and each one of those IPs is NATed to a different external IP (each IP is from a different ISP). I also configured a Round Robin DNS service (two A hosts with the same name but with a different IP). Basically what this does is balance the traffic between the two ISPs, and that's what we want. The thing is that apparently this configuration (DNS Round Robin) is meant for when you have a cluster of servers, so each server has its own ISP on its own NIC, and the traffic from the webserver to the client goes over that ISP.
Right now we are being told that no matter where our inbound traffic comes from, the outbound traffic is always through our main WAN, which is also OK, because we have tested that when the primary WAN link is down, the website keeps working on the secondary link.
OK, the question is, do you think there may be a problem with this configuration? Is the DNS Round Robin also useful in this configuration?
Thanks a lot for your feedback.
Normally when you host a web service the responses are much bigger compared to the inbound traffic (normally you receive an HTTP GET/ and deliver the whole content back), so it would make much more sense to balance the outbound traffic over your ISPs to get value out of your additional bandwidth.
Does it make sense? Yes, you can lose one ISP and your site is still available (assuming you do health checks on your DNS server to determine if the sites are available before you send the IP address back; if you always deliver both IPs even when one ISP is down it won't help you at all).
It would be better to add an additional server, OR do policy-based routing on your single server, so sending the response out of the interface where it was received.
Hope that helps!
