Thank you for reaching out.
Based on your question above, I understand that you are facing an issue while connecting to an on-prem subnet from a VM located in Azure, even though you have advertised the subnet in the LNG. The connectivity is working from other on-prem subnets, as you see the traffic in Azure Firewall and on-prem. You checked and found no issue with Azure Firewall.
Based on my understanding above, I think the issue might be related either to an NSG present in the network or to a routing issue. You can follow the troubleshooting steps below to help find the cause.
- You can use IP flow verify to test whether any NSG is blocking the connectivity.
- Check the effective routes on the VM and see if the most specific route is present; you can use Network Watcher next hop to test which route is selected in this scenario.
- As there is an Azure Firewall in the mix, it can also affect the routing; please check if the correct routes are present in the route table associated with your subnet.
- If the above does not help, you can use the following method to isolate the issue among the three components:
  - Use Azure Firewall structured diagnostic logs to determine if the traffic was allowed by the firewall.
  - Perform a packet capture on your VPN Gateway to determine if the traffic was sent across by the VPN Gateway.
  - If you do not observe the return traffic in the packet capture above, then the issue might be with the on-prem set-up; check that no on-prem firewall is blocking this connectivity.
Please let me know if you have any additional questions. Thanks!
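The checks listed in the answer above, strung together as one Azure CLI script in the order the answer gives them (NSG, routing, firewall logs, gateway capture). This is an added example and is not part of the original answer or of any Microsoft tooling; the resource group, VM, NIC, gateway and workspace names, and the VM, on-prem host, subnet and port values are constructed placeholders to replace with your own.

```shell
#!/usr/bin/env sh
# Added example (not from the original answer): Azure CLI walk-through of the
# NSG -> routing -> firewall -> VPN gateway isolation steps.
# All names and addresses below are constructed placeholders (assumptions).
set -eu

RG="${RG:-rg-hub-example}"                 # assumption: resource group of the VM
VM="${VM:-vm-app01}"                       # assumption: Azure VM name
NIC="${NIC:-vm-app01-nic}"                 # assumption: the VM's primary NIC
GW="${GW:-vpngw-hub}"                      # assumption: VPN gateway name
WORKSPACE="${WORKSPACE:-00000000-0000-0000-0000-000000000000}"  # assumption: Log Analytics workspace id
VM_IP="${VM_IP:-10.10.1.4}"                # constructed: VM private IP
VM_SUBNET="${VM_SUBNET:-10.10.1.0/24}"     # constructed: VM subnet
ONPREM_IP="${ONPREM_IP:-192.168.50.10}"    # constructed: host in the unreachable on-prem subnet
ONPREM_SUBNET="${ONPREM_SUBNET:-192.168.50.0/24}"  # constructed: the advertised LNG prefix
PORT="${PORT:-443}"                        # constructed: destination port being tested

# run: print each command, then execute it unless DRY_RUN=1.
# DRY_RUN lets you review the exact commands on a machine without the az CLI.
run() {
  printf '+ %s\n' "$*"
  [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# Step 1: NSG check. IP flow verify evaluates every NSG applied to the NIC and
# subnet for this 5-tuple and reports the rule that allowed or denied it.
check_nsg() {
  run az network watcher test-ip-flow --resource-group "$RG" --vm "$VM" --nic "$NIC" \
    --direction Outbound --protocol TCP \
    --local "${VM_IP}:50000" --remote "${ONPREM_IP}:${PORT}" --output table
}

# Step 2: routing. The effective route table shows UDRs plus the LNG prefixes
# learned through the gateway; next hop resolves which route wins for this destination
# (expected: VirtualNetworkGateway, or VirtualAppliance if traffic is forced via the firewall).
check_routes() {
  run az network nic show-effective-route-table --resource-group "$RG" --name "$NIC" --output table
  run az network watcher show-next-hop --resource-group "$RG" --vm "$VM" --nic "$NIC" \
    --source-ip "$VM_IP" --dest-ip "$ONPREM_IP" --output table
}

# Step 3: firewall. KQL against the structured network-rule log table (AZFWNetworkRule),
# restricted to the one flow under test, so an Allow/Deny row answers the question.
firewall_query() {
  printf 'AZFWNetworkRule | where TimeGenerated > ago(1h) | where SourceIp == "%s" and DestinationIp == "%s" | project TimeGenerated, Protocol, SourceIp, DestinationIp, DestinationPort, Action, Rule' \
    "$VM_IP" "$ONPREM_IP"
}
check_firewall() {
  run az monitor log-analytics query --workspace "$WORKSPACE" \
    --analytics-query "$(firewall_query)" --output table
}

# Step 4: gateway packet capture, filtered to the two subnets in both directions so the
# file shows whether the request left the gateway and whether a reply came back.
capture_filter() {
  printf '{"TracingFlags":11,"MaxPacketBufferSize":120,"MaxFileSize":200,"Filters":[{"SourceSubnets":["%s"],"DestinationSubnets":["%s"],"CaptureSingleDirectionTrafficOnly":false}]}' \
    "$VM_SUBNET" "$ONPREM_SUBNET"
}
check_gateway() {
  run az network vnet-gateway packet-capture start --resource-group "$RG" --name "$GW" \
    --filter "$(capture_filter)"
  # The gateway captures for a limited time: reproduce the failure from the VM right away,
  # then stop the capture and upload it to a blob SAS URL you supply (placeholder below).
  run az network vnet-gateway packet-capture stop --resource-group "$RG" --name "$GW" \
    --sas-url "${SAS_URL:-<blob-sas-url>}"
}

main() {
  check_nsg
  check_routes
  check_firewall
  check_gateway
}

# Only run the checks when invoked as:  ./vpn_troubleshoot.sh run
[ "${1:-}" = "run" ] && main
```

Run it as `DRY_RUN=1 sh vpn_troubleshoot.sh run` first to review the exact commands, then without `DRY_RUN` once logged in with `az login`. If step 4 shows the request leaving the gateway with no reply in the capture, the answer's final point applies: the remaining suspect is the on-prem side, not Azure.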