I have deployed a number of Azure subscriptions now with site to site VPN connectivity back to on-premise networks. In one scenario with a client, they have reported that on a regular basis ICMP traffic for PING, is regularly coming from a source VM within Azure back to their on-premise DNS server. At the moment they block external ICMP traffic over their site to site VPN tunnel and therefore noticed that their Cisco ASA Firewall logs, were becoming flooded with with errors of blocked ICMP incoming traffic.
This is happening from each Azure VM they've deployed. I've ran a Wireshark trace on an example Azure VM whilst no one else has a console/RDP login session to that server and I can see that Wireshark has picked up regular ICMP PING requests, from the Azure VM as the source to the on-premise DNS server.
Tracing it down, I can't see any real evidence from the Windows event logs on the Azure VM, what source application/process could be triggering this. The one thing that I know is happening is that the WindowsAzureGuestAgent regularly receives heartbeat checks from the Azure host agent, but this wouldn't be the Azure VM as the source and certainly wouldn't be causing a PING request to go from the VM to the on-premise server.
The Azure VM in question in Windows Server 2012 R2 acting as a SharePoint Application Server. But I've compared this to another VM on a different Azure subscription which is hosting the same O/S but this time SQL Server instance and the same behavior happens, with regular PINGS back to the on-premise server infrastructure.
Again, interested to see if this is a common behavior of Hyper-V VMs and Windows Server 2012 R2 guests, I ran Wireshark on a Hyper-V guest VM, but on-premise based and this behavior does not happen.
So it could look like this is a common behavior of Windows Server 2012 R2 on an Azure VM. A note to this; I also tried this on a Win Svr 2008 R2 VM in Azure and the regular PINGS were not seen.
Has anyone seen this before? At this stage I'm more interesting in identifying the source of process of these regular PINGS rather than trying to stop them.
Thanks
