The tunnel is marked as up and is showing packets being passed both ways.
I have created two VMs in two subnets on the Azure network and configured the servers so that they can ping each other, i.e., it works. Pinging these servers from the non-Azure site fails. Pinging local servers from these servers also fails (those local servers can be pinged from other local devices).
I haven't defined any subnet network security groups (NSGs).
I am using the default NSGs that were created for the VMs, which include a default rule 'AllowVnetInBound' to allow VirtualNetwork to VirtualNetwork traffic, so this shouldn't block VPN traffic:
'VIRTUAL_NETWORK: This default tag denotes all of your network address space. It includes the virtual network address space (CIDR ranges defined in Azure) as well as all connected on-premises address spaces and connected Azure VNets (local networks).' https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg
The onsite firewall has the correct traffic rules set, and I've confirmed via a network trace that time-matched IKE packets are sent to the Azure virtual network gateway IP address just after ping packets are sent to the Azure VMs' private IP addresses (so the firewall knows the correct tunnel route to use and allows the outbound ping packets).
The Azure local network gateway correctly defines the address space for the VPN subnet, so I imagine this is used to define a route to the VPN local subnet.
Any ideas on what to check?
Thanks
David
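One routing-side check that follows from the question above, as an added example and not code from the poster: parse a VM NIC's effective route table and confirm that an on-premises address actually resolves (longest-prefix match) to a route whose next hop is the virtual network gateway rather than the 0.0.0.0/0 Internet route or nothing. The JSON shape mirrors what `az network nic show-effective-route-table` returns, but the field names are assumed and the routes and addresses are constructed for this example.

```python
import ipaddress
import json

# Constructed sample in the shape of `az network nic show-effective-route-table`
# output; field names are assumed and every prefix/address here is made up.
EFFECTIVE_ROUTES_JSON = """
{"value": [
  {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
   "nextHopIpAddress": [], "source": "Default", "state": "Active"},
  {"addressPrefix": ["192.168.10.0/24"], "nextHopType": "VirtualNetworkGateway",
   "nextHopIpAddress": ["10.0.255.4"], "source": "VirtualNetworkGateway", "state": "Active"},
  {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
   "nextHopIpAddress": [], "source": "Default", "state": "Active"}
]}
"""


def lookup_route(routes, destination):
    """Longest-prefix match over active effective routes.
    Returns the matching route dict, or None if nothing covers the destination."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes:
        if route.get("state") != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dst in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
    return best


def reaches_on_prem_via_gateway(routes_json, destination):
    """True only when the destination resolves to a VirtualNetworkGateway next hop.
    A hit on the 0.0.0.0/0 Internet route, or no route at all, means the packet
    never enters the tunnel, whatever the IKE state says."""
    routes = json.loads(routes_json)["value"]
    route = lookup_route(routes, destination)
    return route is not None and route["nextHopType"] == "VirtualNetworkGateway"


if __name__ == "__main__":
    for ip in ("192.168.10.20", "192.168.20.5"):
        ok = reaches_on_prem_via_gateway(EFFECTIVE_ROUTES_JSON, ip)
        print(ip, "-> via gateway" if ok else "-> NOT via gateway")
```

A destination that lands on the Internet route is the signature of a local network gateway address space that does not cover the on-premises subnet being pinged.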