Troubleshoot Azure VPN Gateway Connectivity Issues

This document provides a comprehensive guide to diagnosing and resolving common connectivity problems with Azure VPN Gateway. We'll cover steps to identify the root cause and implement solutions.

Before you begin: Ensure you have reviewed the Azure VPN Gateway Overview and understand the basic concepts.

Common Symptoms of VPN Gateway Connectivity Issues

Intermittent or complete loss of connectivity between on-premises networks and Azure VNets.
Slow or degraded performance over the VPN tunnel.
Inability to establish a new VPN connection.
Errors related to IPsec/IKE negotiation failures.
Traffic not flowing as expected after a successful connection.

Troubleshooting Steps

Verify VPN Gateway and Connection Status

Step 1: Check the Azure Portal

Navigate to your VPN Gateway resource in the Azure portal. Under the 'Overview' blade, check the 'Status'. It should indicate 'Succeeded' or 'Connected'.

Next, go to the 'Connections' blade and verify the status of your VPN connections. They should also show as 'Connected'.

Step 2: Use Azure Network Watcher

Network Watcher offers powerful diagnostic tools. Use the 'VPN Troubleshoot' feature to perform automated checks and identify potential issues with your gateway and connections.

You can also use 'Connection Troubleshoot' to test connectivity from a VM in your VNet to an on-premises IP address.
Review Gateway Configuration

Step 1: Gateway Type and SKU

Ensure your VPN gateway type (e.g., VPN, ExpressRoute) and SKU (e.g., VpnGw1, VpnGw2AZ) are appropriate for your performance and feature requirements.

Refer to the VPN Gateway SKUs documentation for details.
Step 2: IPsec/IKE Parameters

Inconsistent IPsec/IKE parameters between your Azure VPN Gateway and your on-premises VPN device are a common cause of connection failures.
- Phase 1 (IKE) and Phase 2 (IPsec) Encryption and Hashing Algorithms: Ensure they match.
- Diffie-Hellman Group: Verify that the same group is used on both ends.
- Perfect Forward Secrecy (PFS): If enabled, ensure it's configured consistently.
- Pre-shared Key (PSK): Double-check for typos and ensure it's identical.
You can review and modify these settings in the Azure portal under the 'Connections' blade for your specific connection.
Step 3: Local and Remote Network Definitions

The 'Local Network' and 'Remote Network' definitions in your Azure VPN connection must accurately reflect your on-premises network address spaces and the public IP address of your on-premises VPN device.

Local Network: Contains the IP address ranges of your on-premises network and the public IP of your on-premises VPN device.

Remote Network: Contains the IP address ranges of your Azure VNet.

Incorrect definitions will prevent traffic routing and connection establishment.
Check On-Premises VPN Device Configuration

Step 1: Firewall Rules

Ensure your on-premises firewall allows traffic to and from the public IP address of your Azure VPN Gateway on UDP ports 500 (IKE) and 4500 (IPsec NAT-T).

Also, ensure traffic for your VNet IP address ranges is permitted.

Step 2: Device Logs

Examine the logs on your on-premises VPN device for any errors related to IKE or IPsec negotiation. These logs often provide specific error codes or messages that can pinpoint the issue.

Consult your device vendor's documentation for how to access and interpret these logs.

Step 3: Routing

Verify that your on-premises network devices have the correct routes to send traffic destined for your Azure VNet through the VPN tunnel.
Examine Azure Network Security Groups (NSGs) and Firewalls

Step 1: NSG Rules

Ensure that Network Security Groups applied to the subnets within your VNet (especially the GatewaySubnet) do not block inbound or outbound traffic that should be flowing over the VPN tunnel. Allow necessary ports and protocols.

Step 2: Azure Firewall (if applicable)

If you are using Azure Firewall, verify its network rules and application rules allow the desired traffic flow between your on-premises network and your VNet.
Connectivity and Performance Testing

Step 1: Ping and Traceroute

From a VM within your VNet, try to ping an IP address on your on-premises network. Use traceroute (or tracert on Windows) to identify where packets are being dropped.

Perform the same test from an on-premises machine to a VM in your VNet.

Step 2: Bandwidth Testing

If you are experiencing slow performance, use tools like iPerf3 to measure throughput between your on-premises network and Azure VMs. Compare this to the expected bandwidth for your VPN Gateway SKU and connection type.

Important: Configuration changes to your VPN gateway or on-premises device can temporarily disrupt existing connections. Plan these changes during maintenance windows if possible.

Advanced Troubleshooting

For more complex issues, consider:

Packet Capture: Use Network Watcher's packet capture feature on your VNet's GatewaySubnet to analyze network traffic and identify the source of connection problems.
Azure Support: If you've exhausted all troubleshooting steps, open a support request with Microsoft Azure. Provide as much detail as possible about your configuration and the symptoms observed.

Tip: Regularly monitor your VPN gateway's performance metrics in the Azure portal. This can help you detect potential issues before they impact connectivity.

By systematically following these troubleshooting steps, you can effectively diagnose and resolve most Azure VPN Gateway connectivity problems.

Troubleshoot Azure VPN Gateway Connectivity Issues

Common Symptoms of VPN Gateway Connectivity Issues

Troubleshooting Steps

Step 1: Check the Azure Portal

Step 2: Use Azure Network Watcher

Step 1: Gateway Type and SKU

Step 2: IPsec/IKE Parameters

Step 3: Local and Remote Network Definitions

Step 1: Firewall Rules

Step 2: Device Logs

Step 3: Routing

Step 1: NSG Rules

Step 2: Azure Firewall (if applicable)

Step 1: Ping and Traceroute

Step 2: Bandwidth Testing

Advanced Troubleshooting