Troubleshooting Azure VPN Gateway
This document provides guidance and common solutions for troubleshooting issues related to Azure VPN Gateways. VPN Gateway enables you to create secure, cross-premises connectivity to your Azure virtual networks.
Common Issues and Solutions
1. Connection Established, but No Traffic
This often indicates a routing or firewall issue. Check the following:
- Routing Tables: Ensure that the relevant routes are correctly configured in both your on-premises network and Azure VNet. For Site-to-Site VPNs, check the effective routes on your subnets.
- Network Security Groups (NSGs): Verify that NSGs associated with your subnets do not block the necessary traffic. Pay attention to inbound and outbound rules for the protocols and ports you intend to use.
- Firewalls: If you have firewalls in your on-premises network or within Azure (e.g., Azure Firewall), ensure they are not blocking traffic between the connected networks.
- BGP Peering: If using BGP, check the BGP status and ensure routes are being advertised and received correctly.
Tip:
Use the Azure Network Watcher IP Flow Verify and Connection Troubleshoot tools to diagnose connectivity issues.
2. VPN Tunnel is Down or Intermittently Disconnecting
Intermittent disconnections can be caused by network instability, mismatched configurations, or IP address conflicts.
- IP Address Conflicts: Ensure that the on-premises network address space does not overlap with the Azure VNet address space.
- Shared Key Mismatch: Verify that the pre-shared key (PSK) used for the VPN tunnel is identical on both the Azure VPN Gateway and your on-premises VPN device.
- IKE/IPsec Parameters: Check that the Internet Key Exchange (IKE) and IPsec parameters (encryption, hashing, Diffie-Hellman group, lifetimes) are correctly configured and match on both ends of the tunnel. Refer to the Azure VPN Gateway documentation for supported algorithms and parameters.
- NAT Traversal (NAT-T): If your on-premises VPN device is behind a NAT, ensure NAT-T is enabled and supported.
- MTU Issues: Network devices can fragment packets. Ensure your MTU path discovery is configured correctly. Large packets might be dropped.
- On-Premises Device Health: Check the logs and health status of your physical or virtual VPN appliance.
Warning:
Unsupported IKE/IPsec proposals can lead to connection failures or instability. Always consult the Azure documentation for compatible settings.
3. High Latency or Low Throughput
Performance issues can stem from network congestion, insufficient gateway SKU, or inefficient configuration.
- Gateway SKU: Ensure your VPN Gateway SKU is sufficient for your expected traffic load. Higher SKUs offer greater throughput.
- Link Aggregation/Bonding: If you are using multiple connections (e.g., Active-Active gateway), ensure they are properly configured and utilized.
- Throughput Limits: Be aware of the individual tunnel and aggregate throughput limits for your chosen VPN Gateway SKU.
- On-Premises Network Bandwidth: Verify that your on-premises internet connection and internal network have sufficient bandwidth.
- Packet Inspection: Deep packet inspection on firewalls or other network devices can introduce latency.
- Location: The physical distance between your on-premises location and the Azure region can impact latency.
Tip:
Monitor your VPN Gateway's performance metrics in Azure Monitor. Look for CPU utilization, data in/out, and packet drop rates.
4. P2S VPN Connection Failures
For Point-to-Site (P2S) VPNs, connection failures can be due to client configuration or authentication issues.
- Client VPN Software: Ensure you are using the correct and latest version of the Azure VPN client software.
- Client Configuration Profile: Re-download and re-install the VPN client configuration profile from the Azure portal.
- Authentication: Verify that the user credentials used for authentication are correct. If using certificate-based authentication, ensure the root and client certificates are correctly installed and trusted on the client machine.
- Firewall/Proxy: Client-side firewalls or corporate proxies might block the VPN connection.
- DNS Resolution: Ensure the client can resolve the DNS name of the VPN gateway.
5. BGP Issues
Border Gateway Protocol (BGP) issues can prevent route propagation.
- BGP Peering Status: Check the status of BGP peers in the Azure portal. The status should be 'Connected'.
- ASN Mismatch: Ensure the Autonomous System Number (ASN) configured on your on-premises device matches the one expected by Azure.
- BGP Route Advertisements: Verify that your on-premises device is advertising the correct address prefixes to Azure.
- BGP Route Reception: Confirm that Azure VPN Gateway is receiving routes from your on-premises network.
- Public IP Addresses: Ensure the public IP addresses used for BGP peering are correctly configured and accessible.
Troubleshooting BGP:
Use the BGP Peers and Effective Routes features in Azure Network Watcher to diagnose BGP related problems.
Azure Network Watcher Tools
Azure Network Watcher offers several invaluable tools for diagnosing VPN Gateway connectivity and performance issues:
- Connection Troubleshoot: Helps diagnose connectivity issues between two endpoints.
- IP Flow Verify: Checks if traffic is allowed or denied by NSGs and User Defined Routes (UDRs).
- Packet Capture: Captures network traffic on a virtual machine.
- Next Hop: Determines the next hop for traffic from a virtual machine.
- Connection Monitor: Monitors network performance and logs.
By systematically checking these common areas and utilizing Azure's diagnostic tools, you can effectively resolve most Azure VPN Gateway issues.