Troubleshooting Azure Virtual WAN

Common Issues

• VPN connection failures – Verify that the shared key, IPsec policies, and BGP settings match on both ends.
• Hub-to-hub latency spikes – Check for network congestion, review route tables, and enable flow logs for diagnostics.
• ExpressRoute integration problems – Ensure the ExpressRoute circuit is linked to the correct hub and that the routing configuration permits the expected prefixes.
• Branch-to-branch connectivity – Confirm that the branch office VPN devices are using the latest firmware and that the virtual hub is properly configured for transit routing.

Diagnostic Tools

Azure provides several built‑in tools to help you pinpoint issues:

• Network Watcher – Connection Monitor
• Azure Monitor – Metrics & Logs
• VPN diagnostics (Site-to-Site & P2S)
• ExpressRoute monitor

Example: Using Azure CLI to view hub health:

az network vhub show \
    --resource-group MyResourceGroup \
    --name MyVirtualHub \
    --query "properties.provisioningState"

Step‑by‑Step Troubleshooting Guide

1. Validate configuration
   • Confirm hub and spoke relationships.
   • Check the addressPrefix of each virtual hub.
2. Inspect connection status

   Run the following CLI command to list VPN connections and their states:

   az network vpn-connection list \
       --resource-group MyResourceGroup \
       --output table

3. Review logs

   Navigate to Monitor → Logs and execute:

   AzureDiagnostics
   | where Category == "VirtualNetworkGatewayDiagnosticLog"
   | where ResourceId contains "my-vpn-gateway"
   | project TimeGenerated, OperationName, Status, Message
   | order by TimeGenerated desc

4. Test connectivity

   From a VM in a spoke VNet, use ping or tracert to the hub address. If the hop fails, verify NSG and firewall rules.

5. Open a support ticket

   If the issue persists, collect the following information:

   • Subscription ID
   • Resource Group name
   • Virtual hub and VPN gateway IDs
   • Relevant log excerpts

Best Practices

• Keep VPN device firmware up to date.
• Enable BGP for dynamic routing where possible.
• Use Azure Policy to enforce hub naming conventions.
• Monitor key metrics (e.g., TunnelStatus, PacketLoss) continuously.
• Apply Azure Firewall or third‑party NVA in the hub for security inspection.

Related Resources

• Virtual WAN concepts
• Virtual WAN overview
• FAQ
• Official troubleshooting guide