Microsoft Docs

Troubleshooting Azure VPN Gateway

This guide provides common troubleshooting steps and solutions for issues you might encounter with Azure VPN Gateway.

Connectivity Issues

Problems with establishing or maintaining a connection to your Azure VPN Gateway can stem from various sources. Here are common scenarios and their resolutions:

Scenario 1: Site-to-Site VPN connection is not connecting or is intermittent.

• Verify IPsec/IKE parameters: Ensure that the IPsec/IKE policy on both your on-premises VPN device and the Azure VPN Gateway match exactly. Common mismatches include encryption algorithms, hashing algorithms, Diffie-Hellman groups, and lifetimes.
• Check pre-shared keys (PSK): Confirm that the PSK configured on both ends is identical.
• Validate public IP addresses: Ensure the public IP address of your on-premises VPN device is correctly configured in the Azure VPN Gateway's local network gateway definition.
• Firewall rules: Verify that any firewalls between your on-premises network and the Azure VPN Gateway are not blocking UDP ports 500 (IKE) and 4500 (NAT-T), and ESP protocol.
• On-premises device compatibility: Consult the Azure VPN device compatibility list to ensure your device is supported and configured correctly.
• Check BGP configurations (if applicable): If you are using BGP, verify routes are being advertised and received correctly.

Scenario 2: Virtual network-to-virtual network (VNet-to-VNet) connection is down.

• Check gateway IP addresses: Ensure the gateway IP addresses for both virtual networks are correctly configured in their respective local network gateway definitions.
• Peering configuration: Verify that the virtual network peering settings are correct, including gateway transit permissions if one VNet is peering to another that has a VNet Gateway.
• Service IP addresses: Ensure that the service IP address ranges for both VNets are correctly defined in the local network gateway of the other VNet.

Performance Problems

Slow performance or low throughput can impact the usability of your VPN connection.

Common causes and solutions:

• Gateway SKU: Different Azure VPN Gateway SKUs offer varying levels of performance. Ensure you have selected a SKU that meets your throughput requirements. Consider scaling up your gateway if needed.
• Bandwidth limitations: Check the available bandwidth on your on-premises network connection. The VPN throughput is limited by the slower of the two connections.
• MTU issues: Incorrect Maximum Transmission Unit (MTU) settings can cause fragmentation and performance degradation. Ensure MTU paths are properly managed. Consider using the VPN gateway's Path MTU Discovery feature.
• Encryption overhead: IPsec encryption adds overhead. Account for this when estimating throughput.
• Number of tunnels: A large number of tunnels can also impact performance.

Configuration Errors

Misconfigurations are a frequent source of VPN issues.

Common errors:

• Incorrect virtual network address spaces: Ensure that the address spaces of connected virtual networks and on-premises networks do not overlap.
• Local network gateway IP address: The IP address configured in the local network gateway must be the public IP address of your on-premises VPN device.
• On-premises network address ranges: The address prefixes defined in the local network gateway should accurately represent your on-premises network.
• Gateway subnet: The gateway subnet must be named GatewaySubnet and have a specific address range suitable for the gateway.

Log Analysis and Monitoring

Leveraging Azure Monitor and VPN Gateway logs is crucial for diagnosing issues.

Key metrics and logs to check:

• Azure Monitor metrics: Monitor metrics like 'Tunnel Egress Bytes', 'Tunnel Ingress Bytes', 'Tunnel Egress Packets', and 'Tunnel Ingress Packets' to assess traffic flow and identify potential bottlenecks.
• Gateway diagnostic logs: Enable diagnostic settings for your VPN Gateway to collect logs related to tunnel status, BGP events, and configuration changes.
• Connection monitor: Use Azure Monitor's connection monitor to proactively check the health and performance of your network paths, including VPN tunnels.
• Event logs on on-premises device: Check the logs on your on-premises VPN device for error messages related to IKE negotiations, IPsec SA establishment, or connectivity.

Specific Connection Issues

IKEv2 and IKEv1 differences:

Ensure your on-premises device and Azure VPN Gateway are configured for the same IKE version. IKEv2 is generally recommended for its robustness and features.

NAT traversal (NAT-T):

If your on-premises VPN device is behind a NAT device, ensure NAT-T is enabled and supported on both ends. This typically uses UDP port 4500.

BGP troubleshooting:

• Verify BGP peering status.
• Check BGP advertised and received routes.
• Ensure BGP ASN and peer IP addresses are correct.

For advanced troubleshooting, consider using Azure Network Watcher's VPN diagnostics feature.

Always ensure your on-premises VPN device firmware is up-to-date and that it is configured according to Microsoft's best practices and compatibility lists.

If you continue to experience issues, please refer to the Azure VPN Gateway diagnostics documentation or contact Azure support.