🌓

VPN Gateway – Troubleshooting

Table of Contents

Common Issues

The following problems are frequently reported by VPN Gateway users:

  • IPsec/IKE negotiation failures
  • Gateway provisioning errors
  • Unexpected disconnections
  • High latency or packet loss
  • Wrong route propagation

Diagnostic Tools

Azure provides several built‑in tools to help you diagnose VPN issues:

ToolPurposeHow to Use
Network Watcher – VPN diagnosticsValidate tunnel healthNavigate to Network Watcher → VPN diagnostics → Select gateway.
Effective routesInspect route tables applied to VMsRun az network nic effective-route list in Azure CLI.
Log AnalyticsCollect and analyze gateway logsConfigure diagnostics settings to send logs to a Log Analytics workspace.

Connectivity Problems

IPsec/IKE negotiation failures

Typical error codes:

ikev2-error: 0x8009030C - Invalid credentials
ikev2-error: 0x8009030D - Invalid certificate

Steps to resolve:

  1. Verify shared secret or certificates are identical on both ends.
  2. Check the Azure VPN gateway and on‑premises device use the same IKE version (IKEv1 or IKEv2).
  3. Ensure the required ports (UDP 500, UDP 4500) are allowed through firewalls.
  4. Use az network vpn-connection show to confirm the connection status.

Routing Issues

If traffic is not flowing as expected, check the following:

  • Effective routes on the VM (see Diagnostic Tools).
  • Network Security Group (NSG) rules – ensure inbound/outbound allow rules for VPN traffic.
  • Uplink VPN type (PolicyBased vs RouteBased) matches your on‑prem configuration.
  • Propagation of BGP routes (if using BGP). Use az network vnet-gateway show-bgp-peer-status.

Performance Tuning

To improve throughput and latency:

  1. Choose the appropriate gateway SKU (VpnGw1, VpnGw2, VpnGw3, etc.) based on expected traffic.
  2. Enable Accelerated Networking on the VMs that handle high‑throughput traffic.
  3. Use multiple tunnels (Active‑Active) for redundancy and load balancing.
  4. Monitor the GatewayLoad metric in Azure Monitor and scale up if needed.

FAQ

Why does my VPN gateway show Provisioning failed?
Check the diagnostic settings for provisioning errors. Common causes include insufficient quota or an unsupported combination of SKU and VNet size.
Can I use a custom DNS server with VPN Gateway?
Yes. Configure the DNS settings on the VNet and ensure the VPN client receives those settings via the VPN client configuration package.
How do I reset a VPN connection without recreating it?
Use az network vpn-connection reset to restart the tunnel while preserving the configuration.