Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,361 questions
Azure S2S VPN connection ot establishing - no traffic between gateways
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 9%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
CMCosta
1
Reputation point
I'm trying to troubleshoot connectivity issues between an Azure VPN gateway and a local gateway. TL;DR: no traffic incoming from Azure to local gateway, how to troubleshoot?
Followed all the steps in the manual:
- create vNet with GatewaySubnet (w/ proper subnets, no issues here)
- create Virtual Network Gateway, attach to vNet and Public IP
- create Local Network Gateway, define subnets accordingly.
- create connection between sites, establish secret.
- add a VM on vNet to test.
- ... connection does not establish. Local router shows "establishing", Azure says "The connection cannot be established because the other VPN device is unreachable".
Checked with Network Watcher / VPN Troubleshooter, IP Flow, et al and no clue. Gateways seem to not reach each other across the Internet.
Try with establishing same setup, but with a S2S between 2 azure regions using two Virtual Network Gateways. Same results! Rule out problems with local circuit or local router.
Break out Wireshark, go back to original Azure<->Local setup, check what's going on on the local router side. Result: no packets arriving from Azure public IP assigned to virtual gateway. Connection attempts (ISAKMP) from the local router get no replies from Azure. Looks like the Azure gateway does not reach the local router, maybe even the internet, but Azure tools can't give any insight on this (they can only go so far).
Tried different regions, different SKUs for the gateway, to no avail, seems like an issue with my config (can't see where I could've missed anything, tried 10x), a provisioning issue with gateways (on all regions? hmmm....not likely) or a problem with my subscription (?)...
Any clues?
{count} votes
-
suvasara-MSFT 9,996 Reputation points2020-10-01T04:27:38.43+00:00 Is there any firewall between Azure VPN gateway and on prem device? and, to which VPN device are you trying to connect? are you using any deployment scripts?
Please do check the Internet connectivity too. -
CMCosta 1 Reputation point
2020-10-01T11:37:36.24+00:00 Checked all that and more. As I wrote, a S2S VPN between 2 vNets is also not working. Today, I created a S2S (Vnet2Vnet) between two vNets in the same Azure location (e.g. North Europe) and it also does not work, with the exact same error - gateways do not reach each other.
There is no firewall between the two vNets in the same location.Scripts used for consistency and repeatability, based on the following:
-
suvasara-MSFT 9,996 Reputation points
2020-10-02T07:27:10.28+00:00 @CMCosta , Looks strange. Also, as a last check before providing support can you please check the below list,
- You can't have overlapping IP address ranges between VNET's.
- You cannot connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type. Both virtual networks MUST use route-based (previously called dynamic routing) VPNs.
- You can't use a PolicyBased VPN type for VNet-to-VNet or Multi-Site connections. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called dynamic routing) VPN types.
-
suvasara-MSFT 9,996 Reputation points
2020-12-04T09:43:25.997+00:00 @CMCosta ,
If you think your question has been answered, click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.
Best regards
Subhash
Sign in to comment