question

tpy asked GitaraniSharmaMSFT-4262 commented

VPN Gateway Health Probe unavailable

I'm setting up a Site to Site VPN between us and a customer. Both are in Azure.
Before doing this in Prod environment, I'm setting it up in Test back to my PAYG subscription to check process etc.

The VPN stays "Not Connected". Following the troubleshooting steps, it says at step 7 to check the health probe of the VPN gateway at https://<YourVirtualNetworkGatewayIP>:8081/healthprobe

This is where I'm stuck. It times out connecting. The VPN troubleshooter also provides similar suggestions as to being unable to connect to the other peer. This happens on both gateways (e.g. test and also my PAYG).

I have another site to site VPN set up at another customer, and I know what I should receive when calling that URL, and that customer works fine with a reply on the health probe.

Running the following also fails with TimeOut.
test-netconnection -computername [my-virtual-network-gateway-up] -port 8081

I have torn it down and recreated it with a different Public IP, with the same response.
Also tested from separate networks to rule out any firewalls etc. (e.g. tested from home and from office)

Suggestions welcome?


azure-vpn-gateway

Hello @tpy ,

Apologies for the delay in response.

Could you please provide the below details for further investigation on this issue:

  1. Is there an NSG or UDR associated to the VPN GatewaySubnet?

  2. What is the SKU & region of the VPN gateway?

Regards,
Gita

tpy GitaraniSharmaMSFT-4262 ·

Hi,

  1. No, there is not an NSG or UDR associated to the GatewaySubnet

  2. SKU is Basic on both sides; region is UKSouth on both sides.

Thanks,



Hello @tpy ,

Thank you for the details.

The VPN gateway health probe failure usually happens due to NSGs applied on GatewaySubnet. Since that is not the case here, let us check the other configurations one by one to find the root cause of "Not connected" VPN status.

1) You mentioned that you are setting up a Site to Site VPN between you and a customer (Both are in Azure). So I believe the site to site (IPsec) VPN connection is configured between 2 Vnets, is that correct?
2) If yes, did you create local network gateways on both sides representing the other VNet as a local site?
Refer: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec
3) Are you using Route based VPN type or Policy based VPN type on your Basic SKU VPN gateways? Are they the same on either side?
4) Is the Pre-shared key configured correctly on both side connections?
5) Are there any other Vnet peered/connected to these 2 Vnets with overlapping address spaces?

Regards,
Gita


1 Answer

tpy answered GitaraniSharmaMSFT-4262 commented

Hi Gita,

  1. Yes, correct - VNet to Vnet in Azure.

  2. Yes, created the LNGs

  3. Route Based. Yes, same on both sides

  4. Yes, Pre-Shared Key correct

  5. No peering and no overlapping address space.

Things progressed after the weekend, in that it just worked which is most odd, so assume it was something odd in the Azure world.
However, I would still like to know at what point the Health Probe is available on https://<YourVirtualNetworkGatewayIP>:8081/healthprobe. Is it only available when the VPN is connected?
I cannot find any documentation on this aspect of the VPN gateway, and all web searches point me to ALG Health Probes. This would be most helpful.

I will mark this question answered, although sorry to future readers - there is not a root cause as to why it happened and how it was resolved.
In addition, this was purely a PoC before configuring it live for us and the customer. I am pleased to say this worked without any issue (and the health probe was available)


Thank you for the update, @tpy. Glad to hear that the issue is now resolved.
VPN Health Probe is available on https://<YourVirtualNetworkGatewayIP>:8081/healthprobe only when the created VPN gateway is healthy and is able to reach the management controllers to function properly.

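An added example, not part of the original thread or of Microsoft's documentation: a PowerShell 7 function that runs the two checks discussed above in order (TCP reachability of port 8081, then the /healthprobe request) and reports which stage failed. The function name, default timeout and verdict strings are hypothetical, and certificate validation is skipped on the assumption that the probe's certificate is not issued for the bare gateway IP.

```powershell
#Requires -Version 7.0
# Added example (not from the thread): staged health-probe check for a VPN gateway.
function Test-GatewayHealthProbe {
    param(
        [Parameter(Mandatory)] [string] $GatewayIp,  # public IP of the virtual network gateway
        [int] $Port = 8081,
        [int] $TimeoutSec = 10
    )
    $result = [ordered]@{ Gateway = $GatewayIp; Tcp = 'NotTested'; HttpStatus = $null; Verdict = '' }

    # Stage 1: plain TCP connect with an explicit timeout, so a silent drop
    # (timeout) is reported separately from an immediate connection error.
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $connected = $client.ConnectAsync($GatewayIp, $Port).Wait($TimeoutSec * 1000)
        if ($connected) { $result.Tcp = 'Open' } else { $result.Tcp = 'Timeout' }
    } catch {
        $result.Tcp = "Failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Dispose()
    }
    if ($result.Tcp -ne 'Open') {
        # Per the thread: an NSG on GatewaySubnet is the usual cause; otherwise the
        # probe is simply not served until the gateway itself is healthy.
        $result.Verdict = 'Probe unreachable: check for an NSG on GatewaySubnet; if none, the gateway is not reporting healthy.'
        return [pscustomobject]$result
    }

    # Stage 2: request the probe page. Assumption: the certificate does not match
    # the IP, so validation is skipped for this single diagnostic request only.
    try {
        $resp = Invoke-WebRequest -Uri "https://${GatewayIp}:$Port/healthprobe" `
            -SkipCertificateCheck -SkipHttpErrorCheck -TimeoutSec $TimeoutSec
        $result.HttpStatus = [int]$resp.StatusCode
        $result.Verdict = 'Probe answered: the gateway is serving its health endpoint.'
    } catch {
        $result.Verdict = "TCP open but no HTTPS reply: $($_.Exception.GetBaseException().Message)"
    }
    [pscustomobject]$result
}

# Usage (203.0.113.10 is a documentation placeholder, not a real gateway):
# Test-GatewayHealthProbe -GatewayIp 203.0.113.10 | Format-List
```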