How to troubleshoot Azure VPN Connection Issues in 7 Easy Steps

If your Azure VPN connection was functioning properly and suddenly stopped working, leaving it in a down state, follow these steps to identify and resolve the issue:

1. Validate Your On-Premises Device

Check if your on-premises device is a validated device with a supported OS version by Azure. Refer to the list of validated devices here: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/#validated-vpn-devices

If the device is not listed as validated, it may still work, provided it meets all IP security requirements. However, compatibility is not guaranteed.

2. Validate On-Premises Device Configuration

Ensure that your on-premises VPN device is configured correctly according to a known good configuration. Refer to Azure's documentation: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#editin

Download a “validated VPN device configuration template” specific to your VPN device. This template includes the exact syntax and parameters required for your device. Apply the script to your device accordingly.

Find the template download instructions in the official documentation.

(https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-download-vpndevicescript)

Ways to download the configuration template:

From the Azure portal: Navigate to the connection object and select Download Configuration.

Using PowerShell:

$RG = "TestRG1"
$GWName = "VNet1GW"
$Connection = "VNet1toSite1"

# List the VPN device vendors, families and firmware versions a script is available for
Get-AzureRmVirtualNetworkGatewaySupportedVpnDevice -Name $GWName -ResourceGroupName $RG

# Download the configuration script for the connection (vendor/family/firmware values come from the list above)
Get-AzureRmVirtualNetworkGatewayConnectionVpnDeviceConfigScript -Name $Connection -ResourceGroupName $RG -DeviceVendor Juniper -DeviceFamily Juniper_SRX_GA -FirmwareVersion Juniper_SRX_12.x_GA

3. Validate Azure Gateway Type (Policy-Based vs. Route-Based)

Ensure the correct gateway type is configured:

  • Route-Based Gateway: Uses IKEv2.
  • Policy-Based Gateway: Uses IKEv1.

Check the ikepacketlogstable diagnostics table to verify whether IKEv1 or IKEv2 packets are being sent. If IKEv1 packets are being sent to a route-based gateway instead of IKEv2, reconfigure your device to use IKEv2 or download the configuration script from the portal.

4. Reset the VPN Connection

Through the Azure portal.

Using PowerShell – ARM Model:

$gw = Get-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1
Reset-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $gw

Using PowerShell – Classic Model:

Reset-AzureVNetGateway -VNetName ContosoVNet

Reset the tunnel on your on-premises device as well.

5. Validate the Pre-Shared Key (PSK)

Fetch the PSK from your on-premises device and compare it with the Azure Gateway configuration:

In ARM (Portal): Navigate to Connections > Connection Name > Shared Key.

In PowerShell (ARM):

Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name <ConnectionName> -ResourceGroupName <ResourceGroupName>

In PowerShell (Classic):

The connection name displayed in the portal may differ from the Local Network Site Name. Example: If the connection name is “TestConnection,” the Local Network Site Name might appear as “6DAB0838_TestConnection.”

# Get all connections
Get-AzureVNetConnection -VNetName <VnetName>

# Get the shared key for a specific connection
Get-AzureVNetGatewayKey -VNetName <VnetName> -LocalNetworkSiteName <LocalNetworkSiteName>

# Update the shared key
Set-AzureVNetGatewayKey -VNetName <VnetName> -LocalNetworkSiteName <LocalNetworkSiteName> -SharedKey <Key>

6. Validate VPN Peer IPs

Ensure the IP definitions match:

  • The Local Network Gateway object in Azure must match the on-premises device IP.
  • The Azure Gateway IP configuration on your on-premises device must match the Azure gateway IP.

Note: If the external interface of your VPN device is behind a NAT or firewall, it will be in an unsupported state. Ensure the device is directly connected to the internet.

7. Validate Subnets for Policy-Based Gateways

Ensure the subnet definitions match exactly:

  • Between the Azure Virtual Network and the on-premises network.
  • Between the Local Network Gateway and the on-premises network.
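As an added example (not part of the original post), the following PowerShell script gathers the Azure-side values that steps 3, 5, 6 and 7 tell you to compare and flags mismatches against the values you read from your on-premises device. It assumes an authenticated AzureRm session with the AzureRM.Network module and reuses the resource names from step 2; the on-premises values in the param block are placeholders to replace with your own.

```powershell
# Constructed example: consolidates the comparisons from steps 3, 5, 6 and 7.
# Requires an authenticated AzureRm session (Login-AzureRmAccount) and AzureRM.Network.
param(
    [string]$RG              = "TestRG1",
    [string]$GWName          = "VNet1GW",
    [string]$ConnectionName  = "VNet1toSite1",
    # Values as read from the on-premises VPN device (placeholders, replace with your own)
    [string]$OnPremPublicIp  = "203.0.113.10",
    [string]$OnPremPsk       = "replace-with-the-psk-from-your-device",
    [string[]]$OnPremSubnets = @("10.1.0.0/16")
)

# Pull resource group and name out of an ARM resource ID so referenced resources
# can be fetched even when they live in a different resource group.
function Split-ResourceId([string]$Id) {
    $parts = $Id -split '/'
    $i = [array]::IndexOf($parts, 'resourceGroups')
    return @{ RG = $parts[$i + 1]; Name = $parts[-1] }
}

$conn = Get-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $RG
$gw   = Get-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
$lngRef = Split-ResourceId $conn.LocalNetworkGateway2.Id
$lng  = Get-AzureRmLocalNetworkGateway -Name $lngRef.Name -ResourceGroupName $lngRef.RG
$pipRef = Split-ResourceId $gw.IpConfigurations[0].PublicIpAddress.Id
$pip  = Get-AzureRmPublicIpAddress -Name $pipRef.Name -ResourceGroupName $pipRef.RG

$problems = @()

# Step 3: RouteBased gateways negotiate IKEv2, PolicyBased gateways IKEv1
Write-Host "Connection status: $($conn.ConnectionStatus); gateway type: $($gw.VpnType)"
Write-Host "Azure gateway public IP (the peer address on your device): $($pip.IpAddress)"

# Step 5: compare the PSK case-sensitively without echoing either value
$azurePsk = Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name $ConnectionName -ResourceGroupName $RG
if ($azurePsk -cne $OnPremPsk) { $problems += "Pre-shared key differs between Azure and the on-premises device" }

# Step 6: the Local Network Gateway must carry the on-premises device's public IP
if ($lng.GatewayIpAddress -ne $OnPremPublicIp) {
    $problems += "Local Network Gateway IP $($lng.GatewayIpAddress) differs from on-premises IP $OnPremPublicIp"
}

# Step 7: address prefixes must match exactly (mandatory for policy-based gateways)
$diff = Compare-Object $lng.LocalNetworkAddressSpace.AddressPrefixes $OnPremSubnets
if ($diff) { $problems += "Subnet mismatch: " + (($diff | ForEach-Object { "$($_.InputObject) $($_.SideIndicator)" }) -join ', ') }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Host "All checked parameters match." }
```

In the subnet output, `<=` marks a prefix present only on the Azure Local Network Gateway and `=>` one present only on the device.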

After performing these steps, your VPN connection should come back up.

In my next post, I will discuss limitations associated with Azure Gateways, such as policy-based configurations with multiple tunnels.

Thanks for reading! Kindly share your thoughts.
