Troubleshoot VPN Gateway

In this lesson you’ll learn a systematic, step-by-step approach to troubleshoot Azure VPN Gateway issues. Follow this checklist to quickly identify the root cause of connectivity failures or degraded performance between your on-premise network and Azure VNets. Below is a practical troubleshooting sequence. Each step explains what to check, why it matters, and links to deeper guidance.

Validate expected VPN throughput and gateway SKU

Confirm the chosen gateway SKU supports your required throughput — SKUs have different maximum throughput and concurrent tunnel characteristics. If throughput is lower than expected, measure end-to-end transfer rates between on-premises and Azure (for example, using iperf or similar tools).
Check for on-premises limitations: proxy devices, intermediate firewalls, ISP or local bandwidth caps, or simultaneous transfers that can affect observed throughput.

Example iperf test:

# Start iperf server on one side:
iperf3 -s

# Run test from the other side (sample 1-minute test):
iperf3 -c <server-ip> -t 60 -P 4

Use Azure Network Watcher to inspect network-level behavior

Use Azure Network Watcher to validate reachability, run connectivity checks, view next hops, and capture packets (where supported). This helps verify that traffic reaches the gateway and that replies return correctly.
For packet-level visibility and connection tracebacks, use Network Watcher’s packet capture and connection troubleshoot features:
- Connectivity checks and next hop: validate route decisions and forwarding.
- Packet capture: capture traffic to confirm IKE/IPsec negotiation or to inspect actual traffic flow.

Enable and analyze VPN gateway diagnostic logs

Enable diagnostic settings for the virtual network gateway and send logs to a Log Analytics workspace or storage account. Diagnostic logs report tunnel state changes, negotiation events, authentication failures, and rekey activity.
Analyze logs in Azure Monitor and Log Analytics to spot repeated negotiation failures, IKE Phase1/Phase2 mismatches, or frequent rekeying that indicate misconfiguration or instability.

Verify routing (UDRs) and network security groups (NSGs)

Ensure there are no conflicting User-Defined Routes (UDRs) that direct gateway traffic away from the gateway or intercept it unexpectedly. The gateway subnet must not contain UDRs that override the Azure-managed routes required for VPN operation.
Confirm NSGs do not block essential traffic. Allow the following common protocols and ports (see table below).

Common ports/protocols required for IKE/IPsec:

Protocol	Port / Identifier	Use case
UDP	500	IKE Phase 1 (ISAKMP)
UDP	4500	IPsec NAT-T (encapsulated ESP)
ESP	50 (protocol)	Encapsulated payload (IPsec ESP)
ICMP	—	Path MTU discovery and connectivity checks

Also ensure the gateway subnet is named exactly GatewaySubnet and is appropriately sized (Microsoft recommends at least /27 for most deployments depending on features).

Confirm on-premises device compatibility and configuration

Verify your VPN device model and firmware are supported and that configuration follows Microsoft’s sample templates and validated device list.
Check public IP addresses of peers — ensure Azure and on-premises sides point to the correct peer IPs. If NAT is used, ensure NAT-T is enabled and configured properly.

Check shared secret (PSK) and peer IP addresses

A mismatched pre-shared key (PSK) prevents tunnel establishment. Verify the PSK is identical on both sides and that the peer endpoint addresses match.
If certificates are used instead of PSK, validate certificate expiration, trust chain, and thumbprints.

Verify Perfect Forward Secrecy (PFS) and encryption policy agreement

Ensure both peers agree on the IKE/IKEv2 parameters: encryption algorithm, integrity/hash algorithm, Diffie-Hellman group (PFS), and lifetimes. A mismatch in these parameters will cause IKE to fail during negotiation.
Confirm the IKE version (v1 vs v2) is compatible with the Azure gateway SKU and configured consistently on both ends.

Check Azure gateway health and automated probes

Review the virtual network gateway status in the Azure portal for health warnings or errors. Azure uses internal health probes and will expose statuses for the gateway and tunnels.
If the gateway is reported unhealthy, review recent configuration changes, route or NSG changes, and diagnostic logs to find correlation with the outage.

Quick troubleshooting checklist

Check	Why it matters	Action
Gateway SKU & throughput	Ensure capacity meets needs	Validate SKU and run throughput tests (iperf)
Network Watcher checks	Confirms reachability and routing	Run connectivity checks and packet captures
Diagnostic logs	Shows negotiation failures & rekeys	Enable diagnostics to Log Analytics
NSGs & UDRs	May block or reroute VPN traffic	Verify `GatewaySubnet` is clean and NSGs allow IKE/IPsec
PSK & peer IP	Prevents tunnel establishment if wrong	Confirm PSK and peer endpoint addresses
IKE/PFS policies	Policy mismatch stops IKE	Align encryption, hashing, DH groups, lifetimes
Device compatibility	Unsupported models/configs fail	Use Microsoft-validated configs and firmware
Gateway health	Azure-side probe results	Check portal and correlate with logs

Enable gateway diagnostics as soon as you deploy the gateway. Diagnostic logs combined with Network Watcher captures greatly speed up root-cause analysis and provide historical context for intermittent issues.

Be sure the gateway subnet is named exactly GatewaySubnet and does not contain NSGs or conflicting UDRs that block IKE/IPsec traffic. Misconfigured subnet rules are a frequent cause of VPN failures.

Since the VPN gateway is not yet deployed in this article, once it is provisioned you can:

Enable diagnostics and streaming logs to a Log Analytics workspace.
Use Network Watcher connection troubleshoot and packet capture to verify traffic flow.
Configure the pre-shared key, IKE policies, and enable NAT-T or active-active mode if required.

Active-active mode: basic considerations

Active-active is used for high availability and to support multiple concurrent VPN tunnels whereby both gateway instances are active. When planning active-active deployments, ensure:
- You have multiple public IPs and routes configured.
- On-premises devices support multi-tunnel or route-based configurations.
- Load balancing and route advertisements are aligned with your architecture.

An eight-step checklist graphic for troubleshooting Azure VPN connections, with teal numbered circles and short action items arranged in two columns. Steps include validating VPN throughput, using Network Watcher and diagnostic logs, checking UDR/NSGs and gateway health, verifying shared keys and peer IPs, and confirming the on-premises device and perfect forward secrecy.

Links and references

Azure Network Watcher overview: https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview
Diagnostic settings: https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings
Log Analytics workspace: https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-overview
VPN device guidance and sample configurations: https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Use this checklist during incident response and regular health checks to reduce MTTR and improve the reliability of your Azure VPN Gateway connections.

Watch Video

Plan a VPN Gateway

Introduction

Introduction

Configure Internet Access with Azure Virtual NAT

Configure Peering for an Express Route Deployment

Configure Public IP Addresses

Connect Devices to Networks with Point to Site VPN Connections

Connect Networks with Site to Site VPN Connections

Connect Remote Resources by using Azure Virtual WA Ns

Create a Network Virtual Appliance NVA in a Virtual Hub

Deploy Azure D Do S Protection

Deploy and configure Network Security Groups

Design Azure Application Gateway

Design Azure Front Door

Design Name Resolution for Azure Virtual Network

Design an Express Route deployment

Design and Implement Azure Firewall

Design and Implement Azure Load Balancer

Design and Implement Azure VPN Gateway

Design and implement Azure Bastion

Enable Cross V Net Connectivity

Explain Virtual Network Service Endpoints

Explore Azure Express Route

Explore Azure Traffic Manager

Explore Azure Virtual Networks

Explore Load Balancing Options in the Azure

Express Route Advanced Features

Get Network Security Recommendations with Microsoft Defender for Cloud

Implement Virtual Network Traffic Routing

Implement a Web Application Firewall

Monitor your networks using Azure Monitor

Monitor your networks using Azure Network Watcher

Private Link Services and Private Endpoints

Troubleshooting Express Route Connections

Working with Azure Firewall Manager

Troubleshoot VPN Gateway

Watch Video