When connecting your on-premises environment to Microsoft Azure, you rely heavily on VPN Gateways or ExpressRoute circuits. But what happens when that connection fails or performs poorly?
In this detailed guide, we’ll explore common Azure connectivity issues, causes, and step-by-step troubleshooting solutions.
We’ll also include a detailed table for quick reference — so you can quickly identify and fix problems affecting your Azure on-premises connectivity.
Why is On-Premises Connectivity Critical in Azure Architecture?
Seamless connectivity between Azure and on-premises is essential for hybrid cloud success. Businesses rely on:
-
Access to critical apps hosted in Azure
-
Site-to-site VPN connections for disaster recovery
-
ExpressRoute circuits for dedicated, low-latency links
-
Extending Active Directory into Azure
-
Running hybrid Kubernetes clusters (AKS Hybrid)
When VPNs or ExpressRoute connections break, it can cripple production systems, delaying operations and damaging customer trust.
Thus, troubleshooting on-premises connectivity with Azure becomes a vital skill for IT professionals and cloud architects.
Common Symptoms of Azure On-Premises Connectivity Problems
-
VPN tunnel not connecting
-
Packet loss between Azure and on-prem
-
Frequent VPN disconnects
-
ExpressRoute peering down
-
BGP routes missing
-
Specific Azure VM unreachable
-
Slow data transfer speeds between sites
-
Clients unable to connect via Point-to-Site VPN
Troubleshooting On-Premises Connectivity with Azure: Detailed Table
To help you systematically troubleshoot, here’s a detailed table covering problems, possible causes, and detailed solutions:
| Problem | Possible Cause(s) | Detailed Solution |
|---|---|---|
| VPN Tunnel is not connecting | – IPsec/IKE policy mismatch – Incorrect shared key – Gateway subnet misconfiguration |
– Verify encryption settings. – Confirm shared key matches. – Check GatewaySubnet IP range. |
| Frequent VPN Tunnel Drops | – DPD misconfigured – Unstable Internet – Low VPN Gateway SKU |
– Correct DPD settings. – Verify Internet connection. – Upgrade VPN Gateway SKU. |
| Traffic not passing through VPN | – Incorrect NSG – Missing routes – Firewall blocking IPsec traffic |
– Allow IPsec ports. – Add proper routes. – Check firewalls on both ends. |
| Point-to-Site VPN clients cannot connect | – Wrong VPN client settings – Missing authentication server config – Unsupported VPN SKU |
– Reinstall VPN client. – Validate authentication settings. – Upgrade VPN Gateway if needed. |
| ExpressRoute Circuit Not Working | – Circuit not provisioned – BGP not established |
– Confirm provider provisioning. – Validate BGP settings (ASN, IP prefixes). |
| ExpressRoute Peering Down | – VLAN ID mismatch – IP addressing issues – BGP mismatch |
– Correct VLAN IDs. – Use correct /30 IP addresses. – Match BGP ASN. |
| BGP Route Advertisement Issues | – Incorrect prefixes – Filtering errors – Overlapping IPs |
– Advertise correct ranges. – Review route filters. – Ensure non-overlapping address spaces. |
| Slow Connectivity | – Internet routing – Bandwidth limits – ISP latency |
– Route through ExpressRoute. – Upgrade bandwidth. – Work with ISP. |
| Unable to Reach Azure Subnets/VMs | – Missing route propagation – NSG blocking traffic – Firewall blocking |
– Enable route propagation. – Review NSGs and firewalls. |
| Phase 1/Phase 2 Negotiation Failure | – Encryption mismatch – Incorrect network definitions – NAT issues |
– Match IPsec/IKE settings. – Validate address spaces. – Enable NAT-T if necessary. |
| SA Expiry Issues | – Short SA lifetimes – Device bottlenecks |
– Increase SA lifetimes. – Monitor and upgrade devices if needed. |
| Azure VM cannot initiate traffic to on-premises | – Asymmetric routing – Bad UDRs |
– Validate routes. – Ensure symmetric traffic flow. |
| Packet Loss on VPN | – MTU issues – ISP packet drops – High VPN device CPU usage |
– Adjust MTU. – Test link quality. – Monitor device performance. |
Advanced Azure VPN Troubleshooting Techniques
When basic checks don’t resolve your VPN connectivity problems, move to advanced techniques:
1. Use Azure Network Watcher:
-
Run Connection Troubleshoot to test reachability from Azure to on-prem.
-
Perform Packet Captures on VPN Gateway to analyze traffic.
2. Review VPN Gateway Metrics:
-
Monitor
TunnelConnected,TunnelBandwidth, andTunnelReconnects. -
High reconnect rates may indicate unstable tunnels or Internet outages.
3. Enable and Analyze Resource Logs:
-
VPN Gateway diagnostic logs reveal negotiation failures, traffic flow anomalies, and DPD events.
Common ExpressRoute Troubleshooting Techniques
For ExpressRoute issues:
1. Check Provisioning State
-
The ExpressRoute circuit must show “Provisioned” in the Azure Portal.
2. Validate BGP Peering:
-
Ensure:
-
Correct BGP ASN
-
Correct subnet sizes (point-to-point /30 or /31)
-
BGP session established with provider
-
3. Review Microsoft Peering/Private Peering
-
Validate advertised prefixes.
-
Check if NAP (Network Access Point) provider is announcing your routes.
Best Practices to Avoid Connectivity Issues in Azure
-
Design for High Availability:
-
Deploy Active-Active VPN Gateway for redundancy.
-
Use dual ExpressRoute circuits (two providers).
-
-
Document Your Configurations:
-
Keep configuration backups for VPN devices.
-
Record encryption policies, route tables, BGP ASN numbers.
-
-
Monitor Proactively:
-
Set up Azure Monitor alerts for:
-
VPN Tunnel Down events
-
BGP Session Down
-
High bandwidth usage
-
-
-
Keep Firmware Updated:
-
VPN device vendors (Cisco, Fortinet, Palo Alto) regularly release critical updates for IPsec/IKE standards.
-
Common Azure VPN Gateway SKUs and Their Features
| SKU | Max Tunnels | Aggregate Throughput | Supports ExpressRoute? |
|---|---|---|---|
| Basic | 10 | ~100 Mbps | No |
| VpnGw1 | 30 | ~650 Mbps | No |
| VpnGw2 | 30 | ~1 Gbps | No |
| VpnGw3 | 30 | ~1.25 Gbps | No |
| VpnGw4 | 100 | ~5 Gbps | No |
| VpnGw5 | 100 | ~10 Gbps | No |
Pro Tip: Always use at least VpnGw2 for production VPNs, and VpnGw3+ for hybrid environments with critical workloads.
When Should You Contact Microsoft Support?
Open a support case when:
-
VPN or ExpressRoute status shows “Unhealthy” for over 30 minutes.
-
BGP session repeatedly drops even after verifying settings.
-
Tunnel connects but application traffic consistently fails.
-
Diagnosing deeper Azure backend issues is needed.
Frequently Asked Questions (FAQs) about Troubleshooting On-Premises Connectivity with Azure
1. Why is my Azure VPN connection not working?
Your Azure VPN connection might not work due to IPsec/IKE mismatch, wrong shared key, misconfigured route tables, or incorrect NSG (Network Security Group) settings. Always verify your VPN device configuration matches Azure’s requirements and ensure correct address spaces are defined.
2. How do I troubleshoot Azure ExpressRoute connectivity issues?
To troubleshoot ExpressRoute, check the circuit provisioning status, validate BGP peering settings, verify VLAN IDs, and inspect advertised prefixes. Use Azure Portal diagnostics and your provider’s NOC (Network Operations Center) to ensure both ends are properly configured.
3. What ports should be open for Azure VPN to work?
The following ports must be open:
-
UDP 500 (IKE)
-
UDP 4500 (IPsec NAT Traversal)
-
IP protocol 50 (ESP traffic)
Ensure these ports are allowed through any firewalls, both on-premises and in Azure NSGs.
4. How can I check VPN tunnel status in Azure?
You can check VPN tunnel status by:
-
Navigating to the Azure VPN Gateway resource
-
Viewing the Connections blade
-
Monitoring the tunnel health under “Status” (Connected/Disconnected)
You can also use Azure Network Watcher to perform connection troubleshooting tests.
5. What is the difference between Azure VPN and ExpressRoute?
Azure VPN uses the public Internet with encrypted IPsec tunnels for connectivity, while ExpressRoute provides a private, dedicated link between your on-premises environment and Azure through a network provider, ensuring lower latency and higher reliability.
6. How can I fix packet loss in Azure VPN connection?
To fix packet loss:
-
Adjust MTU size (usually set to 1400 bytes for VPN)
-
Monitor VPN device CPU and memory usage
-
Verify your ISP link stability
-
Use Azure Network Watcher Packet Capture to diagnose issues
7. What is BGP and why is it important for Azure ExpressRoute?
BGP (Border Gateway Protocol) automatically exchanges routing information between Azure and your on-premises network over ExpressRoute. It ensures dynamic routing and failover without manual route updates, which is crucial for hybrid environments.
8. What happens if the Azure VPN Gateway SKU is too small?
If your Azure VPN Gateway SKU is undersized, you may experience:
-
Bandwidth bottlenecks
-
Frequent disconnections
-
Inability to support required tunnels
Upgrading to a higher SKU like VpnGw2 or above solves capacity and performance problems.
9. Why can’t my on-premises servers reach Azure VMs after setting up VPN?
If on-premises servers can’t reach Azure VMs:
-
Verify UDRs (User Defined Routes) are correctly set.
-
Ensure route propagation is enabled.
-
Check that Azure NSGs and on-premises firewalls allow traffic both ways.
10. How do I monitor Azure VPN Gateway performance?
Monitor Azure VPN Gateway performance by:
-
Checking metrics like
TunnelConnected,TunnelBandwidth,TunnelReconnectsvia Azure Monitor -
Setting up alerts for tunnel downtime or high latency
-
Using Network Watcher for packet-level diagnostics
Conclusion
Troubleshooting on-premises connectivity with Azure requires a structured approach — from basic VPN configuration checks to advanced BGP and ExpressRoute troubleshooting.
Always start by checking simple issues (like IPsec policies, NSGs, routes) and then move to more complex diagnostics with Azure Network Watcher and Resource Logs.
By using the troubleshooting table provided above and implementing proactive monitoring, you can ensure stable, high-performance hybrid connectivity between Azure and your on-premises datacenter.
Want to Master Azure Networking?
Bookmark this page for future reference, and subscribe to our newsletter for more Azure deep-dives, tutorials, and troubleshooting guides!