Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,622 questions
Can´t ping P2P from P2S
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 89%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETF%3C/text%3E%3C/svg%3E)
Thomas Finbom
0
Reputation points
Hi,
I’m fairly new to working with VPN connections, so I might be missing something obvious here.
I have set up a VPN connection (P2P) to an external network. I can successfully ping this server from my virtual network via my virtual machine.
Now, I have configured a P2P connection to the same network as my virtual machine. Through this P2P connection, I can ping my VM, and the P2P connection does show a route to the P2P itself. However, I am unable to ping any IPs through the P2P connection.
I have tried adding custom routing in my VM without success and have also tested BGP, but that didn’t work either.
I also encountered an error when trying to ping from P2P to P2P (see below). However, I’m unsure what might actually be causing the issue.
Packet drop is detected
Diagnose connectivity issues related to Packet drop Azure VPN gateway has detected packet drops at 1/20/2025 10:14:58 PM. Detailed information: [Source] 10.0.x.x:0 [Destination] 192.68.x.x:0 [Protocol] 1. Recommended Steps This issue occurs due to one of the following reasons:
- On-premises devices refused the Quick Mode (QM) or the devices have restrictions on supporting multiple QMs.
- Traffic selectors don't match between Azure VPN gateway and on-premises device: ensure your IPsec configurations on the on-premises device is compatible with Azure VPN gateway.
- A corresponding tunnel for the traffic may not be connected: ensure the connections are shown in Connected state. If the connections are not connected, try to troubleshoot the connections from Azure portal.
(10.0.x.x is my P2S and 192.68.x.x is the VPN connection (P2P).)
**
And yes, I don’t have any Firewall or NSG enabled at the moment.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Ganesh Patapati 3,135 Reputation points Microsoft Vendor2025-01-21T21:53:08.3466667+00:00 Greetings!
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
It appears that you are encountering problems with your Point-to-Site (P2S) VPN connection to an external network, specifically with packet drops and connectivity issues.
- Can I get Network Diagram to understand what kind of connection you are trying here.
Meantime,
- If the on-premises device is rejecting Quick Mode, please review the IPsec configuration on the device. Confirm that it supports multiple Quick Modes if multiple tunnels are in use.
- Please verify that the local and remote subnets are accurately matched and aligned.
- Use tracert to trace the path packets take to their destination. This can assist in pinpointing where packet loss is occurring.
- Verify that the IPsec/IKE settings on your on-premises device match those required by Azure. Mismatched settings can lead to packet drops and connectivity issues.
- kindly share me the screenshot of the Ping test.
Hope this helps.
Please let us know if we can be of any further assistance here.
Thanks,
Ganesh
-
Ganesh Patapati 3,135 Reputation points Microsoft Vendor
2025-01-22T21:49:34.8033333+00:00 Hello Thomas Finbom
Good day!
Could you please review the last comment and provide the necessary information to continue the discussion?
If you need any further assistance, please feel free to reach out. We are happy to help.
Regards,
Ganesh
-
Thomas Finbom 0 Reputation points
2025-01-23T09:14:04.33+00:00 Hello, thank you for your response!
As I mentioned, I am fairly new to Azure, and I can't seem to find a Network Diagram. The only thing I can find is under Virtual Network -> Diagram, but it only shows my subnets. Could you help clarify?
- As the external network is managed by another company, I have contacted their network administrator and asked them to confirm whether their VPN gateway supports multiple Quick Modes.
(EDIT): Got this answer: "The firewall ASA is supporting multiple s2s tunnels". - On the Azure side, I have correctly configured the local network gateway with the relevant address space for the external network. The subnets on my side do not overlap with the external network, and I have ensured that routing is correctly set up.
- Traceroute gives nothing (when i am connected with p2s):
traceroute to 192.68.x.x (192.68.x.x), 64 hops max, 40 byte packets 1 * * * - I have verified that the IPsec/IKE settings on our on-premises device match those required by Azure. The configurations are aligned. Additionally, I have confirmed that the same settings are applied to our P2S connection as well.
- Ping gives nothing (when i am connected with p2s):
PING 192.68.x.x (192.68.x.x): 56 data bytes Request timeout for icmp_seq 0 Request timeout for icmp_seq 1 Request timeout for icmp_seq 2 ^C --- 192.68.x.x ping statistics --- 4 packets transmitted, 0 packets received, 100.0% packet loss - As the external network is managed by another company, I have contacted their network administrator and asked them to confirm whether their VPN gateway supports multiple Quick Modes.
-
Ganesh Patapati 3,135 Reputation points Microsoft Vendor
2025-01-23T18:45:21.08+00:00 Hello Thomas Finbom
We appreciate your patience!
I need bit more information
- Is the on-premises firewall policy-based or route-based?
- Are you using any specific policies or traffic selectors?
- In the Azure local network gateway, is the [use policy-based traffic selectors] option enabled?
- If you are using a policy-based VPN, please ensure that the traffic selectors are set for both P2P and P2S ranges in both Azure and the on-premises firewall.
- When pinging the P2P machine from a P2S machine, please monitor the traffic in the intermediate hops.
Regards,
Ganesh
-
Thomas Finbom 0 Reputation points
2025-01-23T20:10:45.6933333+00:00 Thanks again
- On-premises is policy-based.
- Yes, I use traffic selectors to be able to connect with Vpn Connection P2P.
- [use policy-based traffic selectors] is enabled, yes.
- The on-premises firewall is currently only allowing traffic from my NAT VM’s IP.
- This goes in a loop in my P2S when I ping the P2P:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on utun4, link-type NULL (BSD loopback), snapshot length 524288 bytes 21:07:02.493630 IP 10.0.x.x > evry-owned-address-192_68_x_x.hidden-host.evry.com: ICMP echo request, id 62286, seq 0, length 64 21:07:03.498834 IP 10.0.x.x > evry-owned-address-192_68_x_x.hidden-host.evry.com: ICMP echo request, id 62286, seq 1, length 64
Sign in to comment
Sign in to answer