Greetings!
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Routing issues on the on-prem or Azure side:
- Check if the on-premises routes are properly set to send traffic to Azure via the VPN tunnel.
- In Azure, ensure User-Defined Routes (UDR) are not forcing traffic elsewhere (e.g., sending 10.2.0.0/16 traffic to another appliance).
- If you're testing with an Azure VM, ensure IP forwarding is enabled on the NIC if the VM is acting as a router.
Azure NSG or on-prem firewall blocking specific traffic:
- Use a diagnostic flow tool in Azure Network Watcher to check where packets are getting dropped.
Status "Connected" - traffic not flowing:
- Check for and remove the user-defined routes (UDRs) and network security groups (NSGs) on the gateway subnet, then test the result. If the problem is resolved, validate the settings that the UDR or NSG applied. A user-defined route on the gateway subnet may be restricting some traffic while allowing other traffic. This makes it appear that the VPN connection is unreliable for some traffic and fine for others.
- Check the on-premises VPN device external interface address.
- If the internet-facing IP address of the VPN device is included in the Local network definition in Azure Stack Hub, you might experience sporadic disconnections.
- The device's external interface must be directly on the internet. There should be no network address translation or firewall between the internet and the device.
- To configure firewall clustering to have a virtual IP, you must break the cluster and expose the VPN appliance directly to a public interface with which the gateway can interface.
- Verify that the subnets match exactly.
- Verify that the virtual network address space(s) match exactly between the Azure Stack Hub virtual network and on-premises definitions.
- Verify that the subnets match exactly between the Local Network Gateway and on-premises definitions for the on-premises network.
Refer: https://stackoverflow.com/questions/40134015/azure-site-to-site-vpn-does-not-let-traffic-through
If everything appears correct, restart the VPN connection on both ends.
If issues persist, please share the details below:
- Run a trace route from an Azure VM to an on-prem VM and vice versa to identify where packets drop.
- Check Azure VPN Gateway diagnostic logs for dropped traffic reasons.
- Capture packets on both ends to see if traffic is reaching Azure and whether replies are sent but lost.
I hope this has been helpful!
If the above is unclear or you are unsure about something, add a comment below.
Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
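Two of the checks in the answer above (a UDR on the VM's subnet hijacking on-prem-bound traffic, and Local Network Gateway prefixes that do not cover the on-prem subnets) can be scripted against exported configuration. The code below is an added example, not part of the answer or any Microsoft tool; the route dictionaries use the field names of `az network route-table route list` output, all prefixes are assumed to be IPv4, and the sample data is constructed.

```python
import ipaddress

# Constructed sample data: what you would pull from the VM subnet's route table,
# the Local Network Gateway, and the on-prem network team.
ONPREM_SUBNETS = ["10.2.0.0/16", "10.3.0.0/24"]      # real on-prem address space
LNG_PREFIXES = ["10.2.0.0/16"]                       # what the LNG in Azure declares
SAMPLE_ROUTES = [  # shape of `az network route-table route list -o json`
    {"name": "default-via-nva", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    {"name": "dmz-via-nva", "addressPrefix": "10.2.50.0/24",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    {"name": "onprem-via-gw", "addressPrefix": "10.2.0.0/16",
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": None},
    {"name": "drop-branch", "addressPrefix": "192.168.0.0/16",
     "nextHopType": "None", "nextHopIpAddress": None},
]


def hijacking_udrs(routes, onprem_prefixes):
    """Return names of UDRs that steal on-prem-bound traffic from the VPN gateway.

    Azure picks the longest matching prefix first, and only for equal prefixes
    does a UDR beat the gateway's system route. So a UDR is a problem only when
    its prefix is equal to or more specific than an on-prem prefix and its next
    hop is not the gateway. A broad 0.0.0.0/0 to an appliance is not flagged."""
    onprem = [ipaddress.ip_network(p) for p in onprem_prefixes]
    flagged = []
    for route in routes:
        if route["nextHopType"] == "VirtualNetworkGateway":
            continue
        net = ipaddress.ip_network(route["addressPrefix"])
        if any(net.version == o.version and net.subnet_of(o) for o in onprem):
            flagged.append(route["name"])
    return flagged


def uncovered_onprem(lng_prefixes, onprem_prefixes):
    """Return on-prem subnets no Local Network Gateway prefix covers.

    Traffic to these never enters the tunnel, which looks like a 'Connected'
    VPN that silently drops some destinations."""
    lng = [ipaddress.ip_network(p) for p in lng_prefixes]
    return [p for p in onprem_prefixes
            if not any(ipaddress.ip_network(p).subnet_of(l) for l in lng)]


if __name__ == "__main__":
    print("UDRs hijacking on-prem traffic:", hijacking_udrs(SAMPLE_ROUTES, ONPREM_SUBNETS))
    print("On-prem subnets missing from LNG:", uncovered_onprem(LNG_PREFIXES, ONPREM_SUBNETS))
```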