Azure <-> AWS VPN Tunnel - Packets Dropped due to Traffic Selector Mismatch

Andrew Bates 45 Reputation points
2026-02-23T14:53:02.0466667+00:00

I'm getting "Packets Dropped due to Traffic Selector Mismatch" on a VPN tunnel between Azure and AWS. We've spent hours comparing the configurations on each side but continue to get the error. We could really use some assistance in getting to the bottom of it.

The tunnel is up, and I can see traffic getting to my server. I get a "SYN_RECEIVED" when I run netstat, and it looks like the traffic is leaving my VM, but not getting out of the VPN gateway to the other side of the tunnel.

I have run the VPN troubleshooter but the only error messages I see are below:
Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets

Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 620 Packets

We have other tunnels that are working fine.

Here is an overview of our configuration:

Azure side:

  • Gateway: VpnGw1, Route-based
  • Gateway public IP: 40.####
  • Local network gateway pointing at AWS: 52.####, address space PII
  • Azure VNet subnet: PII
  • IPsec policy: AES256/SHA256, DHGroup2, PFS2, phase 2 lifetime 1440 seconds

AWS side:

  • Customer Gateway IP: PII (our Azure gateway)
  • Remote network: PII
  • Local network: PII
  • Two tunnel endpoints, we are using 52.#### (same IP as above)
  • Phase 1 lifetime: 28800, phase 2 lifetime: 1440

I'm really stuck here and could use any type of help I can get. I am very confident that our configurations match. I'm curious if there are other logs in Azure that could help us figure out why the traffic isn't leaving our gateway.

Thanks,

Andrew Bates

Azure VPN Gateway

An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.


Answer accepted by question author

Vallepu Venkateswarlu 9,335 Reputation points Microsoft External Staff Moderator
2026-02-23T16:08:24.66+00:00

Hi @Andrew Bates,

Welcome to Microsoft Q&A Platform.

As discussed, after reviewing the logs you shared, the issue is on the AWS side and not within Azure.

Azure VPN Gateway is behaving as expected. The configuration initially proposed from the Azure side included wildcard traffic selector pairs (TSI), which is supported and valid behavior for Azure VPN Gateway.

However, on the AWS side, the configuration is advertising 10.xxx.0.0/16, whereas the expected prefix is 10.xx.0.0/24.

This prefix mismatch is causing the traffic selector negotiation issue.

To resolve this, please update the AWS configuration to either:

  • Use the specific subnet 10.x.1.0/24, or
  • Configure wildcard traffic selector pairs to align with Azure’s proposal.

Once the traffic selectors match on both sides, the tunnel should establish correctly.

If you are still facing an error, you can also try resetting the VPN gateway by following: https://learn.microsoft.com/en-us/azure/vpn-gateway/reset-gateway

Refer to this link for the same kind of issue: https://learn.microsoft.com/en-us/answers/questions/5781274/site-to-site-vpn-connectivity-issue

Please “up-vote” wherever the information provided helps you, as this can be beneficial to other community members.

1 person found this answer helpful.
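The accepted answer turns on a general IKEv2 rule: the initiator proposes traffic selector pairs (TSi/TSr), the responder may only narrow them to a subset (RFC 7296, section 2.9), and any packet whose source/destination falls outside the selectors that were actually agreed is dropped as a traffic selector mismatch before it ever enters the tunnel. The script below is an added example, not code from the thread, Azure or AWS. It models that narrowing for two configured sides and classifies candidate flows, so you can predict "Egress Packets Dropped" from configuration alone before opening a support case. All prefixes (10.20.x.x for the Azure VNet, 172.31.0.0/16 for the AWS VPC) and the flows are constructed; they do not reproduce the poster's masked addresses.

```python
"""Predict IKEv2 traffic-selector mismatch drops from two peers' configured prefixes.

Example code added for illustration; not from the original Q&A thread, Azure or AWS.
All prefixes and flows below are constructed sample data.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# A selector pair as seen from one peer: (local prefix, remote prefix).
Selector = Tuple[IPv4Network, IPv4Network]


def intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Return the overlap of two prefixes (the more specific one when they nest), else None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate(initiator: Iterable[Selector], responder: Iterable[Selector]) -> List[Selector]:
    """Compute the selector pairs both peers can agree on.

    `initiator` pairs are (TSi, TSr) in the initiator's orientation; `responder`
    pairs are in the responder's own (local, remote) view, so they are flipped
    before intersecting. This models RFC 7296 §2.9: the responder can narrow the
    proposal to a subset but never widen it. An empty result means no CHILD_SA
    can cover that traffic at all; a non-empty but narrow result means packets
    outside it are dropped as 'Traffic Selector Mismatch'.
    """
    agreed: List[Selector] = []
    for tsi, tsr in initiator:
        for r_local, r_remote in responder:
            i_side = intersect(tsi, r_remote)   # initiator's local vs responder's remote
            r_side = intersect(tsr, r_local)    # initiator's remote vs responder's local
            if i_side is not None and r_side is not None:
                agreed.append((i_side, r_side))
    return agreed


def classify_flow(src: str, dst: str, agreed: List[Selector]) -> str:
    """'forward' if some agreed pair covers src->dst (initiator's view), else 'drop'."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in agreed:
        if s in local and d in remote:
            return "forward"
    return "drop"


def demo() -> Dict[str, object]:
    """Constructed scenarios mirroring the thread: nested prefixes, a wildcard proposal, disjoint prefixes."""
    n = ip_network
    vnet_24 = n("10.20.1.0/24")      # constructed: the Azure VNet subnet
    vnet_16 = n("10.20.0.0/16")      # constructed: the wider prefix the far side configured
    vpc = n("172.31.0.0/16")         # constructed: the AWS VPC CIDR

    # Azure with policy-based selectors (/24) versus AWS configured with the /16:
    # the agreed pair is the /24, so hosts elsewhere in the /16 are dropped on egress.
    nested = negotiate([(vnet_24, vpc)], [(vpc, vnet_16)])

    # Azure proposing wildcard selectors: AWS narrows them to its configured prefixes.
    wildcard = negotiate([(n("0.0.0.0/0"), n("0.0.0.0/0"))], [(vpc, vnet_16)])

    # Prefixes that do not nest at all: nothing can be agreed for that traffic.
    disjoint = negotiate([(vnet_24, vpc)], [(vpc, n("10.20.0.0/24"))])

    return {
        "nested_agreed": nested,
        "nested_in_range": classify_flow("10.20.1.5", "172.31.4.10", nested),
        "nested_out_of_range": classify_flow("10.20.2.5", "172.31.4.10", nested),
        "wildcard_agreed": wildcard,
        "disjoint_agreed": disjoint,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Feed it each side's configured local/remote address spaces (Azure VNet address space and local network gateway prefixes; the AWS customer gateway and VPC routes) and the source/destination of the flow that shows `SYN_RECEIVED`; a `drop` for a flow that should be allowed points at whichever side's prefix did not survive the intersection, which is the comparison the accepted answer made by hand.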