Site-to-Site VPN Connection Status Changes to Unknown

Hidaya El Habti 20 Reputation points
2024-11-20T18:58:07.02+00:00

Hello,

I set up a Site-to-Site VPN connection from an Azure VNET to an on-premises network to access a private SMS gateway, following this tutorial: Site-to-Site VPN Gateway Setup.

Here’s the setup:

  • The on-premises VPN device is supported.
  • The local network gateway is configured with the VPN device's public IP and two address ranges: sms-gateway-private-ip-1/32 and sms-gateway-private-ip-2/32.

The connection was working fine with a status of Connected. However, it suddenly changed to Unknown.

Troubleshooting details:

  1. Connection stats show:
    • Ingress Packets Dropped due to Traffic Selector Mismatch: 0 Packets
    • Egress Packets Dropped due to Traffic Selector Mismatch: 0 Packets
  2. VPN Gateway Resource Health reports:

    At 05:40 PM, Wednesday, 20 November 2024 UTC, the Azure monitoring system received the following information regarding your VPN connection: The connection cannot be established because the other VPN device is unreachable. If the on-premises VPN device is unreachable or not responding to the Azure VPN gateway IKE handshake, the VPN connection cannot establish.

When we restarted the IPsec tunnel on the on-premises VPN device, the connection briefly showed Connected but reverted to Unknown shortly afterward.

Question:

  • What could be causing this issue, and how can I resolve it?
  • Are there additional diagnostics or configurations I should check on either the Azure side or the on-premise VPN device?

Any guidance would be greatly appreciated!

Azure VPN Gateway

Accepted answer
    Sai Prasanna Sinde 1,890 Reputation points Microsoft Vendor
    2024-11-29T15:19:43.6133333+00:00

    Hi @Hidaya El Habti,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Site-to-Site VPN Connection Status Changes to Unknown

    Solution:

    OP has raised a Microsoft support ticket to resolve the issue.

    Summary:

    From the Azure side, all the configuration seems fine and doesn't have any issues.

    IKE logs error message: (Error)[Remote] 151.253.176.240:500 [Local] 20.174.67.224:500 [SESSION_ID] {9c7e2af6-8aa6-4b27-b127-3c3dc966bb82} [ConnType] IKEv2-S2S [ICookie] 0x422029F0DFF1D75D [RCookie] 0x0 [TunnelId] 0x1 [IkeEvent] SA_NEGOTIATION_FAILED For [SA_type] MM_SA [SAEstablished] false [SA_CREATION_DIRECTION] Outbound [FailureDirection] Outbound [ErrorCode] 0x35ED [ErrorMessage] Negotiation timed out

    The above logs shared by you suggest a negotiation timeout, indicating that the opposing device has not responded, leading to a timeout on Azure's side.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-site-to-site-error-codes#negotiation-timed-out-error-code-13805-hex-0x35ed

    This issue is related to on-premises services, and we handle only Azure-related issues. Kindly reach out to your on-premises device vendor for further assistance if required.

    Please don't forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    Thanks,

    Sai.


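The IKE log line quoted in the accepted answer is in a bracketed `[Field] value` format that is easy to parse, and two of its fields (`RCookie 0x0` and `ErrorCode 0x35ED`) already tell you which side stopped talking. The following is an added example, not code from the original post or from Microsoft: it parses such lines, decodes the error code (only 0x35ED / 13805 "Negotiation timed out" is mapped, because that is the one the thread and its linked doc confirm) and prints the triage a practitioner would do before opening a ticket. The second sample line, with an `SA_ESTABLISHED` event name, is constructed for contrast and is an assumption about the format, not a real Azure log entry.

```python
"""Parse Azure VPN Gateway IKE diagnostic lines and triage negotiation failures.

Added example; it is not code from the original Q&A post or from Microsoft.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input. Line 1 is the IKE log line quoted in the accepted
# answer. Line 2 is a hypothetical success line in the same bracketed format
# (the event name SA_ESTABLISHED is assumed, not taken from Azure docs).
SAMPLE_LOG = """\
(Error)[Remote] 151.253.176.240:500 [Local] 20.174.67.224:500 [SESSION_ID] {9c7e2af6-8aa6-4b27-b127-3c3dc966bb82} [ConnType] IKEv2-S2S [ICookie] 0x422029F0DFF1D75D [RCookie] 0x0 [TunnelId] 0x1 [IkeEvent] SA_NEGOTIATION_FAILED For [SA_type] MM_SA [SAEstablished] false [SA_CREATION_DIRECTION] Outbound [FailureDirection] Outbound [ErrorCode] 0x35ED [ErrorMessage] Negotiation timed out
(Info)[Remote] 151.253.176.240:500 [Local] 20.174.67.224:500 [SESSION_ID] {9c7e2af6-8aa6-4b27-b127-3c3dc966bb82} [ConnType] IKEv2-S2S [ICookie] 0x422029F0DFF1D75D [RCookie] 0x1A2B3C4D5E6F7788 [TunnelId] 0x1 [IkeEvent] SA_ESTABLISHED [SA_type] MM_SA [SAEstablished] true
"""

# Only the code confirmed by this thread and the linked error-code doc
# (error 13805, hex 0x35ED). Anything else is reported as unmapped rather
# than guessed.
KNOWN_ERROR_CODES = {
    0x35ED: "Negotiation timed out",
}

# Each field is introduced by a bracketed name: "[Remote] 1.2.3.4:500 [Local] ..."
FIELD_RE = re.compile(r"\[(\w+)\]")


def parse_ike_line(line: str) -> Dict[str, str]:
    """Split one IKE log line into a dict of field name -> value.

    The leading "(Error)"/"(Info)" token becomes the "Level" key.
    """
    parts = FIELD_RE.split(line.strip())
    record = {"Level": parts[0].strip().strip("()")}
    for key, value in zip(parts[1::2], parts[2::2]):
        value = value.strip()
        # Azure writes "SA_NEGOTIATION_FAILED For [SA_type] ...": the trailing
        # "For" is connective text, not part of the event name.
        if key == "IkeEvent" and value.endswith(" For"):
            value = value[: -len(" For")]
        record[key] = value
    return record


def triage(record: Dict[str, str]) -> List[str]:
    """Return findings for one parsed record; empty list if nothing failed."""
    findings: List[str] = []
    if record.get("IkeEvent") != "SA_NEGOTIATION_FAILED":
        return findings

    code = int(record.get("ErrorCode", "0x0"), 16)
    name = KNOWN_ERROR_CODES.get(code, "unmapped; look it up in the S2S error-code doc")
    findings.append(f"error {code} (0x{code:04X}): {name}")

    # In IKEv2 the initiator sends IKE_SA_INIT with the responder SPI set to
    # zero; it stays zero only if the peer never replies at all.
    if record.get("RCookie") == "0x0":
        findings.append("RCookie is 0x0: the peer never answered IKE_SA_INIT, so Azure timed out waiting")

    if code == 0x35ED and record.get("FailureDirection") == "Outbound":
        findings.append(
            f"peer {record.get('Remote')} did not respond to outbound IKE from {record.get('Local')}: "
            "check that the on-prem device is up, that UDP/500 and UDP/4500 from the Azure "
            "gateway public IP reach it, and that its configured IKE peer is that Azure IP"
        )
    return findings


def analyse(log_text: str) -> List[Tuple[Dict[str, str], List[str]]]:
    """Parse every non-blank line and pair it with its triage findings."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_ike_line(line)
        results.append((record, triage(record)))
    return results


if __name__ == "__main__":
    for record, findings in analyse(SAMPLE_LOG):
        print(f"{record['Level']:5} tunnel {record.get('TunnelId')} event {record.get('IkeEvent')}")
        for finding in findings:
            print("  -", finding)
```

Run against the two sample lines it reports the failed line as 13805 with the zero responder cookie and the outbound-timeout checklist, and stays silent on the success line. The same parser can be pointed at a full IKE diagnostic log export; the point of the `RCookie` check is that it distinguishes "peer never replied" (this thread) from "peer replied but rejected the proposal", which would show a non-zero responder cookie and a different error code.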
0 additional answers