SSH to Azure VM suddenly stopped working, VM is healthy and NSGs allow traffic

Question

I’m running into a frustrating issue with an Azure Linux VM:

VM was working fine via SSH a couple of days ago.

• Now, SSH from the public fails: TCP connect failed.
• NIC NSG is set to Allow Any → Any.

Subnet NSG: none attached.

Public IP is correctly associated with the NIC.

• VM shows SSH daemon (sshd) is listening on port 22 internally
  No route table or firewall appears to block traffic.
• VM restart has been attempted, but SSH still fails externally.

Has anyone seen this happen where SSH stops working despite all NSGs, subnet, and VM settings being correct? What are the next steps to diagnose why the packets aren’t reaching the VM from the public internet?

Answer 1

Hello @TedNjiru

I completely understand how frustrating it can be when working VM breaks in between and troubleshooting also doesn't help to fix the issue, from the overview it seems like you have already tried the basic SSH troubleshooting guide: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/troubleshoot-ssh-connection#quick-troubleshooting-steps (this includes resetting SSHD, reset credentials for ssh user, rebooting, redeploying, stop+start for the VM)

I'm listing out few more troubleshooting steps, kind review them in case not reviewed already:

1. Verify if the Agent is in Ready state (Goto Azure Portal -> Virtual Machines -> Impacted VM -> Settings -> Properties -> Look for Agent Status (it should show status as "Ready").
2. Since you already have reviewed Networking options and didn't find any issue.
   It'll be helpful if you could try "IP flow verify" in the Network Watcher.
   This will help to find out if a packet is allowed or denied to or from an Azure virtual machine based on the configured security and admin rules.
   Refer here for more info ->https://learn.microsoft.com/en-us/azure/network-watcher/ip-flow-verify-overview
3. Check Boot Diagnostics: Check Screenshot of the VM, this will help to know if OS is booting up in the VM or if it's throwing any error.
   How to check it : Goto Azure Portal-> Virtual Machines -> Impacted VM -> Under Help -> Boot Diagnostics -> Screenshot

For my working VM, it shows something like below:

1. If OS is not booting you can check Serial log to see what error messages show up when the OS is not booting. (Option right of Screenshot)
2. If OS is booting then you can try to connect to the VM using Serial Console.
   Where to find:- Goto Azure Portal -> Virtual Machines -> Impacted VM -> Help -> Serial Console.
3. After logging into the Serial Console, you can look for Guest OS firewall rules (for example if you are using Ubuntu, you can look for ufw firewall rules.
   See here: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/ubuntu-ufw-guide?tabs=netstat#how-to-check-whether-a-port-is-closed-in-the-ubuntu-vm-with-ufw)

If none of the above steps help, please share results of all these steps, it'll help us to understand where SSH failing for you, and we can assist you further to fix the issue.

Additionally, could you please answer below queries to understand your setup for SSH:

1. Are you trying to login using local admin user with password configured for the VM or are you using Entra users to ssh to the VM?
2. Are you using some tool like Putty to SSH?
3. Are you trying to SSH from a local machine (if yes, try SSH from Azure Console or to connect VM using Bastion as well and see if it works), using command : ssh username@publicIP ?
4. Is your network part of some office network (this might have firewalls or routing rules defined or restrictions placed over the network, if yes try changing the network for your source machine as well)

Answer 2

It sounds like you've done a thorough job troubleshooting the SSH connection issue with your Azure Linux VM. Since the VM is healthy and the NSGs allow traffic, here are some additional steps you can take to diagnose the problem:

1. Reset the SSH Configuration: You can reset the SSH configuration to default values using the Azure portal or Azure CLI. This can help if there are any misconfigurations in the SSH settings.
   • In the Azure portal, select your VM, go to the Help section, and choose Reset password. Then select Reset configuration only.
   • Alternatively, you can use the Azure CLI command:

          az vm user reset-ssh --resource-group myResourceGroup --name myVM
     

2. Check Network Security Group (NSG) Rules: Even though you mentioned that the NSG allows traffic, double-check that there are specific inbound rules allowing SSH (TCP port 22) traffic. Ensure that there are no conflicting rules that might be blocking traffic.
3. Use IP Flow Verify: Utilize the IP flow verify feature in Azure to confirm if any NSG rules are blocking traffic to or from your VM. This can help identify if the packets are being dropped at the NSG level.
4. Check Routing: Use Network Watcher's Next hop capability to ensure that there are no routing issues preventing traffic from reaching your VM. This can help confirm that the traffic is being routed correctly.
5. Use the Azure VM Serial Console: If you have access to the Azure VM Serial Console, you can check the SSH daemon's configuration directly by running commands like:

      grep -i port /etc/ssh/sshd_config
   

   This will confirm that the SSH daemon is set to listen on the correct port.
6. Review VM Resource Health: Ensure that the VM reports as being healthy and that there are no underlying issues affecting its performance.
7. Redeploy the VM: If all else fails, you can consider redeploying the VM to a new Azure node, which may resolve any underlying networking issues. Note that this will reset the VM's ephemeral disk data and dynamic IP addresses.

By following these steps, you should be able to identify the cause of the SSH connectivity issue and take appropriate action to resolve it.