public ip PII not reachable using GSA but is reachable using MSFT-AzVPN-Manual

Jim Zelenka 20 Reputation points Microsoft Employee
2026-01-09T21:26:54.6333333+00:00

nb: the tags selected for this are bogus; I couldn't find a good match

My team has several Azure VMs in the CORP tenant that we use for various internal loads.

These are Linux VMs accessed via ssh.

To make them reachable, we've assigned them public IPs.

This works fine when connected to VPN MSFT-AzVPN-Manual, but some of the VMs are not reachable when using only GSA (Global Secure Access).

Example public address of a VM that works with both: PII

Example public address of a VM that is not reachable by GSA but is reachable with MSFT-AzVPN-Manual: PII

I filed for both addresses to be reachable via GSA, and that's when both became reachable using MSFT-AzVPN-Manual.

At least one other user has confirmed this behavior, so it seems unlikely to be a client-side problem.

I originally filed this issue with helpdesk as PII.

They informed me that they do not support this and that I must open a ticket with Azure Support.

I collected GSA logs per instructions, but the file is too large for the support tool.

I filled out the support request form three times, but that was rejected and I was redirected here.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Answer accepted by question author
  1. Praveen Bandaru 10,095 Reputation points Microsoft External Staff Moderator
    2026-01-23T10:51:13.18+00:00

    Hello Jim Zelenka

    I have checked all your VM configurations, and everything is set up correctly. The Subnet and NIC level NSGs are also properly configured, and all VPN gateway routes are pointing to the internet, so everything appears fine on the Azure Networking side.

    When you connect using the MSFT VPN, you can communicate with both VMs. However, when using the GSA VPN, you can only connect to one VM. Based on my analysis, the issue is not with Azure Networking but seems to be related to the GSA VPN. Please reach out to the GSA team for further assistance.

    I have also found information on how to contact the GSA support team. Please use the link below to access tech support and submit your concern.

    Below is the link:

    Global Secure Access

    https://engage.cloud.microsoft/main/org/microsoft.com/groups/eyJfdHlwZSI6Ikdyb3VwIiwiaWQiOiI4OTQ3MTEifQ/all

    Please refer to the screenshot below for instructions on how to contact the GSA team:
    User's image


1 additional answer

  1. Venkatesan S 3,645 Reputation points Microsoft External Staff Moderator
    2026-01-09T23:29:03.8433333+00:00

    Hi Jim Zelenka,

    Thank you for contacting the Microsoft Q&A portal.

    Test these on 128.xx.xxx.xxx (failing IP):

    Azure portal: IP flow verify > Source: your GSA public IP (check via whatismyip), Dest: 128.xx.xxx.xx, Protocol TCP port 22. Screenshot the drop reason.

    CLI: az network nic list-effective-nsg --resource-group <rg> --name <nic-name> --output table, then ensure inbound SSH allows from "Any" or Internet.

    VM shell: sudo ss -tuln | grep 22, sudo iptables -L -n -v, and sudo ufw status verbose (if UFW active).

    Could you let me know who handles the GSA setup in your environment? If you're not sure, no worries, perhaps reach out to your internal team who deployed the GSA client?

    Kindly let us know if the above helps or you need further assistance on this issue.

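An offline version of the NSG check suggested in the answer above, added here as an example and not part of either answer: given a NIC's inbound rules, it reports which rule decides TCP 22 for a particular source address, so the same rule set can be evaluated once for each client egress IP. The rule dictionaries are constructed sample data, and their field names are assumptions modelled on Azure's effective security rules output, not values from this thread.

```python
import ipaddress

# Constructed sample rules; field names are assumed, modelled on the
# effective security rules JSON that Azure reports for a NIC.
SAMPLE_RULES = [
    {"name": "AllowCorpSSH", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "destinationPortRange": "22-22",
     "sourceAddressPrefixes": ["198.51.100.0/24"]},
    {"name": "DenyAllInbound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "All", "destinationPortRange": "0-65535",
     "sourceAddressPrefixes": ["0.0.0.0/0"]},
]
ANY = {"*", "Any", "0.0.0.0/0"}

def _source_matches(prefixes, src_ip):
    """True/False for CIDR or wildcard prefixes; None if only a service tag could match."""
    addr = ipaddress.ip_address(src_ip)
    unresolved = False
    for p in prefixes:
        if p in ANY:
            return True
        try:
            if addr in ipaddress.ip_network(p, strict=False):
                return True
        except ValueError:
            unresolved = True  # service tag such as "Internet": needs published ranges
    return None if unresolved else False

def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def ssh_verdict(rules, src_ip, port=22):
    """Return (access, rule_name) for the first inbound rule, by priority, that matches."""
    inbound = [r for r in rules if r["direction"] == "Inbound"]
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if r["protocol"] not in ("Tcp", "All", "*") or not _port_matches(r["destinationPortRange"], port):
            continue
        hit = _source_matches(r["sourceAddressPrefixes"], src_ip)
        if hit is None:
            return "Unknown", r["name"]  # a service tag decides; cannot resolve offline
        if hit:
            return r["access"], r["name"]
    return "Deny", None  # no rule matched at all
```

A result of "Unknown" means a rule scoped to a service tag would decide the flow, so the portal's IP flow verify is the authoritative check for that source address.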
