An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
ipsec tunnel configuration active-active
I have an IPsec tunnel configured from Azure to on-prem. How do I enable the second tunnel with the second IP address?
Christian
Azure VPN Gateway
-
Vallepu Venkateswarlu • 7,625 Reputation points • Microsoft External Staff • Moderator
2026-03-23T14:55:20.3866667+00:00 Hi @Christian,
Welcome to Microsoft Q&A Platform.
It appears that your Azure VPN Gateway is configured in active-active mode (with two public IPs), but only one tunnel is showing as connected.
In active-active mode, Azure automatically establishes two IPsec/IKE tunnels (one from each gateway instance). However, your on-premises VPN device must also be configured to initiate or accept both tunnels.
Verify VPN Gateway Configuration: In the Azure portal, navigate to VPN Gateway → IP Configurations and confirm that you see two Standard SKU static public IP addresses.
Check Connection Type:
- Ensure the VPN is route-based
- Active-active mode is **not supported** for policy-based VPNs
Configure On-Premises Device for Second Tunnel:
On your on-prem VPN appliance:
- Create a second IKE/IPsec tunnel pointing to the second Azure public IP
- Use the same:
  - Pre-shared key (PSK)
  - Phase 1 / Phase 2 settings
If Using BGP:
- Configure two BGP peerings
  - One for each Azure gateway instance
  - Use the respective BGP peer IPs
Please "upvote" if the information helped you. This will help us and others in the community as well.
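The on-premises checklist from the answer above (one tunnel per Azure public IP, same PSK and Phase 1 / Phase 2 settings, one BGP peering per gateway instance), written as a check over a device's tunnel definitions. This is an added example, not part of the original answer or any Microsoft tooling; the function name, the tunnel dictionary schema and all sample values are assumptions made for illustration.

```python
import hmac
from ipaddress import ip_address

def check_active_active(azure_ips, tunnels, bgp_peers=None, azure_bgp_ips=None):
    """Return findings; an empty list means the checklist passes.
    tunnels: dicts with keys peer, psk, phase1, phase2 (hypothetical schema)."""
    findings = []
    expected = {ip_address(ip) for ip in azure_ips}
    if len(expected) != 2:
        findings.append("active-active needs two distinct Azure public IPs")
    peers = [ip_address(t["peer"]) for t in tunnels]
    for ip in sorted(expected - set(peers)):
        findings.append(f"no tunnel points at Azure public IP {ip}")
    for ip in sorted(set(peers) - expected):
        findings.append(f"tunnel peer {ip} is not an Azure gateway IP")
    if len(peers) != len(set(peers)):
        findings.append("two tunnels share the same peer IP")
    ref = tunnels[0] if tunnels else None
    for t in tunnels[1:]:
        # Constant-time compare; the PSK value never appears in a finding.
        if not hmac.compare_digest(t["psk"].encode(), ref["psk"].encode()):
            findings.append(f"PSK for {t['peer']} differs from {ref['peer']}")
        for phase in ("phase1", "phase2"):
            if t[phase] != ref[phase]:
                findings.append(f"{phase} settings for {t['peer']} differ from {ref['peer']}")
    if azure_bgp_ips is not None:  # BGP in use: one peering per gateway instance
        for ip in sorted(set(azure_bgp_ips) - set(bgp_peers or [])):
            findings.append(f"no BGP peering to Azure instance {ip}")
    return findings

# Constructed sample data (documentation address ranges, made-up PSK).
AZURE_IPS = ["203.0.113.10", "203.0.113.11"]
AZURE_BGP_IPS = ["10.0.0.4", "10.0.0.5"]
P1 = {"ike": "ikev2", "enc": "aes256", "integrity": "sha256", "dh": 14}
P2 = {"enc": "aes256", "integrity": "sha256", "pfs": 14}
GOOD = [{"peer": ip, "psk": "constructed-psk", "phase1": P1, "phase2": P2}
        for ip in AZURE_IPS]
# Second tunnel defined, but with a trailing space in the PSK and a different PFS group.
BAD = [GOOD[0], {**GOOD[1], "psk": "constructed-psk ", "phase2": {**P2, "pfs": 2}}]

if __name__ == "__main__":
    for finding in check_active_active(AZURE_IPS, BAD, ["10.0.0.4"], AZURE_BGP_IPS):
        print("FINDING:", finding)
```

A second tunnel that is defined but never comes up is often one of these mismatches, so comparing the two definitions field by field is a quick first check before looking at IKE logs on the device.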
-
Christian • 0 Reputation points
2026-03-23T15:11:35.5866667+00:00 How do I test that both tunnels are established? Where can I disable one of the tunnels in Azure to see if HA is working?
-
Christian • 0 Reputation points
2026-03-23T15:21:17.8266667+00:00 See image. On the Azure side, would I see both connections to on-prem here? I already configured the second tunnel on-prem but the connection is not coming up.
-
Vallepu Venkateswarlu • 7,625 Reputation points • Microsoft External Staff • Moderator
2026-03-23T15:44:23.07+00:00 How do I test that both tunnels are established?
As stated in Verify a connection for VPN Gateway:
- In the Azure portal, go to your virtual network gateway.
- On the page for your virtual network gateway, click Connections. You can see the status of each connection.
- Click the name of the connection that you want to verify. In Essentials, you can view more information about your connection.
- The Status values are 'Succeeded' and 'Connected' when you have made a successful connection.
Please "upvote" if the information helped you. This will help us and others in the community as well.
-
Christian • 0 Reputation points
2026-03-23T16:09:48.5366667+00:00 When I try to update the PSK key I get the error on the top right.
-
Christian • 0 Reputation points
2026-03-23T23:32:17.59+00:00 I understand that when using active-active, Azure creates a single tunnel with both gateways, based on this article. Under connections, I only see one though. Is it possible to see a connection for each gateway in Azure going to the on-prem?
-
Vallepu Venkateswarlu • 7,625 Reputation points • Microsoft External Staff • Moderator
2026-03-24T11:27:18.8633333+00:00 Hi @Christian,
In an active-active Azure VPN Gateway configuration, each gateway instance is assigned a unique public IP address, and each instance establishes its own IPsec/IKE tunnel to the on-premises VPN device. However, both tunnels are logically grouped under a single VPN connection resource in Azure.
Even though two tunnels exist in active-active mode, Azure surfaces them as a single connection resource. Tunnel-level visibility and validation must be performed from the on-premises VPN device (e.g., ASA, SonicWall), not from Azure.
Ref: Active-standby mode behavior
If your gateway is in active-active mode, you'll see two public IP addresses listed, one for each gateway VM instance. When you create a site-to-site connection, you must specify each IP address when configuring your VPN device because both gateway VMs are active. Follow View public IP address.
If you are getting an error while updating the PSK key, please check the Prerequisites and follow Create VPN connections.
Please "upvote" if the information helped you. This will help us and others in the community as well.
-
Ganesh Patapati • 11,915 Reputation points • Microsoft External Staff • Moderator
2026-03-30T08:54:13.37+00:00 Hello Christian
Thanks for the reply!
I’ve started a private message with you. Please share the required details there so I can assist with troubleshooting.