Share via

Site-to-site VPN connection fails between two hub vnets in different region

Rajesh Swarnkar 1,116 Reputation points
2026-04-08T06:26:50.96+00:00

Hi, I am trying to implement this sample architecture to explore the Route server beahviour . But the S2S VPN connection keeps failing.

User's image

Architecture: User's image

On researching I got ot know that it is “old” way to peer networks. But now curious to know why the S2S Connection fails. Here is my Connection sesstings:

User's image

Azure VPN Gateway
Azure VPN Gateway

An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Venkatesan S 6,695 Reputation points Microsoft External Staff Moderator
    2026-04-08T09:23:00.53+00:00

    Hi Rajesh Swarnkar,

    Thanks for reaching out in Microsoft Q&A forum,

    Your S2S setup between two Azure VPN Gateways won't work it's using the wrong connection pattern. Here's the deal in plain English:

    You're building this:

    VPN Gateway (centralindia) > Local Network Gateway > Connection > VPN Gateway (southindia)

    Local Network Gateways tell Azure, "this is an on-premises VPN device." But you're pointing them at another Azure VPN Gateway. Azure's control plane goes, "Wait, where's the customer VPN appliance?" and the IPsec handshake fails silently hence "Unknown."

    Your Settings Are Fine, Architecture Isn't

    Your connection config looks good:

    • IKEv2 enabled
    • Default mode
    • BGP enabled (perfect for Route Server testing)
    • Standard PSK

    This isn't a config tweak issue; it's the wrong topology.

    Option 1: VNet-to-VNet Connections (Keeps IPsec)

    Delete your current connections. Recreate properly:

    1. vpng-centralindia > Connections > +Add > "VNet-to-VNet"     - Target: vpng-southindia directly (no LNG)
2. vpng-southindia > Connections > +Add > "VNet-to-VNet"    - Target: vpng-centralindia directly (no LNG)

    Option 2: Global VNet Peering (Recommended for Route Server)

    Simplest fix, no IPsec, pure Azure backbone:

    1. Delete both failing connections + both Local Network Gateways
2. Central VNet → Peerings → +Add → South VNet
   - Allow gateway transit: YES
3. South VNet → Peerings → +Add → Central VNet
   - Use remote gateways: YES

    Route Server shines with peering:

    • Central Route Server learns VPN Gateway routes → propagates to South via peering
    • South Route Server learns Central routes → full mesh automatically
    • No tunnel state to manage
    • BGP works end-to-end 
        On-Prem > Central VPN > Route Server > Peering > South Route Server > South VPN > On-Prem

    Go with peering since you're testing Route Server:

    1. Delete connect-central-to-south2 & connect-south-to-central2 
2. Delete Ing-in-centralindia & Ing-in-southindia (LNGs) 
3. Create bidirectional Global VNet Peering with gateway transit 
4. Watch Route Servers auto-propagate routes

    Official Docs:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to 210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments
  2. Q&A Assist
    2026-04-08T06:27:22.16+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The site-to-site VPN between the two hub VNets fails for the same reasons any Azure S2S tunnel fails: one or more of the core parameters on the two sides don’t match, or the gateway path is being blocked. Use the standard S2S troubleshooting flow to find the mismatch.

    Follow these checks end to end on both VPN gateways and both local network gateways:

    1. Reset both VPN gateways and tunnels
      First reset each Azure VPN gateway, then reset the tunnel from the opposite side. This clears stale state and is the recommended first step when a previously working or newly created tunnel won’t connect.
    2. Verify the VPN device type and configuration
      In this scenario, each Azure VPN gateway is effectively acting as the “device” for the other side. Ensure both gateways are route‑based and support IKEv2, and that no custom IPsec/IKE policy is applied on one side but not the other.
    3. Confirm the shared key is identical on both connections
      The pre‑shared key must match exactly on the two connections:
      • In the portal, open each connection and check the Authentication / Shared key.
      • Or use PowerShell: 
             Get-AzVirtualNetworkGatewayConnectionSharedKey -Name <ConnectionName> -ResourceGroupName <RG>
      If they differ, update one side so both keys are identical.
    4. Verify VPN peer IPs and Local Network Gateway definitions
      For each local network gateway:
      • The IP address must be the public IP of the remote VPN gateway.
      • The address spaces must exactly match the remote VNet address space(s).
      On each on‑premises definition (here, the opposite Azure gateway):
      • Ensure the remote gateway IP configured is the public IP of the other Azure VPN gateway.
        Any mismatch here will keep the tunnel in Unknown / Not connected state.
    5. Check for UDRs or NSGs on the gateway subnet
      On each hub VNet, inspect the gateway subnet:
      • Remove any user‑defined routes or NSGs from the gateway subnet and test again.
      • If the tunnel comes up, re‑add UDR/NSG rules carefully so they don’t block IPsec or health‑probe traffic.
    6. Validate that the on‑premises (remote) IP isn’t inside the local network definition
      Ensure the public IP of each VPN gateway is not included in the address prefixes of the opposite local network gateway. If it is, sporadic or failed connections can occur.
    7. Use the gateway health probe to confirm gateway health
      For each VPN gateway public IP, browse:
      • https://<GatewayPublicIP>:8081/healthprobe
        For active/active, also check :8083.
        If there is no response, the gateway may be unhealthy or blocked by an NSG on the gateway subnet.
    8. Check IPsec/IKE options such as Perfect Forward Secrecy
      If custom IPsec/IKE policies are used and Perfect Forward Secrecy (PFS) is enabled on one side but not the other, the tunnel can fail. Ensure both sides use matching IPsec/IKE parameters, or revert to the default policy on both connections.

    Once these parameters (peer IPs, address spaces, shared key, IPsec/IKE settings) are symmetric and any blocking NSGs/UDRs are removed from the gateway subnets, the S2S VPN between the two hub VNets should move from Unknown/Not connected to Connected.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.