VPN Gateway Health Probe unavailable

Question

VPN Gateway Health Probe unavailable

Tom Yates 21

I'm setting up a Site to Site VPN between us and a customer. Both are in Azure.
Before doing this in Prod environment, I'm setting it up in Test back to my PAYG subscription to check process etc.

The VPN stays "Not Connected". Following the troubleshooting steps, it says at step 7 to check the health probe of the VPN gateway at https://<YourVirtualNetworkGatewayIP>:8081/healthprobe

This is where I'm stuck. It times out connecting. The VPN troubleshooter also provides similar suggestions as to unable to connect to other peer. This happens on both gateways (e.g. test and also my PAYG).

I have another site to site VPN set up at another customer, and I know what I should receive when calling that URL, and that customer works fine with a reply on the health probe.

Running the following, also fails with TimeOut.
test-netconnection -computername [my-virtual-network-gateway-up] -port 8081

I have teared it down, and recreated it with a different Public IP, and same response.
Also tested from seperate networks to rule out any firewalls etc. (e.g. tested from home and from office)

Suggestions welcome?

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-04-18T10:07:26.643+00:00
Hello @Tom Yates ,

Apologies for the delay in response.

Could you please provide the below details for further investigation on this issue:

Is there an NSG or UDR associated to the VPN GatewaySubnet?

What is the SKU & region of the VPN gateway?

Regards,
Gita
Tom Yates 21 Reputation points

2022-04-19T07:38:55.683+00:00
Hi,

No, there is not an NSG or UDR associated to the GatewaySubnet

SKU is Basic on both sides, - region is UKSouth on both side.

Thanks,
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-04-19T13:19:19.393+00:00

Hello @Tom Yates ,

Thank you for the details.

The VPN gateway health probe failure usually happens due to NSGs applied on GatewaySubnet. Since that is not the case here, let us check the other configurations one by one to find the root cause of "Not connected" VPN status.

1) You mentioned that you are setting up a Site to Site VPN between you and a customer (Both are in Azure). So I believe the site to site (IPsec) VPN connection is configured between 2 Vnets, is that correct?
2) If yes, did you create local network gateways on both sides representing the other VNet as a local site?
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec
3) Are you using Route based VPN type or Policy based VPN type on your Basic SKU VPN gateways? Are they same on either side?
4) Is the Pre-shared key configured correctly on both side connections?
5) Are there any other Vnet peered/connected to these 2 Vnets with overlapping address spaces?

Regards,
Gita

1 answer

Your answer

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-04-18T10:07:26.643+00:00

Hello @Tom Yates ,

Apologies for the delay in response.

Could you please provide the below details for further investigation on this issue:

Is there an NSG or UDR associated to the VPN GatewaySubnet?

What is the SKU & region of the VPN gateway?

Regards,
Gita
Tom Yates 21 Reputation points

2022-04-19T07:38:55.683+00:00

Hi,

No, there is not an NSG or UDR associated to the GatewaySubnet

SKU is Basic on both sides, - region is UKSouth on both side.

Thanks,
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-04-19T13:19:19.393+00:00

Hello @Tom Yates ,

Thank you for the details.

The VPN gateway health probe failure usually happens due to NSGs applied on GatewaySubnet. Since that is not the case here, let us check the other configurations one by one to find the root cause of "Not connected" VPN status.

1) You mentioned that you are setting up a Site to Site VPN between you and a customer (Both are in Azure). So I believe the site to site (IPsec) VPN connection is configured between 2 Vnets, is that correct?
2) If yes, did you create local network gateways on both sides representing the other VNet as a local site?
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec
3) Are you using Route based VPN type or Policy based VPN type on your Basic SKU VPN gateways? Are they same on either side?
4) Is the Pre-shared key configured correctly on both side connections?
5) Are there any other Vnet peered/connected to these 2 Vnets with overlapping address spaces?

Regards,
Gita

Answer 1

Hi Gita,

Yes, correct - VNet to Vnet in Azure.
Yes, created the LNG's
Route Based. Yes, same on both sides
Yes, Pre-Shared Key correct
No peering and no overlapping address space.

Things progressed after the weekend, in that it just worked which is most odd, so assume it was something odd in the Azure world.
However, I would still like to know at what point is the Health Probe is available on https://<YourVirtualNetworkGatewayIP>:8081/healthprobe ? Is it only available when the VPN is connected?
I cannot find any documentation on this aspect of the VPN gateway, and all web search point me to ALG Health Probes. This would be most helpful.

I will mark this question answered, although sorry to future readers - there is not a root cause as to why it happened and how it was resolved.
In addition, this was purely a PoC before configuring it live for us and the customer. I am pleased to say this worked without any issue (and the health probe was available)

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-04-25T11:38:14.04+00:00

Thank you for the update, @Tom Yates . Glad to hear that the issue is now resolved.
VPN Health Probe is available on https://<YourVirtualNetworkGatewayIP>:8081/healthprobe only when the created VPN gateway is healthy and is able to reach the management controllers to function properly.

Share via

VPN Gateway Health Probe unavailable

1 answer

Your answer