This article lists common site-to-site error codes that you might experience. It also discusses possible causes and solutions for these problems. If you know the error code, you can search for the solution on this page.
Connectivity failure.
The customer's on-premises VPN device isn't responding to the connection requests (IKE protocol messages) from the Azure VPN gateway.
To resolve this problem, follow these steps:
- Check that the on-premises IP address is correctly configured on the Local Network Gateway resource in Azure.
- Check whether the on-premises VPN device is receiving the IKE messages from the Azure VPN gateway.
  - If IKE packets aren't received on the on-premises gateway, check if there's an on-premises firewall dropping the IKE packets.
  - Check the on-premises VPN device logs to find why the device isn't responding to the IKE messages from the Azure VPN gateway.
  - Take mitigation steps to ensure that the on-premises device responds to Azure VPN gateway IKE requests. Engage the device vendor for help, as needed.
Connectivity failure.
Preshared key mismatch.
Check that the preshared key configured on the Azure connection resource matches the preshared key configured on the tunnel of the on-premises VPN device.
Policy match error (Error code: 13868, Hex: 0X362C) / No policy configured (Error code: 13825, Hex: 0X3601)
Connectivity failure.
IKE/IPsec policy mismatch.
For custom policy configuration on the connection resource in Azure, check to ensure that the IKE policy that's configured on the tunnel of the on-premises VPN device has the same configuration.
For default policy configuration, check configuration of IPsec/IKE connection policies for site-to-site VPN & VNet-to-VNet to ensure the configuration on the tunnel of the on-premises VPN device has the matching configuration.
Connectivity failure.
Traffic selector configuration mismatch.
Check the on-premises device log to find why traffic selector configuration proposed by the Azure VPN gateway isn't accepted by the on-premises device. Use one of the following methods to resolve the issue:
- Fix the traffic selector configuration on the tunnel of the on-premises device.
- Configure policy-based traffic selector on the connection resource in Azure to keep the same configuration as on-premises device traffic selector. For more information, see Connect VPN gateways to multiple on-premises policy-based VPN devices.
Invalid header (Error code: 13824, Hex: 0X3600) / Invalid payload received (Error code: 13843, Hex: 0X3613) / Invalid cookie received (Error code: 13846, Hex: 0X3616)
Connectivity failure.
The VPN gateway received unsupported IKE messages/protocols from the on-premises VPN device.
Ensure that the on-premises device is one of the supported devices. See About VPN devices for connections.
Contact your on-premises device vendor for help.
Connectivity failure.
IKE protocol version mismatch.
Ensure that the IKE protocol version (IKE v1 or IKE v2) is the same on the connection resource in Azure and on the tunnel configuration of the on-premises VPN device.
Connectivity failure.
Failure in Diffie-Hellman computation.
- For custom policy configuration on the connection resource in Azure, check to ensure that the DH group configured on the tunnel of the on-premises VPN device has the same configuration.
- For default DH group configuration, check the configuration of IPsec/IKE connection policies for S2S VPN & VNet-to-VNet to ensure the configuration on the tunnel of the on-premises VPN device has the matching configuration.
- If this doesn't resolve the issue, engage your VPN device vendor for further investigation.
Connectivity failure.
The Azure connection resource is configured in Initiator only mode and might not accept any connection requests from the on-premises device.
Update the connection mode property on the connection resource in Azure to Default or Responder only. For more information, see Connection mode settings.
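Several of the checks above (IKE version, custom IKE/IPsec policy, DH group, traffic selectors, connection mode) amount to comparing the Azure connection resource with the on-premises tunnel. The following script is an added example, not part of the original article or any Microsoft tooling: it audits a constructed sample in the shape of `az network vpn-connection show` output against a hypothetical hand-filled description of the device tunnel (the `ONPREM` layout and its key names are assumptions).

```python
import json

# Constructed sample, trimmed to the fields used here, in the shape of
# `az network vpn-connection show` output for the Azure connection resource.
AZURE_JSON = """{
  "connectionProtocol": "IKEv2", "connectionMode": "InitiatorOnly",
  "usePolicyBasedTrafficSelectors": false,
  "ipsecPolicies": [{"ikeEncryption": "AES256", "ikeIntegrity": "SHA256",
    "dhGroup": "DHGroup14", "ipsecEncryption": "AES256",
    "ipsecIntegrity": "SHA256", "pfsGroup": "PFS2048"}]
}"""

# Hypothetical hand-filled view of the on-premises tunnel (constructed values).
ONPREM = {
    "connectionProtocol": "IKEv1",
    "policyBasedTrafficSelectors": True,
    "initiatesConnection": True,
    "policy": {"ikeEncryption": "AES256", "ikeIntegrity": "SHA256",
               "dhGroup": "DHGroup2", "ipsecEncryption": "AES256",
               "ipsecIntegrity": "SHA256", "pfsGroup": "PFS2048"},
}

def audit(azure, onprem):
    """Return (cause, detail) pairs; causes are the ones this article names."""
    found = []
    proto = azure.get("connectionProtocol", "")
    if proto.lower() != onprem["connectionProtocol"].lower():
        found.append(("IKE protocol version mismatch",
                      f"Azure={proto} on-premises={onprem['connectionProtocol']}"))
    custom = azure.get("ipsecPolicies") or []
    if custom:  # custom policy: every parameter must match the device tunnel
        for field, want in onprem["policy"].items():
            have = custom[0].get(field)
            if str(have).lower() != str(want).lower():
                cause = ("Failure in Diffie-Hellman computation"
                         if field == "dhGroup" else "IKE/IPsec policy mismatch")
                found.append((cause, f"{field}: Azure={have} on-premises={want}"))
    else:  # no custom policy: the device must match the documented defaults
        found.append(("Default policy in use", "check device against default policies"))
    if bool(azure.get("usePolicyBasedTrafficSelectors")) != onprem["policyBasedTrafficSelectors"]:
        found.append(("Traffic selector configuration mismatch",
                      "policy-based traffic selectors differ between the two sides"))
    if azure.get("connectionMode") == "InitiatorOnly" and onprem["initiatesConnection"]:
        found.append(("Initiator only connection mode",
                      "set connection mode to Default or Responder only"))
    return found

if __name__ == "__main__":
    for cause, detail in audit(json.loads(AZURE_JSON), ONPREM):
        print(f"{cause}: {detail}")
```

The preshared key is deliberately left out of the comparison so that the secret never has to be copied into a file or script.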
For more information about VPN Gateway troubleshooting, see Troubleshooting site-to-site connections.