Per suggestion from mcatanzaro I’m starting another after posting in another thread this response: The summary of the above is that I cannot connect to any servers at my company when I am logged into the VPN. I do believe that DNS queries are working since the correct IPs are returned. But if I try to ping any thing in my work domain it doesn’t work. Same for ssh to a work domain server. The problem I have is like mentioned before – I can connect through anyconnect using an SSL Cert from the ASA, I authenticate through the Domain contoller fine. I get a IP address from the pool 192.168.100.1, gateway always seems to be 192.168.100.2.
-->After you configure a site-to-site VPN connection between an on-premises network and an Azure virtual network, the VPN connection suddenly stops working and cannot be reconnected. This article provides troubleshooting steps to help you resolve this problem.
If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and Stack Overflow. You can post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit an Azure support request. To submit a support request, on the Azure support page, select Get support.
Troubleshooting steps
To resolve the problem, first try to reset the Azure VPN gateway and reset the tunnel from the on-premises VPN device. If the problem persists, follow these steps to identify the cause of the problem.
Prerequisite step
Check the type of the Azure VPN gateway.
Go to the Azure portal.
Check the Overview page of the VPN gateway for the type information.
Step 1. Check whether the on-premises VPN device is validated
Check whether you are using a validated VPN device and operating system version. If the device is not a validated VPN device, you might have to contact the device manufacturer to see if there is a compatibility issue.
Make sure that the VPN device is correctly configured. For more information, see Edit device configuration samples.
Step 2. Verify the shared key
Compare the shared key for the on-premises VPN device to the Azure Virtual Network VPN to make sure that the keys match.
To view the shared key for the Azure VPN connection, use one of the following methods:
Azure portal
Go to the VPN gateway site-to-site connection that you created.
In the Settings section, click Shared key.
Azure PowerShell
Note
This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module isthe recommended PowerShell module for interacting with Azure. To get started with the AzPowerShell module, see Install Azure PowerShell. To learn howto migrate to the Az PowerShell module, seeMigrate Azure PowerShell from AzureRM to Az.
For the Azure Resource Manager deployment model:
For the classic deployment model:
Step 3. Verify the VPN peer IPs
- The IP definition in the Local Network Gateway object in Azure should match the on-premises device IP.
- The Azure gateway IP definition that is set on the on-premises device should match the Azure gateway IP.
Step 4. Check UDR and NSGs on the gateway subnet
Check for and remove user-defined routing (UDR) or Network Security Groups (NSGs) on the gateway subnet, and then test the result. If the problem is resolved, validate the settings that UDR or NSG applied.
Step 5. Check the on-premises VPN device external interface address
If the Internet-facing IP address of the VPN device is included in the Local network definition in Azure, you might experience sporadic disconnections.
Step 6. Verify that the subnets match exactly (Azure policy-based gateways)
- Verify that the virtual network address space(s) match exactly between the Azure virtual network and on-premises definitions.
- Verify that the subnets match exactly between the Local Network Gateway and on-premises definitions for the on-premises network.
Step 7. Verify the Azure gateway health probe
Open health probe by browsing to the following URL:
https://<YourVirtualNetworkGatewayIP>:8081/healthprobeClick through the certificate warning.
If you receive a response, the VPN gateway is considered healthy. If you don't receive a response, the gateway might not be healthy or an NSG on the gateway subnet is causing the problem. The following text is a sample response:
Step 8. Check whether the on-premises VPN device has the perfect forward secrecy feature enabled
The perfect forward secrecy feature can cause disconnection problems. If the VPN device has perfect forward secrecy enabled, disable the feature. Then update the VPN gateway IPsec policy.
Next steps
-->This article fixes an issue that you can't connect to the Internet after you log on to a server that's running Routing and Remote Access by using VPN.
Original product version: Windows Server 2012 R2
Original KB number: 317025
Symptoms
After you use a VPN connection to log on to a server that is running Routing and Remote Access, you may be unable to connect to the Internet.
Cause
This issue may occur if you configure the VPN connection to use the default gateway on the remote network. This setting overrides the default gateway settings that you specify in the Transmission Control Protocol/Internet Protocol (TCP/IP) settings.
Resolution
To resolve this issue, configure the client computers to use the default gateway setting on the local network for Internet traffic and a static route on the remote network for VPN-based traffic.
Note
Because there are several versions of Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
Step 1: Configure the server that's running Routing and Remote Access to use a static IP address pool
Windows 2000 Server
Select Start, point to Programs, point to Administrative Tools, and then select Routing and Remote Access.
Right-click the server that is running Routing and Remote Access, and then select Properties.
Select the IP tab, select Static address pool, and then select Add.
Type the start of the Internet Protocol (IP) address range in the Start IP address box, type the end of the IP address range in the End IP address box, and then select OK.
Note
Configure a pool of static IP addresses on a different network segment than the network segment on which the internal local area network (LAN) exists.
Select the Enable IP routing check box if it isn't already selected.
Select OK.
Enable TCP/IP forwarding.
Windows NT Server 4.0
Select Start, point to Settings, select Control Panel, and then double-click Network.
Select the Services tab, select Remote Access Service in the Network Services list, and then select Properties.
Select Network, select the TCP/IP check box if it isn't already selected. And then select Configure next to TCP/IP.
Select Use static address pool.
Type the start of the IP address range in the Begin box, type the end of the IP address range in the End box.
Note
Configure a pool of static IP addresses on a different network segment than the network segment on which the internal LAN exists.
To exclude a range of IP addresses from the static address pool, type the starting IP address of the range that you want to exclude in the From box, type the ending IP address of the range that you want to exclude in the To box, and then select Add.
Select OK, select OK, and then select Continue.
Select the Protocols tab, select TCP/IP Protocol > Properties. Select the Routing tab, and then select the Enable IP Forwarding check box if it isn't already selected.
Select OK, and then select Close.
Select Yes to restart the computer.
Step 2: Configure the VPN client TCP/IP properties
To disable the Use Default Gateway on Remote Network setting in the VPN dial-up connection item on the client computer:
- Double-click My Computer, and then select the Network and Dial-up Connections link.
- Right-click the VPN connection that you want to change, and then select Properties.
- Select the Networking tab, select Internet Protocol (TCP/IP) in the Components checked are used by this connection list, and then select Properties.
- Select Advanced, and then clear the Use default gateway on remote network check box.
- Select OK, select OK, and then select OK.
Cannot Connect To This Gateway Anyconnect Router
Step 3: Connect to the server that's running Routing and Remote Access
On the client computer, connect to the Internet, and then establish a VPN connection to the server that is running Routing and Remote Access.
Note
You cannot connect to resources on the remote network because you have disabled the Use Default Gateway on Remote Network setting in the VPN TCP/IP configuration.
Step 4: Add a static route on the client
Add a static route on the client computer that uses the following configuration:
- The remote network is the destination.
- The correct subnet mask is used for the remote network.
- The first IP address from the static IP address pool that you configured in the Step 1: Configure the server that's running Routing and Remote Access to use a static IP address pool section of this article is the gateway.
Note
The Routing and Remote Access server assigns this first IP address to its wide area network (WAN) Miniport driver.
For example, to add a static route to a network that has the IP address of 192.168.10.0, the subnet mask of 255.255.255.0, and the gateway (the first IP address of the range assigned to the static IP address pool) of 192.168.1.1, run the following command:
Note
If you use the -p switch with Windows 2000 or Windows NT 4.0, the route is made persistent. Use this switch to ensure that the routing entry is preserved when the computer is restarted.
Note
The -p switch isn't supported on either Microsoft Windows Millennium Edition-based, Microsoft Windows 98-based, or Microsoft Windows 95-based computers.
Workaround
Cannot Connect To This Gateway Anyconnect Device
To work around this issue, create a batch file that contains the necessary route add command. And then configure it to run each time that a client connects to the VPN Server.