Guides
All guides
VPN & Firewall
FortiGate IPsec VPNPalo Alto VPNCisco ASA VPNJuniper SRX VPNSonicWall VPN
Switching & Routing
Catalyst high CPUNexus vPCOSPF ExStartBGP Active/Idle
Load Balancing
F5 pool member down
Servers & Virtualization
Linux high loadWindows high memoryESXi disconnectedProxmox node offline
Containers
K8s CrashLoopDocker exit 137
Databases
MySQL replication lagPostgreSQL connsOracle ORA-12541
Cloud
AWS no internetAzure VPN gateway
Backup
Veeam job failed
Web & App
Nginx 502
Compare
Marvis alternativeChatGPT vs TM
Home / Troubleshoot / Azure VPN Gateway
Azure · VPN Gateway

Azure VPN Gateway Not Connecting: How to Troubleshoot It

By the Tech Matrix engineering team · Updated June 2026

When an Azure site-to-site connection shows "Not connected," the mismatch is almost always the shared key, the IKE/IPsec policy, or the address spaces. Here's the order to check.

Step 1 — Read the connection status

In the portal, open the Connection resource and check its status and the last error. Azure's VPN troubleshoot (Connection Troubleshoot) runs a diagnostic and points at the failing stage.

Step 2 — The common mismatches

  • Shared key: must match exactly between the Azure connection and the on-prem device.
  • Local Network Gateway: its Gateway IP must be your on-prem device's real public IP, and its address space must list your on-prem subnets.
  • Address spaces: the Azure VNet address space and the on-prem address space must be defined on both ends and must not overlap.

Step 3 — IKE/IPsec policy

If you set a custom IPsec/IKE policy on the connection, every parameter (IKE version, encryption, integrity, DH/PFS group, SA lifetimes) must match the on-prem device exactly. A single mismatch keeps it down. If you're not using a custom policy, make sure the on-prem device supports one of Azure's default proposals.

Step 4 — On-prem side

Confirm the on-prem firewall permits UDP 500/4500 to/from the Azure gateway's public IP, that the device isn't NATing the VPN traffic, and (for route-based) that the traffic selectors are 0.0.0.0/0 or match the policy. Re-check the connection status after each change.

How Tech Matrix solves this in ~60 seconds

Azure spreads the settings across the Connection, the Local Network Gateway and the policy, so the mismatch is easy to miss. Tech Matrix correlates the Azure config with your on-prem device, names the exact mismatched parameter, and gives the fix on both ends — with your approval.

Create free account →See how it works

Frequently asked questions

Why does my Azure VPN show Not Connected?

Usually a shared-key mismatch, a wrong Local Network Gateway IP/address space, or a custom IKE/IPsec policy that doesn't match the on-prem device.

How do I troubleshoot an Azure VPN gateway?

Use the connection's VPN troubleshoot (Connection Troubleshoot) in the portal, then verify shared key, Local Network Gateway IP and address spaces, and the IKE/IPsec policy match.

What ports does Azure VPN gateway need?

The on-prem device must allow UDP 500 and UDP 4500 to and from the Azure VPN gateway's public IP, with no NAT on the VPN traffic.