Trouble connecting to an Azure VPN Gateway from my Azure Dev Box
I'm seeing the error when trying to connect: "server did not respond properly to vpn control packets. session state: reset sent"
- I'm using Azure VPN Client.
- My VPN Gateway is set up for Point to Site (P2S) with both a certificate and Azure AAD.
- Both configurations work from my home machine connected via Xfinity
- Neither configuration works from my AZ Dev Box. Both connections result in the same error message above.
- My AZ Dev Box is synced to the correct time
- My AZ Dev Box is able to VPN to corpnet
- When I ping the VPN gateway from home, it DNS resolves and the ping succeeds
- When I ping the VPN gateway from my AZ Dev Box, it DNS resolves but the ping does not succeed
Thoughts?
Thanks,
Larry
Azure VPN Gateway
-
Luis Arias 6,796 Reputation points
2024-02-16T10:03:13.48+00:00 Hi Lawrence Beck, this troubleshooting might require checking the logs of your Azure VPN Client. You can go through the checklist below to verify whether it solves your problem:
- Time Synchronization: You mentioned that your Azure Dev Box is synchronized to the correct time. This is important as incorrect time settings can cause this error. (https://zcusa.951200.xyz/en-us/answers/questions/931254/connecting-to-azure-vpn-error-message-server-did-n)
- User Credentials: Try using the same user credentials on a different machine, or try a different set of credentials on the Azure Dev Box. (https://zcusa.951200.xyz/en-us/answers/questions/931254/connecting-to-azure-vpn-error-message-server-did-n)
- Firewall Settings: Check your firewall settings to ensure that the VPN server is reachable from your location and that the required port is open. (https://zcusa.951200.xyz/en-us/answers/questions/1185274/dialing-vpn-connection-xxxx-xxxx-status-server-did)
- Network Adapters: You could try uninstalling and then reinstalling all of the WAN Miniport devices in your network adapters. (https://stackoverflow.com/questions/64109075/azure-vpn-p2s-azure-ad-authentication-connection-problem-the-operation-was-canc)
- Root Certificate: Check the status of the root certificate in the Azure portal to see whether it was revoked. If it is not revoked, try to delete the root certificate and reupload. (https://zcusa.951200.xyz/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems)
- User-Defined Routes (UDR): If you have any UDRs on the Gateway Subnet, ensure they are forwarding all traffic properly.
Let me know if any of these options helps you. Luis
-
KapilAnanth-MSFT 46,016 Reputation points • Microsoft Employee
2024-02-16T10:19:16.0233333+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are facing the error message, "server did not respond properly to vpn control packets. session state: reset sent".
This generally happens when there is a misconfiguration in the XML File used in the VPN Client, especially when the Shared Secret added in the client does not match the Server Shared Secret.
As next steps,
- Reset the VPN Gateway and then redownload the configuration file.
- Import the newly downloaded config file into the Azure VPN Client
- Are you using Certificate or Azure Entra (AAD) in your Devbox?
- Can you please configure it for certificate first and check if that works properly or not?
- Make sure the configurations are as below
Cheers,
Kapil
-
Lawrence Beck 0 Reputation points • Microsoft Employee
2024-02-16T19:51:31.6+00:00 So far:
- Time Synchronization: looks good
- User Credentials: both AAD & certificate auth work from my physical home machine and a teammate's physical corpnet machine.
- Firewall Settings: VPN gateway has no restrictions that would prevent access from the dev box and the port is open (otherwise we couldn't reach it from other machines.)
- Network Adapters: I can't mess with the network adapters on my AZ dev box or I'll lose connectivity and not be able to restore it. I've done this before.
- Root Certificate: Root cert is not revoked, works fine for other scenarios using the same cert, plus this doesn't explain the AAD connection failure.
- User-Defined Routes (UDR): none
This seems to be a network config issue with our dev boxes since we can't get a ping response from the VPN gateway on the dev boxes but we can get a response from external machines. I've engaged our AZ dev box support team to help investigate. I'll report back and close this if we find a resolution.
-
KapilAnanth-MSFT 46,016 Reputation points • Microsoft Employee
2024-02-19T11:26:38.6166667+00:00 Thanks for keeping us updated.
- As you mentioned, you can take a look at the Networking configuration.
- From your DevBox , see if you are getting a reply for accessing the server : https://<YourVirtualNetworkGatewayIP>:8081/healthprobe
- I see you are using AAD Auth, so this means you will be using OpenVPN Protocol.
- So, you can try TCP Pinging the Gateway IP at Port 443
- Open PowerShell as Admin and run
tnc <YourVirtualNetworkGatewayIP> -p 443
Let us know how it goes.
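The checks listed in this reply (health probe on 8081, TCP connect on 443), plus the DNS and ICMP checks from the original question, collected into one PowerShell function so they can be run in a single pass from the Dev Box. This is an added example, not code from anyone in the thread; `<YourVirtualNetworkGatewayIP>` is the placeholder used above, and the function name and its parameters are assumptions.

```powershell
# Added example: run the reachability checks suggested in this thread from a Dev Box.
# $Gateway is the P2S gateway public IP or FQDN from the downloaded VPN client profile.
function Test-P2SGatewayReachability {
    param(
        [Parameter(Mandatory)][string]$Gateway,
        # The health probe is served on the gateway IP, so the certificate name will not
        # match; -SkipCertificateCheck exists in PowerShell 7+ only, hence the switch.
        [switch]$SkipTls
    )

    $result = [ordered]@{}

    # 1. Name resolution (the OP saw DNS succeed but ICMP fail from the Dev Box).
    if ($Gateway -as [ipaddress]) {
        $result.DnsAddresses = 'literal IP given, DNS step skipped'
    } else {
        try {
            $result.DnsAddresses = (Resolve-DnsName -Name $Gateway -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }).IPAddress
        } catch { $result.DnsAddresses = "FAILED: $($_.Exception.Message)" }
    }

    # 2. ICMP echo. ICMP is often filtered, so a failure here on its own does not
    #    prove the VPN path is blocked; compare it with the TCP results below.
    $result.Icmp = Test-Connection -ComputerName $Gateway -Count 2 -Quiet

    # 3. TCP 443: OpenVPN (used with Entra ID / AAD auth) and SSTP both run over 443.
    $result.Tcp443 = (Test-NetConnection -ComputerName $Gateway -Port 443 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # 4. TCP 8081: the gateway health probe endpoint mentioned in the thread.
    $result.Tcp8081 = (Test-NetConnection -ComputerName $Gateway -Port 8081 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # 5. HTTPS GET on the health probe; an HTTP 200 shows the gateway instance is up.
    #    ${Gateway} is braced because "$Gateway:8081" would be parsed as a scoped variable.
    try {
        $params = @{ Uri = "https://${Gateway}:8081/healthprobe"; UseBasicParsing = $true; TimeoutSec = 10 }
        if ($SkipTls) { $params.SkipCertificateCheck = $true }
        $result.HealthProbe = (Invoke-WebRequest @params).StatusCode
    } catch { $result.HealthProbe = "FAILED: $($_.Exception.Message)" }

    [pscustomobject]$result
}

# Usage (placeholder from the thread; replace with the gateway IP in your VPN profile):
Test-P2SGatewayReachability -Gateway '<YourVirtualNetworkGatewayIP>' -SkipTls
```

Reading the output: DNS succeeding while ICMP, 443 and 8081 all fail points at a network path or firewall problem between the Dev Box and the gateway, which is where the rest of this thread ends up; all checks succeeding while the client still reports "reset sent" points instead at the client profile or at filtering of the VPN protocol itself rather than plain TCP reachability.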
-
Daniel Lopez Garcia 0 Reputation points • Microsoft Employee
2024-03-26T19:40:08.24+00:00 If you are using the standard devbox provided, you need to add the VPN endpoint to the firewall. From the main devbox site, click on help/docs and then FAQ / network connectivity, it explains the process in detail.
-
Hao Gao 0 Reputation points • Microsoft Employee
2024-07-14T02:21:29.5133333+00:00 Hey @KapilAnanth-MSFT , I had exactly the same issue as @Lawrence Beck has. Due to recent Security Wave requests, I need to hide all my Azure resources behind a VNet, which impacts my local debugging. To solve this, I created a VNet Gateway to allow my local dev box to connect to my Azure VNet. I am following this https://zcusa.951200.xyz/en-us/azure/vpn-gateway/point-to-site-entra-gateway post and everything works fine on my office machine. But I am having trouble connecting to the VNet gateway P2S VPN (with Azure VPN Client) on all my Azure Dev Boxes.
I've checked the following:
- the time synchronization (I see many posts mentioning this)
- the firewall allows Azure VPN Client
- I can get a reply from https://<MyVirtualNetworkGatewayIP>:8081/healthprobe, as shown below:
- running tnc <MyVirtualNetworkGatewayIP> -p 443 looks good.
- I can ping the VPN address and get its public IP
- I ran the Azure VPN Client diagnostics and all looks good.
Unfortunately, the Azure VPN Client keeps failing:
I would really appreciate it if anyone could help me fix this issue. I have been stuck on it for weeks.
-
KapilAnanth-MSFT 46,016 Reputation points • Microsoft Employee
2024-07-15T06:51:17.2266667+00:00 Hi Hao Gao ,
- Delete and reinstall the Azure VPN Client. You can also try re-generating the VPN client profile configuration file and import it again.
- Perform a packet capture on the VPN Gateway and on the client machine and see if you are able to view any incomplete packets or issues.
Cheers,
Kapil
-
Hao Gao 0 Reputation points • Microsoft Employee
2024-07-15T19:53:28.4366667+00:00 Hey @KapilAnanth-MSFT thanks for your comments. I think I've figured it out. It's a limit on Azure Dev Box for security reasons. For Azure VPN (or any custom VPN) specific asks, we need to add the VPN endpoints to our firewall policies, which are managed by the Dev Center or Pool/Project Admin; the admin needs to submit an ICM ticket through aka.ms/1esbot for this request.
-
Hao Gao 0 Reputation points • Microsoft Employee
2024-07-15T19:57:04.3766667+00:00 Hey @Lawrence Beck not sure if you have any update on this post. I am sure it's a known issue for Azure Dev Box, as mentioned in the MSFT internal Stack Overflow post: dev box - Azure VPN Client not working (OpenVPN protocol seems like it is blocked in the dev box environment) - Stack Overflow at Microsoft.
For those who are stuck on this issue, to save your time: one needs to add the VPN endpoints to the Azure Dev Box firewall policies, which are managed by the Dev Center or Pool/Project Admin; the admin needs to submit an ICM ticket through aka.ms/1esbot for adding the new VPN endpoint.