Azure VPN Gateway Connection Traffic suddenly stops

Question

Azure VPN Gateway Connection Traffic suddenly stops

Ming Yu 20

We have an azure VPN gateway with a connection to an on-site premise device.

The configuration has been setup for years and it's been working consistently and reliably for long time.

Recently, we notice that the the services deployed in our AKS cluster seemed to have failed DB connection when attempting to access the DB over the VPN tunnel.

When that happened, we noticed that the traffic across the VPN tunnel literally stopped.

But if we reset the VPN gateway, once the VPN connection is reestablished, the DB connection access resumed.

According to the health resource of the VPN gateway, there was no health issue detected while the network traffic over the VPN stopped.

Can anyone help us troubleshoot to see what might have been happening when the VPN traffic suddenly stopped?

I tried to enable diagnostic logs for the VPN gateway following https://learn.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics.

I can see that GatewayDiagnosticLog, TunnelDiagnosticLog, IKEDiagnosticLog, etc are enabled by running command "az monitor diagnostic-settings list --resource <vpn_gateway_resource_id>".

However, I can't find azure tables in the log analytics workspace that is used to enable diagnostic settings.

Thanks for the help.

Sindhuja Dasari 630 Reputation points Microsoft External Staff Moderator

2025-04-30T16:10:09.5833333+00:00
Hello Ming Yu

I understand how frustrating this can be, especially when a VPN tunnel that's been stable for years suddenly stops traffic.

Here are a few troubleshooting steps you might consider:

Since you've enabled diagnostic logs, try querying the TunnelDiagnosticLog table to see if there are any TunnelDisconnected events that coincide with the time of failure. This could indicate an issue with tunnel stability.

Look for any SetGatewayConfiguration or HostMaintenanceEvent entries in the GatewayDiagnosticLog table. These could indicate configuration changes or maintenance events that might be affecting connectivity.

If you can't find the expected tables in your Log Analytics workspace, ensure that the diagnostic settings are correctly configured to send logs to the workspace. You might need to manually query the workspace to confirm the presence of logs.

Some VPN configurations have idle timeout settings that could be terminating the tunnel if there’s no activity for a certain period.

If you're using BGP for routing, ensure that routes are being exchanged properly. A failure in route propagation could cause traffic to stop flowing.

If possible, check logs on your on-premises VPN device to see if there are any errors or disconnect events that align with the traffic stoppage.

Additionally, Refer Troubleshoot-site-to-site-disconnected-intermittently

VPN-gateway-troubleshoot

VPN-gateway-troubleshoot-site-to-site-cannot-connect

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Ming Yu 20

@Sindhuja Dasari Thanks for the follow up.

As I mentioned in the original post, the challenge is that I can't find any table (GatewayDiagnosticLog, TunnelDiagnosticLog, IKEDiagnosticLog, etc) in the log analytics workspace while the command "az monitor diagnostic-settings list --resource <vpn_gateway_resource_id>" shows it that those logs are enabled like:

"logs": [

  {

    "category": "GatewayDiagnosticLog",

    "enabled": true,

    "retentionPolicy": {

      "days": 0,

      "enabled": false

    }

  },

  {

    "category": "TunnelDiagnosticLog",

    "enabled": true,

    "retentionPolicy": {

      "days": 0,

      "enabled": false

    }

  },

  {

    "category": "RouteDiagnosticLog",

    "enabled": true,

    "retentionPolicy": {

      "days": 0,

      "enabled": false

    }

  },

  {

    "category": "IKEDiagnosticLog",

    "enabled": true,

    "retentionPolicy": {

      "days": 0,

      "enabled": false

    }

  },

 ...

Any thoughts on why those tables do not exist/created?

Praveen Bandaru 3,165 Reputation points Microsoft External Staff Moderator

2025-04-30T19:13:32.9666667+00:00

Hello Ming Yu

Thank you for your response. If possible, could you please share the IKE logs error message screen shot.

Additionally, if possible, could you share all error messages.
Sindhuja Dasari 630 Reputation points Microsoft External Staff Moderator

2025-05-02T11:04:39.8366667+00:00
Hello Ming Yu

I understand that you're unable to find table (GatewayDiagnosticLog, TunnelDiagnosticLog, IKEDiagnosticLog, etc) in the log analytics workspace, as I mentioned earlier ensure that the diagnostic settings are correctly configured to send logs to the intended Log Analytics workspace.

Try running queries directly on the AzureDiagnostics table instead of looking for individual tables like GatewayDiagnosticLog or TunnelDiagnosticLog. Some logs might be stored under AzureDiagnostics table based on the Destination Table you've configured as follows:

Resource Specific - stores logs in a dedicated table specific to resource, offering more structured and easy-to-manage approach.

Diagnostics Logging- stores logs in a centralized AzureDiagnostics table which is less structured and contains data from multiple resource types.

Refer the below screenshot for reference

Run this below query to confirm the presence in AzureDiagnostics

AzureDiagnostics | where ResourceType == "VIRTUALNETWORKGATEWAYS" | summarize count() by Category

Going Further, it is recommended to enable Logging with Destination table as Resource Specific mode

Refer

Create-Diagnostics-Settings

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Sindhuja Dasari 630 Reputation points Microsoft External Staff Moderator

2025-05-05T10:02:15.7833333+00:00

Hello Ming Yu
Following up to see if the above information was helpful. And, if you have any further query do let us know.
Ming Yu 20 Reputation points

2025-05-05T16:12:13.1533333+00:00

Greetings!
So, I can verify that IKEDiagnosticLog is available as a category in AzureDiagnostic table:

But I don't see other log categories (e.g., GatewayDiagnosticLog, TunnelDiagnosticLog, RouteDiagnosticLog, P2SDiagnosticLog, etc).

Also, specifically, when VPN traffic suddenly drops to zero, which log categories should I look into?

Thanks.
Ming Yu 20 Reputation points

2025-05-05T18:15:29.06+00:00

Thank you for the quick response. I think the reason there are no additional logs is because the VPN gateway as not encountered any issue since the diagnostic mode is enabled.

I think at this time, the request can be closed assuming I can still come back to reference it, right?
Sindhuja Dasari 630 Reputation points Microsoft External Staff Moderator

2025-05-05T19:26:09.8766667+00:00

Hello Ming Yu

Thank you for the response.

Yes, if there haven't been any issues, changes since diagnostics were enabled, its normal to only see IKEDiagnosticLog. The others will appear once relevant events are triggered.

And absolutely- you can come back to this conversation anytime for reference or to continue this discussion if there are any roadblocks.

I have converted my comment to an answer.

Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.

Accepted answer

1 additional answer

Your answer

Sindhuja Dasari 630 Reputation points Microsoft External Staff Moderator

2025-04-30T16:10:09.5833333+00:00

Hello Ming Yu

I understand how frustrating this can be, especially when a VPN tunnel that's been stable for years suddenly stops traffic.

Here are a few troubleshooting steps you might consider:

Since you've enabled diagnostic logs, try querying the TunnelDiagnosticLog table to see if there are any TunnelDisconnected events that coincide with the time of failure. This could indicate an issue with tunnel stability.

Look for any SetGatewayConfiguration or HostMaintenanceEvent entries in the GatewayDiagnosticLog table. These could indicate configuration changes or maintenance events that might be affecting connectivity.

If you can't find the expected tables in your Log Analytics workspace, ensure that the diagnostic settings are correctly configured to send logs to the workspace. You might need to manually query the workspace to confirm the presence of logs.

Some VPN configurations have idle timeout settings that could be terminating the tunnel if there’s no activity for a certain period.

If you're using BGP for routing, ensure that routes are being exchanged properly. A failure in route propagation could cause traffic to stop flowing.

If possible, check logs on your on-premises VPN device to see if there are any errors or disconnect events that align with the traffic stoppage.

Additionally, Refer Troubleshoot-site-to-site-disconnected-intermittently

VPN-gateway-troubleshoot

VPN-gateway-troubleshoot-site-to-site-cannot-connect

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Ming Yu 20 Reputation points

2025-04-30T17:24:48.56+00:00

@Sindhuja Dasari Thanks for the follow up.

As I mentioned in the original post, the challenge is that I can't find any table (GatewayDiagnosticLog, TunnelDiagnosticLog, IKEDiagnosticLog, etc) in the log analytics workspace while the command "az monitor diagnostic-settings list --resource <vpn_gateway_resource_id>" shows it that those logs are enabled like:

"logs": [

{ "category": "GatewayDiagnosticLog", "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } }, { "category": "TunnelDiagnosticLog", "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } }, { "category": "RouteDiagnosticLog", "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } }, { "category": "IKEDiagnosticLog", "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } }, ...

Any thoughts on why those tables do not exist/created?
Praveen Bandaru 3,165 Reputation points Microsoft External Staff Moderator

2025-04-30T19:13:32.9666667+00:00

Hello Ming Yu

Thank you for your response. If possible, could you please share the IKE logs error message screen shot.

Additionally, if possible, could you share all error messages.
Sindhuja Dasari 630 Reputation points Microsoft External Staff Moderator

2025-05-02T11:04:39.8366667+00:00

Hello Ming Yu

I understand that you're unable to find table (GatewayDiagnosticLog, TunnelDiagnosticLog, IKEDiagnosticLog, etc) in the log analytics workspace, as I mentioned earlier ensure that the diagnostic settings are correctly configured to send logs to the intended Log Analytics workspace.

Try running queries directly on the AzureDiagnostics table instead of looking for individual tables like GatewayDiagnosticLog or TunnelDiagnosticLog. Some logs might be stored under AzureDiagnostics table based on the Destination Table you've configured as follows:

Resource Specific - stores logs in a dedicated table specific to resource, offering more structured and easy-to-manage approach.

Diagnostics Logging- stores logs in a centralized AzureDiagnostics table which is less structured and contains data from multiple resource types.

Refer the below screenshot for reference

Run this below query to confirm the presence in AzureDiagnostics

AzureDiagnostics | where ResourceType == "VIRTUALNETWORKGATEWAYS" | summarize count() by Category

Going Further, it is recommended to enable Logging with Destination table as Resource Specific mode

Refer

Create-Diagnostics-Settings

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Sindhuja Dasari 630 Reputation points Microsoft External Staff Moderator

2025-05-05T10:02:15.7833333+00:00

Hello Ming Yu
Following up to see if the above information was helpful. And, if you have any further query do let us know.
Ming Yu 20 Reputation points

2025-05-05T16:12:13.1533333+00:00

Greetings!
So, I can verify that IKEDiagnosticLog is available as a category in AzureDiagnostic table:

But I don't see other log categories (e.g., GatewayDiagnosticLog, TunnelDiagnosticLog, RouteDiagnosticLog, P2SDiagnosticLog, etc).

Also, specifically, when VPN traffic suddenly drops to zero, which log categories should I look into?

Thanks.
Ming Yu 20 Reputation points

2025-05-05T18:15:29.06+00:00

Thank you for the quick response. I think the reason there are no additional logs is because the VPN gateway as not encountered any issue since the diagnostic mode is enabled.

I think at this time, the request can be closed assuming I can still come back to reference it, right?
Sindhuja Dasari 630 Reputation points Microsoft External Staff Moderator

2025-05-05T19:26:09.8766667+00:00

Hello Ming Yu

Thank you for the response.

Yes, if there haven't been any issues, changes since diagnostics were enabled, its normal to only see IKEDiagnosticLog. The others will appear once relevant events are triggered.

And absolutely- you can come back to this conversation anytime for reference or to continue this discussion if there are any roadblocks.

I have converted my comment to an answer.

Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 1

Hello Ming Yu

Thanks for your response. If you’re seeing only IKEDiagnosticLog in the AzureDiagnostics table and no other categories like TunnelDiagnosticLog or GatewayDiagnosticLog, it most likely means those logs haven’t been generated yet — either due to:

No tunnel events/errors to trigger them,
Or insufficient VPN activity/state changes.

When VPN Traffic Drops to Zero, key Log Categories to Focus On

If traffic drops suddenly, here’s what to look for, in order of relevance:

TunnelDiagnosticLog

Primary log for tunnel-level issues:

Tunnel up/down events
Disconnection or dead-peer detection
Negotiation failures beyond IKE phase

IKEDiagnosticLog

Covers Phase 1 negotiation (authentication, encryption handshake):

Useful for initial connection or rekeying issues.
If tunnel fails to establish at all, this is key.

GatewayDiagnosticLog

Covers high-level operational events:

Gateway resets
Configuration changes
Health probe failures (can hint at misconfigurations)
This log is less detailed but still useful for detecting infrastructure issues.

RouteDiagnosticLog

Only populated when:

BGP is enabled and dynamic routes are being exchanged
There are route flaps or issues with learned/published prefixes Use if your gateway is route-based with BGP (common with ExpressRoute + VPN coexistence).

P2SDiagnosticLog

Only relevant if you’re using Point-to-Site (P2S) VPN connections — not applicable for Site-to-Site setups.

Refer Troubleshoot-vpn-with-azure-diagnostics which provides detailed information about the logs.

What to query when Traffic Stops:

1.Query for tunnel status:

AzureDiagnostics | where Category == "TunnelDiagnosticLog" | where Message contains "Tunnel is down" | sort by TimeGenerated desc

Query for IKE issues (e.g., rekey failures, cert/auth issues):

AzureDiagnostics | where Category == "IKEDiagnosticLog" | where Message contains "failure" or Message contains "error" | sort by TimeGenerated desc

Check if gateway itself had issues:

AzureDiagnostics | where Category == "GatewayDiagnosticLog" | sort by TimeGenerated desc

If none of these logs show recent activity around the time of the traffic drop, it likely means:

• No events were triggered (e.g., the tunnel is still technically up, but routes are broken)

• The issue is on the on-prem side (e.g., firewall, routing, dead peer, etc.)

Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 2

@Ming Yu

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

The individual log categories like TunnelDiagnosticLog or IKEDiagnosticLog are stored as entries (rows) within the Azure Diagnostics table, not as standalone tables.
Hence your KQL should query Azure Diagnostics table for categories TunnelDiagnosticLog or IKEDiagnosticLog
Run the below KQL on your log analytics workspace to see if any VPN related logs exist:

AzureDiagnostics
| where ResourceType == "VIRTUALNETWORKGATEWAYS"
| where Category in ("GatewayDiagnosticLog", "TunnelDiagnosticLog", "RouteDiagnosticLog", "IKEDiagnosticLog")
| sort by TimeGenerated desc

If you don't see any logs, make sure the diagnostic settings are configured correctly to send logs to the right Log Analytics workspace.

Run the below command on the az cli and note down the workspaceId from the output.

  az monitor diagnostic-settings show --resource <vpn_gateway_resource_id>

workspace id shown should match the correct workspace you're querying.
You can also validate this by going to Azure Monitor > Diagnostics settings > select the right VPN gateway as shown below.
Make sure your user/account has Log Analytics Reader or Contributor permission on the workspace.
Other factors to consider - If the VPN hasn't experienced any recent disconnections or IKE events, those categories may not emit logs yet. Try triggering traffic or simulate a disconnection to prompt logs. Also don't forget to wait for 30-60 minutes before logs start appearing in log analytics workspace.

If the below answer addressed your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Regards

Ujjawal Tyagi

UJTyagi-MSFT 1,010 Reputation points Microsoft Employee

2025-05-05T04:15:16.5266667+00:00

@Ming Yu Kinldy let me know if you have nay further queries related to my answer otherwise If the below answer addressed your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Ujjawal
Ming Yu 20 Reputation points

2025-05-05T12:22:50.3133333+00:00

Greetings! I was on PTO for the last two days of the previous week. Please allow me some time to test the suggested approach. Will update with result. Thanks.

Share via

Azure VPN Gateway Connection Traffic suddenly stops

1 additional answer

Your answer