Hello Sijin N P,
You are unable to connect to the Test Failover VM using Bastion or RDP/SSH after performing a Test Failover in Azure Site Recovery (ASR). The error indicates NSG rules are blocking ports 22 or 3389, but you have already verified NSG settings. Later, you identified the source VM is Generation 2 (UEFI), while the Test Failover VM appears as Generation 1, causing boot and connectivity issues, which might be due to the reasons below:
- NSG/Bastion configuration – Bastion requires specific NSG rules to allow inbound traffic on TCP 3389 (RDP) or TCP 22 (SSH) from the Bastion subnet.
- Guest OS preparation – The VM must have RDP/SSH enabled and firewall rules configured before failover.
- Boot type mismatch – ASR supports UEFI/Gen2 for certain OS versions. If the target VM size or Compute & Network settings are incompatible, the VM may boot incorrectly and fail hydration.
As a resolution, please try the workarounds below:
Step 1: Validate NSG Rules for Bastion
- On the Test Failover VM NIC:
  - Add Allow inbound rule for:
    - TCP 3389 (Windows) or TCP 22 (Linux)
    - Source: AzureBastionSubnetCIDR or VirtualNetwork
    - Priority: Higher than any deny rule
  - If there is a DenyAllOutbound rule, add an Allow outbound to VirtualNetwork for ports 3389/22.
Reference: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg
Step 2: Prepare Guest OS Before Failover:
- Windows:
  - Enable RDP and allow TCP+UDP 3389 in all firewall profiles.
  - Remove persistent routes and WinHTTP proxy.
  - Set SAN policy to OnlineAll.
- Linux:
  - Ensure SSH service starts on boot and firewall allows port 22.
Reference: https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-failover
Step 3: Address Generation 2 / UEFI Mismatch:
- Confirm OS is supported for UEFI/Gen2 failover:
- In Replicated Items → Properties → Compute and Network:
  - Select a VM size compatible with Gen2/UEFI.
- If the Test Failover VM boots incorrectly:
  - Delete the Test Failover VM.
  - Disable replication, correct settings, and re-enable replication.
Step 4: If RDP Still Fails:
- Use VMAccess extension to reset RDP configuration:
  - Portal → VM → Reset password → Reset configuration only.
If you have any other questions or need further support, please feel free to contact us.
Thanks,
Suchitra.
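
The priority point in Step 1, as an added example that is not part of the original answer: a small Python evaluator that applies NSG first-match ordering (the lowest priority number is evaluated first) to rule dictionaries assumed to use the field names of `az network nsg rule list` JSON output. The rule names, addresses and priorities are constructed sample values, and destination prefixes and service tags other than VirtualNetwork are not modelled.

```python
import ipaddress

# Azure's built-in inbound defaults (AllowAzureLoadBalancerInBound omitted:
# its service tag is not modelled in this sketch).
DEFAULTS = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def port_match(spec, port):
    """True if an NSG port spec ('*', '3389', '3000-4000') covers port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def source_match(prefix, ip, vnet_cidrs):
    """Match '*', the VirtualNetwork tag, or a CIDR/IP; other tags never match."""
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return any(ip in ipaddress.ip_network(c) for c in vnet_cidrs)
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False

def effective_inbound(rules, src_ip, port, vnet_cidrs, protocol="Tcp"):
    """Return (access, rule name) of the first match, lowest priority number first."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules + DEFAULTS, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["protocol"] not in ("*", protocol):
            continue
        ports = r.get("destinationPortRanges") or [r["destinationPortRange"]]
        srcs = r.get("sourceAddressPrefixes") or [r["sourceAddressPrefix"]]
        if any(port_match(p, port) for p in ports) and any(source_match(s, ip, vnet_cidrs) for s in srcs):
            return r["access"], r["name"]
    return "Deny", "no match"

# Constructed sample: Bastion host 10.0.1.4 in AzureBastionSubnet 10.0.1.0/26.
VNET = ["10.0.0.0/16"]
def allow(priority):
    return {"name": "AllowBastionRDP", "priority": priority, "direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26", "destinationPortRange": "3389"}
DENY = {"name": "DenyAllCustom", "priority": 200, "direction": "Inbound", "access": "Deny",
        "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}

if __name__ == "__main__":
    print(effective_inbound([DENY, allow(300)], "10.0.1.4", 3389, VNET))  # custom deny matches first
    print(effective_inbound([DENY, allow(150)], "10.0.1.4", 3389, VNET))  # allow now matches first
```

Feeding it the rules exported from the Test Failover VM's NIC and subnet NSGs shows which rule decides the Bastion connection, which helps when the portal error blames the NSG but the allow rule appears to be present.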