IPSEC Tunnels to Azure vWAN sometimes stop passing traffic

Andy P 0 Reputation points
2025-11-19T17:31:24.7633333+00:00

I have an IPsec VPN between a Fortinet firewall and Azure vWAN which functions properly 99.9% of the time. Occasionally, the tunnel will randomly stop passing traffic, despite the tunnel still being up. "Bouncing" the tunnel resolves the issue. Other tunnels on the Fortinet continue to function properly.

Are there any logs to view on the Azure side for troubleshooting purposes? Is there an Azure portal that indicates recent "issues" by zone, e.g. US West 1?


2 answers

  1. Q&A Assist
    2025-11-19T17:31:44.2333333+00:00
    AI generated content (Q&A Assist).

    To troubleshoot IPsec VPN issues with Azure Virtual WAN, you can utilize various diagnostic logs available in Azure. Specifically, the TunnelDiagnosticLog can help you inspect the historical connectivity statuses of the tunnel. This log provides insights into events such as tunnel connections and disconnections, which can be useful in identifying patterns or issues that may cause the tunnel to stop passing traffic.

    You can query the TunnelDiagnosticLog to see events related to your VPN connection. Here’s a sample query you might use:

    AzureDiagnostics
    | where Category == "TunnelDiagnosticLog"
    | project TimeGenerated, OperationName, remoteIP_s, instance_s, Resource, ResourceGroup
    | sort by TimeGenerated asc
    

    This will allow you to see the timestamps of events, operation names (like TunnelConnected or TunnelDisconnected), and other relevant information.

    Additionally, for real-time monitoring of Azure services, you can check the Azure Status page, which indicates any ongoing issues by region, including US West 1. This can help you determine if there are any broader issues affecting your VPN connection.



  2. Venkatesan S 1,010 Reputation points Microsoft External Staff Moderator
    2025-11-19T19:56:53.3166667+00:00

    Hi Andy P,

    Thanks for reaching out to Microsoft Q&A.

    According to this MS-Document,

    Azure Virtual WAN does provide logs, but they must be explicitly enabled. These logs help you troubleshoot tunnel outages, renegotiations, SA resets, dropped packets, etc.

    Key Log Categories:

    • TunnelDiagnosticLog: Tracks tunnel state changes (e.g., disconnects or unresponsiveness). Query for events like "TunnelDisconnected" to identify timestamps of issues.
    • IKEDiagnosticLog: Verbose IKE/IPsec debug info for negotiation failures. Useful for parsing SA_INIT messages during retries.
    • RouteDiagnosticLog: BGP events (e.g., "BgpDisconnectedEvent") that could cause routing blackholes.

    You can enable the logs through Azure portal.

    • Portal → Virtual WAN → Hubs → (Your Hub) → VPN gateways → Diagnostic settings

    You can stream logs to:

    • Log Analytics Workspace
    • Storage Account
    • Event Hub

    Is there an Azure portal that indicates recent "issues" by zone, e.g. US West 1?

    Yes, Azure has a service health dashboard that shows issues per region (not per zone).

    • Azure Portal → Monitor → Service Health


    Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

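A query that builds on the three log categories named in the answers, added here as an example and not part of either answer or of Microsoft's documentation: for every tunnel state change on one VPN gateway it lists the IKE and BGP events logged in the preceding ten minutes, so an incident like the one in the question can be matched against rekeys or BGP flaps. It assumes all three categories are streamed to one Log Analytics workspace (the AzureDiagnostics table), that the event text sits in the standard Message column, and uses <vpn-gateway-name> as a placeholder for the hub's VPN gateway resource name.

```kql
// Added example: tunnel state changes with the IKE/BGP events that preceded them.
// <vpn-gateway-name> is a placeholder; =~ makes the match case-insensitive,
// since AzureDiagnostics often stores Resource in upper case.
let gw = "<vpn-gateway-name>";
let lookback = 10m;   // how far before each state change to look
let step = 5m;        // bucket size for the time-window join
let tunnelEvents =
    AzureDiagnostics
    | where Resource =~ gw and Category == "TunnelDiagnosticLog"
    | where OperationName in ("TunnelDisconnected", "TunnelConnected")
    | project TunnelTime = TimeGenerated, TunnelEvent = OperationName,
              instance_s, remoteIP_s, Resource
    // one row per bucket covering [TunnelTime - lookback, TunnelTime]
    | extend TimeKey = range(bin(TunnelTime - lookback, step), bin(TunnelTime, step), step)
    | mv-expand TimeKey to typeof(datetime);
let otherEvents =
    AzureDiagnostics
    | where Resource =~ gw and Category in ("IKEDiagnosticLog", "RouteDiagnosticLog")
    | project EventTime = TimeGenerated, Category, EventName = OperationName,
              Message, Resource
    | extend TimeKey = bin(EventTime, step);
tunnelEvents
| join kind=leftouter otherEvents on Resource, TimeKey
// keep only events that really fall inside the lookback window (or no event at all)
| where isnull(EventTime) or (TunnelTime - EventTime) between (0s .. lookback)
| summarize PrecedingEvents = make_list_if(
      bag_pack("time", EventTime, "category", Category, "event", EventName, "message", Message),
      isnotnull(EventTime))
    by TunnelTime, TunnelEvent, instance_s, remoteIP_s
| order by TunnelTime asc
```

A TunnelDisconnected row whose PrecedingEvents list is empty points away from IKE or BGP and toward the data path or the peer, while a list full of IKE retries or a BgpDisconnectedEvent narrows the search to negotiation or routing.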
