|
| 1 | +--- |
| 2 | +title: Troubleshoot Azure site-to-site issues using error codes |
| 3 | +titleSuffix: Azure VPN Gateway |
| 4 | +description: Common error codes and solutions for Azure VPN Gateway site-to-site connections. |
| 5 | +author: fabferri |
| 6 | +ms.service: azure-vpn-gateway |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.date: 09/20/2024 |
| 9 | +ms.author: fabferri |
| 10 | +--- |
| 11 | +# Troubleshooting: Azure site-to-site VPN error codes |
| 12 | + |
| 13 | +This article lists common site-to-site error codes that you might experience. It also discusses possible causes and solutions for these problems. If you know the error code, you can search for the solution on this page. |
| 14 | + |
| 15 | +## Negotiation timed out (Error code: 13805, Hex: 0X35ED) |
| 16 | + |
| 17 | +### Symptom |
| 18 | + |
| 19 | +Connectivity failure. |
| 20 | + |
| 21 | +### Cause |
| 22 | + |
| 23 | +Customer's on-premises VPN device isn't responding to the connection requests (IKE protocol messages) from the Azure VPN gateway. |
| 24 | + |
| 25 | +### Solution |
| 26 | + |
| 27 | +To resolve this problem, follow these steps: |
| 28 | + |
| 29 | +1. Check to make sure on-premises IP address is correctly configured on the Local Network Gateway resource in Azure |
| 30 | +1. Check to see if the on-premises VPN device is receiving the IKE messages from Azure VPN gateway. |
| 31 | + |
| 32 | + * If IKE packets aren't received on the on-premises gateway, check if there's an on-premises firewall dropping the IKE packets. |
| 33 | + * Check on-premises VPN device logs to find why the device isn't responding to the IKE messages from Azure VPN gateway. |
| 34 | + * Take mitigation steps to ensure that on-premises device responds to Azure VPN Gateway IKE requests. Engage device vendor for help, as needed. |
| 35 | + |
| 36 | +## IKE authentication credentials are unacceptable (Error code: 13801, Hex: 0X35E9) |
| 37 | + |
| 38 | +### Symptom |
| 39 | + |
| 40 | +Connectivity failure. |
| 41 | + |
| 42 | +### Cause |
| 43 | + |
| 44 | +Preshared key mismatch. |
| 45 | + |
| 46 | +### Solution |
| 47 | + |
| 48 | +Check to ensure that preshared key configured on the Azure connection resource matches the preshared key configured on the tunnel of the on-premises VPN device. |
| 49 | + |
| 50 | +## Policy match error (Error code: 13868, Hex: 0X362C) / No policy configured (Error code: 13825, Hex: 0X3601) |
| 51 | + |
| 52 | +### Symptom |
| 53 | + |
| 54 | +Connectivity failure. |
| 55 | + |
| 56 | +### Cause |
| 57 | + |
| 58 | +IKE /IPSec policy mismatch. |
| 59 | + |
| 60 | +### Solution |
| 61 | + |
| 62 | +For custom policy configuration on the connection resource in Azure, check to ensure that the IKE policy that's configured on the tunnel of the on-premises VPN device has the same configuration. |
| 63 | + |
| 64 | +For default policy configuration, check [configuration of IPsec/IKE connection policies](ipsec-ike-policy-howto.md) for site-to-site VPN & VNet-to-VNet to ensure the configuration on the tunnel of the on-premises VPN device has the matching configuration. |
| 65 | + |
| 66 | +## Traffic selectors unacceptable (Error code: 13999, Hex: 0X36AF) |
| 67 | + |
| 68 | +### Symptom |
| 69 | + |
| 70 | +Connectivity failure. |
| 71 | + |
| 72 | +### Cause |
| 73 | + |
| 74 | +Traffic selector configuration mismatch. |
| 75 | + |
| 76 | +### Solution |
| 77 | + |
| 78 | +Check the on-premises device log to find why traffic selector configuration proposed by the Azure VPN gateway isn't accepted by the on-premises device. Use one of the following methods to resolve the issue: |
| 79 | + |
| 80 | +* Fix the traffic selector configuration on the tunnel of the on-premises device. |
| 81 | +* Configure policy-based traffic selector on the connection resource in Azure to keep the same configuration as on-premises device traffic selector. For more information, see [Connect VPN gateways to multiple on-premises policy-based VPN devices](vpn-gateway-connect-multiple-policybased-rm-ps.md#create-the-virtual-network-vpn-gateway-and-local-network-gateway). |
| 82 | + |
| 83 | +## Invalid header (Error code: 13824, Hex: 0X3600)/ Invalid payload received (Error code: 13843, Hex: 0X3613)/ Invalid cookie received (13846, Hex: 0X3616) |
| 84 | + |
| 85 | +### Symptom |
| 86 | + |
| 87 | +Connectivity failure. |
| 88 | + |
| 89 | +### Cause |
| 90 | + |
| 91 | +The VPN gateway received unsupported IKE messages/protocols from the on-premises VPN device. |
| 92 | + |
| 93 | +### Solution |
| 94 | + |
| 95 | +1. Ensure on-premises device is among one of the supported devices. See [About VPN devices for connections](vpn-gateway-about-vpn-devices.md#devicetable). |
| 96 | + |
| 97 | +1. Contact your on-premises device vendor for help. |
| 98 | + |
| 99 | +## The recipient cannot handle version of IKE specified in the header (Error code: 13880, Hex: 0X3638) |
| 100 | + |
| 101 | +### Symptom |
| 102 | + |
| 103 | +Connectivity failure. |
| 104 | + |
| 105 | +### Cause |
| 106 | + |
| 107 | +IKE protocol version mismatch |
| 108 | + |
| 109 | +### Solution |
| 110 | + |
| 111 | +Ensure that IKE protocol version (IKE v1 or IKE v2) is same on the connection resource in Azure and on the tunnel configuration of the on-premises VPN device. |
| 112 | + |
| 113 | +## Failure in Diffie-Hellman computation (Error code: 13822, Hex: 0X35FE) |
| 114 | + |
| 115 | +### Symptom |
| 116 | + |
| 117 | +Connectivity failure. |
| 118 | + |
| 119 | +### Cause |
| 120 | + |
| 121 | +Failure in Diffie-Hellman computation. |
| 122 | + |
| 123 | +### Solution |
| 124 | + |
| 125 | +1. For custom policy configuration on the connection resource in Azure, check to ensure that the DH group configured on the tunnel of the on-premises VPN device has the same configuration. |
| 126 | +1. For default DH group configuration, check the [configuration of IPsec/IKE connection policies for S2S VPN & VNet-to-VNet](ipsec-ike-policy-howto.md) to ensure the configuration on the tunnel of the on-premises VPN device has the matching configuration. |
| 127 | +1. If this doesn't resolve the issue, engage your VPN device vendor for further investigation. |
| 128 | + |
| 129 | +## The remote computer refused the network connection (Error code: 1225, Hex: 0X4C9) |
| 130 | + |
| 131 | +### Symptom |
| 132 | + |
| 133 | +Connectivity failure. |
| 134 | + |
| 135 | +### Cause |
| 136 | + |
| 137 | +The Azure connection resource is configured as Initiator only mode and might not accept any connection requests from the on-premises device. |
| 138 | + |
| 139 | +### Solution |
| 140 | + |
| 141 | +Update the connection mode property on the connection resource in Azure to **Default** or **Responder only**. For more information, see [Connection mode](vpn-gateway-about-vpn-gateway-settings.md#connectionmode) settings. |
| 142 | + |
| 143 | +## Next steps |
| 144 | + |
| 145 | +For more information about VPN Gateway troubleshooting, see [Troubleshooting site-to-site connections](vpn-gateway-troubleshoot-site-to-site-cannot-connect.md). |
0 commit comments