Issue with Azure VPN device connecting to Azure VM (domain controller)

  • Question

  • Hi,

    I have successfully connected a device (Windows 10 - 19042.1052) with an Azure VM (Domain controller - Windows Server 2019) located in a VNet through VPN Point to Site. The VPN authentication is certificate-based and the protocols are IKEv2 + SSTP.

    The following tests were performed but some failed, so I need your help to solve them:

    Tests from device:

    • Ifconfig (I can see the VPN IP address assigned to my device and DNS) ... it works

    • Nslookup (I can query the domain controller in Azure) ... it works

    • Ping from device to Azure VM IP address located in VNet ... it works!


    1) Ping from device to Azure VM using FQDN ... it does not work
    The error is: Ping request could not find host "fqdn". Please check the name and try again.

    It happens in most client devices (4 of 5 devices tested).

    2) When VPN P2S is connected, all tested devices can see the shares (netlogon and sysvol) in the Azure VM Domain Controller, but credentials are requested to access them. I type the right credentials but it does not work, asking them again and again. Then I cannot make group policy work because the device cannot query the sysvol folder.

    I checked the following link about VPN P2S issues and solutions but none of them solved my issue.

    June 30, 2021 8:31 PM


  • I have the same problem, did you find the solution?
    July 1, 2021 1:30 PM
  • Hi David,

    Unfortunately not yet

    July 2, 2021 2:46 PM
  • Probably due to firewall settings. Use the tracert command and check which router you are having trouble with.
    • Proposed as answer by Dripjamz July 18, 2021 5:49 PM
    • Unproposed as answer by Dripjamz July 18, 2021 5:49 PM
    July 4, 2021 8:34 AM
  • Hello Gabriel

    How did you configure your DNS? Are you using the default Azure DNS?

    If the answer to the above question is yes, then you need to configure a custom DNS. First, install the DNS role on your Domain Controller if you haven't already and then use the IP of the DNS/Domain Controller as your custom DNS.

    To configure a custom DNS via the Azure portal, navigate to your VNET, click on DNS servers, select Custom and enter the DNS server IP. Then reboot your VM. See if this fixes your problem.

    If you are already using a custom DNS, then I will suggest that you change VPN authentication to Azure AD.

    Please do not forget to "Accept the answer" and Upvote on the post that helped you, this can be beneficial to other community members.

    • Edited by Oogaga July 21, 2021 8:51 PM
    • Proposed as answer by Scuba_Duba March 29, 2022 6:03 AM
    • Unproposed as answer by Scuba_Duba March 29, 2022 6:04 AM
    July 21, 2021 8:48 PM
  • I can't find information on this online.
    March 21, 2022 4:27 AM
  • Very nice and great post here.
    March 26, 2022 7:19 AM
  • There are two possible issues, based on your description of the first problem.

    1. Your local device is not using the DNS servers within your Azure vnet (either custom or default). This would most likely be caused if the priority metric of your local ethernet/wifi adapter is lower than that of the VPN adapter. You can list the interfaces, and their interface metrics, using the `Get-NetIPInterface` PowerShell command. You can confirm this is what is causing the problem by doing an `nslookup` command and specifying the correct DNS server: `nslookup server.domain.tld {ipaddress of CORRECT DNS server}`. If this resolves correctly, your issue is with the adapter.
    2. You haven't set up your domain controller with the DNS service, you haven't set up the custom DNS server in the vnet's configuration, or something is blocking port 53 between your on-premises device and Azure. I'm assuming the first of those isn't the case, but double check; I've missed silly things like this while working quickly. Next, check that the vnet that holds your gateway (which may or may NOT be the same vnet that your VM is in, if you have peering) is set up with custom DNS servers pointing at the IP of your Azure VM domain controller running the DNS service. Lastly, check if connectivity over port 53 is working, perhaps using the `Test-NetConnection` PowerShell command and specifying port 53: `Test-NetConnection {dns server IP} -p 53`.

    As for your second problem, it seems likely that the on-premises devices aren't domain joined, or that domain authentication is broken, along with DNS. You may need to specify the NetBIOS domain name ahead of the username: `DOMAIN\USERNAME`.

    March 26, 2022 9:46 PM
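    The checks from the answer above, gathered into one script. This is an added example and is not code posted by anyone in this thread; the DNS server address and the FQDN at the top are placeholders you must replace. It lists the connected IPv4 interfaces ordered by metric (the VPN adapter should have the lowest number, otherwise the local adapter's DNS servers win), shows which DNS servers each adapter uses, resolves the name once through the default resolver order and once directly against the Azure domain controller, and finally tests TCP/53 to that server.

    ```powershell
    # Added diagnostic script for the P2S DNS problem (not from any poster in this thread).
    # Both values below are placeholders: use the private IP of the Azure DC that runs
    # the DNS role and a name that only that DC can resolve.
    param(
        [string]$DnsServer = '10.0.0.4',          # assumed: private IP of the Azure DC/DNS server
        [string]$Fqdn      = 'dc01.corp.example'  # assumed: FQDN that should resolve via that DC
    )

    # 1. Interface metrics. A LOWER number is preferred, so the VPN adapter must sort first
    #    if its DNS servers are to be consulted before the Ethernet/Wi-Fi adapter's servers.
    Write-Host "== Connected IPv4 interfaces ordered by metric (lowest wins) =="
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' } |
        Sort-Object InterfaceMetric |
        Select-Object InterfaceAlias, InterfaceMetric, NlMtu |
        Format-Table -AutoSize

    # 2. DNS servers configured on each adapter, so you can see whether the Azure DC
    #    is present at all and on which adapter.
    Write-Host "== DNS servers per interface =="
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, ServerAddresses |
        Format-Table -AutoSize

    # 3. Resolve the name through the normal resolver order, then explicitly against the
    #    Azure DC. Failing the first but passing the second means the adapter order is the
    #    culprit, not the DNS service on the DC (this is the nslookup test from the answer).
    Write-Host "== Name resolution for $Fqdn =="
    try {
        $viaDefault = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
        Write-Host "Default resolver : OK -> $($viaDefault.IPAddress -join ', ')"
    } catch {
        Write-Host "Default resolver : FAILED ($($_.Exception.Message))"
    }
    try {
        $viaDc = Resolve-DnsName -Name $Fqdn -Type A -Server $DnsServer -ErrorAction Stop
        Write-Host "Via $DnsServer : OK -> $($viaDc.IPAddress -join ', ')"
    } catch {
        Write-Host "Via $DnsServer : FAILED ($($_.Exception.Message))"
    }

    # 4. Port 53 reachability. Test-NetConnection only probes TCP, but a TCP/53 failure
    #    while ICMP succeeds still points at an NSG, an on-premises firewall or the
    #    Windows firewall on the DC rather than at the tunnel itself.
    Write-Host "== TCP/53 to $DnsServer =="
    $tnc = Test-NetConnection -ComputerName $DnsServer -Port 53 -WarningAction SilentlyContinue
    if ($tnc.TcpTestSucceeded) {
        Write-Host "TCP/53 reachable (source address $($tnc.SourceAddress.IPAddress))"
    } else {
        Write-Host "TCP/53 NOT reachable (ping succeeded: $($tnc.PingSucceeded))"
    }
    ```

    Run it from an elevated PowerShell session while the P2S tunnel is up. If step 3 only succeeds when the server is given explicitly, the fix is on the client side (for example lowering the VPN adapter's metric with `Set-NetIPInterface -InterfaceAlias '<vpn adapter>' -InterfaceMetric 1`); if step 3 fails both ways and step 4 fails too, look at the vnet DNS setting, NSGs and firewalls between the device and the DC before touching the client.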
  • This is a common problem with VPN, I guess.

    March 28, 2022 8:57 AM
  • Check whether the on-premises VPN device is validated.
    Verify the shared key.
    Verify the VPN peer IPs.
    Check UDR and NSGs on the gateway subnet.
    Check the on-premises VPN device external interface address.
    Verify that the subnets match exactly (Azure policy-based gateways).

    July 27, 2022 9:25 AM