Azure Palo Alto S2S in Not Connected State

test 0 Reputation points
2024-04-17T11:43:06.75+00:00

IKEDiagnosticLog throws these errors:

No Phase2 qms left on active connection

The parameter is incorrect.

Sending IKE SA delete for icookie

I have an EgressNat rule attached as well. [image: Screenshot 2024-04-17 at 4.08.11 PM]


  1. GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee
    2024-04-18T14:21:47.25+00:00

    Hello @test,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are trying to setup a site-to-site VPN connection between Azure and your on-premises Palo Alto device, but it shows Not connected.

    Since the protocol on the above screenshot shows IKEv2, I believe you are using a Route-based VPN gateway.

    Could you please share the below details:

    • What is your Palo Alto device or PAN-OS version?
    • You also mentioned that you have an EgressNat rule attached as well; do you have address space overlap between Azure and your on-premises network?

    When the on-premises network address space overlaps with the virtual network address space, you need both Ingress and Egress rules on the same connection.

    Refer: https://video2.skills-academy.com/en-us/azure/vpn-gateway/nat-overview#do-i-need-both-ingress-and-egress-rules-on-a-nat-connection

    The error "No Phase2 qms left on active connection" comes up when the on-premises VPN device sends the IKEV2_TS_UNACCEPTABLE message and the on-premises VPN device tears down the tunnel.

    So, this could mostly be a misconfiguration somewhere.

    I would request you to validate your configuration again following the below document:

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm6WCAS

    And if the above doesn't help, please share the details requested above for further discussion on this issue.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

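The two conditions the answer above points at, the address-space overlap that forces both NAT rule modes onto one connection and the traffic-selector mismatch behind IKEV2_TS_UNACCEPTABLE, as an added pre-flight check that is not part of the thread and is not Azure or PAN-OS code. It assumes that an Azure route-based gateway proposes 0.0.0.0/0 selectors unless policy-based traffic selectors are enabled, and it models selector narrowing from RFC 7296 section 2.9 on address ranges only (no ports or protocol); the prefixes in the `__main__` block are constructed sample input.

```python
# Added example, not from the Q&A thread. Two pre-flight checks for an Azure
# route-based S2S tunnel: (1) does the address-space overlap force both an
# IngressSnat and an EgressSnat NAT rule onto the connection, and (2) would the
# IKEv2 traffic selectors the two peers are configured with ever intersect?
# The selector part is a simplified model of RFC 7296 section 2.9 narrowing
# (address ranges only, no ports or protocol); it is not Azure or PAN-OS code.
from ipaddress import ip_network
from typing import Iterable, List, Optional, Set, Tuple


def _nets(prefixes: Iterable[str]):
    return [ip_network(p, strict=False) for p in prefixes]


def overlapping_pairs(vnet_prefixes: Iterable[str],
                      onprem_prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Every (VNet prefix, on-prem prefix) pair that shares addresses."""
    return [(str(v), str(o))
            for v in _nets(vnet_prefixes)
            for o in _nets(onprem_prefixes)
            if v.overlaps(o)]


def required_nat_modes(vnet_prefixes: Iterable[str],
                       onprem_prefixes: Iterable[str]) -> Set[str]:
    """NAT rule modes the connection must carry.

    Overlapping address spaces need both an IngressSnat rule (translating the
    on-prem side) and an EgressSnat rule (translating the VNet side) on the
    same connection. With no overlap NAT is optional, so nothing is required.
    """
    if overlapping_pairs(vnet_prefixes, onprem_prefixes):
        return {"IngressSnat", "EgressSnat"}
    return set()


def narrow_selectors(initiator_ts: Iterable[str],
                     responder_ts: Iterable[str]) -> Optional[List[str]]:
    """Responder-side narrowing of one traffic-selector direction.

    The responder may pick any subset of what the initiator proposed that its
    own policy also allows. Returns the narrowed selector list, or None when
    no proposed range intersects the responder's policy, which is the case the
    responder answers with TS_UNACCEPTABLE.
    """
    chosen = []
    for i in _nets(initiator_ts):
        for r in _nets(responder_ts):
            if i.overlaps(r):
                # Two overlapping CIDR blocks nest, so the intersection is
                # simply the more specific of the two.
                chosen.append(str(i if i.prefixlen >= r.prefixlen else r))
    return sorted(set(chosen)) or None


def child_sa_outcome(init_local: Iterable[str], init_remote: Iterable[str],
                     resp_local: Iterable[str], resp_remote: Iterable[str]) -> str:
    """Outcome of a CREATE_CHILD_SA from the responder's point of view.

    TSi (initiator's local ranges) must intersect the responder's remote
    policy, and TSr (initiator's remote ranges) must intersect the responder's
    local policy. Either direction empty -> TS_UNACCEPTABLE, which is the
    notification behind the "No Phase2 qms left" entry in the thread.
    """
    tsi = narrow_selectors(init_local, resp_remote)
    tsr = narrow_selectors(init_remote, resp_local)
    if tsi is None or tsr is None:
        return "TS_UNACCEPTABLE"
    return f"OK TSi={tsi} TSr={tsr}"


if __name__ == "__main__":
    # Constructed sample prefixes (hypothetical, not from the thread).
    print("overlap ->", required_nat_modes(["10.0.0.0/16"], ["10.0.0.0/16"]))
    print("no overlap ->", required_nat_modes(["10.1.0.0/16"], ["10.2.0.0/16"]))
    # Palo Alto with proxy IDs against an Azure route-based gateway, which
    # (assumption) offers 0.0.0.0/0 unless policy-based selectors are enabled.
    print(child_sa_outcome(["10.1.0.0/16"], ["10.2.0.0/16"],
                           ["0.0.0.0/0"], ["0.0.0.0/0"]))
    # Responder policy that does not cover the proposed remote range.
    print(child_sa_outcome(["10.1.0.0/16"], ["10.2.0.0/16"],
                           ["10.3.0.0/16"], ["10.1.0.0/16"]))
```

Run it after changing a NAT rule or a proxy ID on either side: if `required_nat_modes` returns both modes, the connection must reference one rule of each mode, and if `child_sa_outcome` reports TS_UNACCEPTABLE for the selectors you intend to propose, the IKE diagnostic log will keep showing the Phase 2 teardown regardless of what the NAT rules look like.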
