How To
Summary
When an Azure Virtual Machine (VM) is running but the customer can't ping the server or connect via RDP, the cause is usually Network Security Group (NSG) rules blocking traffic, Windows Firewall settings on the VM, or a configuration mismatch such as the wrong IP address.
Ping failures are especially common because inbound ICMP traffic is blocked by default in Azure NSGs and often in the VM's firewall. RDP issues typically involve port 3389 not being allowed inbound.
Objective
Use the step-by-step troubleshooting guide below to resolve the issue.
Environment
Steps
Step 1: Verify Basic VM Status and Connectivity Details
- In the Azure portal, go to your VM's Overview page and confirm it's in a "Running" state. Note the public IP address (if assigned) and ensure you're using the correct one for RDP or ping attempts.
- Check if the VM has a public IP associated. If it's behind a load balancer or in a private VNet, you may need VPN access instead of direct internet connectivity.
- Test from different networks or devices to rule out local issues (e.g., your ISP blocking ports or local firewall).
If the IP has changed (common after restarts), update your RDP file accordingly.
Step 2: Check and Configure Network Security Group (NSG) for RDP and Ping
NSGs act as a firewall at the network level and often block RDP (TCP port 3389) or ICMP (for ping) by default.
- Sign in to the Azure portal > Select your VM > Go to Settings > Networking.
- Under Inbound port rules, look for a rule allowing:
  - Port: 3389
  - Protocol: TCP
  - Source: Any (or your specific IP for security)
  - Action: Allow
  - Priority: A low number (e.g., 300) to ensure it's not overridden.
- If missing, add a new inbound rule with the above settings. For production, restrict the source to your IP and avoid exposing 3389 directly—use Bastion, VPN, or Just-In-Time access instead.
- For ping (ICMP): Add another inbound rule with:
  - Protocol: ICMP
  - Source: Any (or your IP)
  - Action: Allow
  - Priority: Low number.
ICMP is blocked by default in Azure, so this rule is required for inbound pings to succeed.
Retest RDP and ping after saving changes (may take a minute to apply).
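The following PowerShell is an added example, not part of the original article: it evaluates a set of inbound NSG rules in priority order (lowest number first, first match decides) and flags an Allow that is open to any source. The function names, rule names and documentation-range IP addresses are constructed for illustration; service tags are not modelled, and of the default rules only DenyAllInBound (65500) is included.

```powershell
# Added example: offline model of inbound NSG evaluation. All rules are sample data.
function ConvertTo-IPv4Number([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [double]$b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3]
}

function Test-SourceMatch([string]$Ip, [string]$Prefix) {
    if ($Prefix -in '*', 'Any') { return $true }
    # Anything that is not an IPv4 address or CIDR (e.g. a service tag) is not modelled.
    if ($Prefix -notmatch '^\d+(\.\d+){3}(/\d+)?$') { return $false }
    $net, $bits = $Prefix -split '/'
    if ($null -eq $bits) { $bits = 32 }
    $size = [math]::Pow(2, 32 - [int]$bits)   # number of addresses in the block
    [math]::Floor((ConvertTo-IPv4Number $Ip) / $size) -eq [math]::Floor((ConvertTo-IPv4Number $net) / $size)
}

function Get-NsgInboundVerdict {
    param([object[]]$Rules, [string]$SourceIp, [string]$Protocol, [int]$Port = 0)
    foreach ($r in ($Rules | Sort-Object Priority)) {
        $protoOk = $r.Protocol -in '*', $Protocol
        $portOk  = ($r.Port -eq '*') -or ([int]$r.Port -eq $Port)
        if ($protoOk -and $portOk -and (Test-SourceMatch $SourceIp $r.Source)) {
            # First matching rule decides; later rules are never consulted.
            [pscustomobject]@{
                Test      = "$Protocol/$Port from $SourceIp"
                Action    = $r.Action
                DecidedBy = "$($r.Priority) $($r.Name)"
                OpenToAny = ($r.Action -eq 'Allow' -and $r.Source -in '*', 'Any')
            }
            return
        }
    }
}

# Constructed rule set: RDP restricted to one admin range, ping allowed from anywhere.
$rules = @(
    [pscustomobject]@{ Priority = 300;   Name = 'Allow-RDP-Admin'; Protocol = 'Tcp';  Port = '3389'; Source = '203.0.113.0/24'; Action = 'Allow' }
    [pscustomobject]@{ Priority = 310;   Name = 'Allow-Ping';      Protocol = 'Icmp'; Port = '*';    Source = '*';              Action = 'Allow' }
    [pscustomobject]@{ Priority = 65500; Name = 'DenyAllInBound';  Protocol = '*';    Port = '*';    Source = '*';              Action = 'Deny' }
)

Get-NsgInboundVerdict $rules '203.0.113.25' 'Tcp' 3389    # RDP from inside the admin range
Get-NsgInboundVerdict $rules '198.51.100.7' 'Tcp' 3389    # RDP from an unrelated address
Get-NsgInboundVerdict $rules '198.51.100.7' 'Icmp'        # ping from an unrelated address
```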
Step 3: Check the VM's Internal Firewall
Even with NSG rules allowing traffic, the Windows Firewall on the VM might block it.
- Connect to the VM using Azure Serial Console (in the portal: VM > Support + troubleshooting > Serial console) or another method if possible.
- In an elevated Command Prompt or PowerShell on the VM:
  - For RDP: Ensure the Remote Desktop service is running with `Get-Service TermService` and start it if needed with `Start-Service TermService`.
  - For ping: Enable ICMP by running `netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow`, or temporarily disable the firewall with `netsh advfirewall set allprofiles state off` (re-enable after testing).
- Alternatively, use Azure Run Command (VM > Operations > Run command) to execute these without direct access.
If firewall rules are the issue, inbound ICMP or port 3389 may need explicit allowances like "File and Printer Sharing (Echo Request - ICMPv4-In)".
Step 4: Test Connectivity Without Relying on Ping
Since ICMP is unreliable in Azure (deprioritized or blocked), use TCP-based tools for better diagnostics.
- Download TCping (from Microsoft) on your local machine and run: `tcping64.exe -t <VM Public IP> 3389` to test RDP port reachability.
- In the Azure portal, use Network Watcher (search for it > Connectivity check):
  - Select source (your local IP or another VM) and destination (your VM's IP/port 3389).
  - It will diagnose NSG blocks, routes, or firewall issues hop-by-hop.
- If TCping succeeds but RDP fails, the issue might be authentication—proceed to Step 5.
Use these over ping for accurate results.
Step 5: Troubleshoot RDP-Specific Errors (e.g., Authentication Failures)
If the port is open but connection fails (e.g., "authentication error"):
- Temporarily disable Network Level Authentication (NLA) via Azure Run Command or Serial Console:
  - Run: `reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f`
  - Restart the VM, then attempt RDP.
  - Re-enable after: `reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f` and restart.
- Check encryption settings: In Run Command, query `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel`. If it's 3 or 4, set to 2 with `reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 2 /f`.
- Reset RDP configuration via portal: VM > Support + troubleshooting > Reset password (even if not password-related, it can reset RDP).
For domain-joined VMs, verify domain controller connectivity with `Test-ComputerSecureChannel -verbose` and repair if broken.
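The in-guest checks from Steps 3 and 5 can be collected in one read-only pass, which also confirms that the firewall and NLA were turned back on after testing. This is an added example, not part of the original article; the function name is hypothetical, `fDenyTSConnections` and `PortNumber` are standard Terminal Server registry values that the article does not mention, and the 'Remote Desktop' rule group name assumes an English-language Windows installation.

```powershell
# Added example: read-only RDP health check. Run inside the VM from an elevated
# PowerShell session (Serial Console or Run Command). It changes no settings.
function Get-RdpGuestState {
    $ts      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp     = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp"
    $inbound = @(Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)

    $state = [pscustomobject]@{
        TermService         = (Get-Service -Name TermService).Status.ToString()
        RdpConnectionsOff   = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 1
        RdpPort             = $rdp.PortNumber
        PortListening       = [bool](Get-NetTCPConnection -LocalPort $rdp.PortNumber -State Listen -ErrorAction SilentlyContinue)
        NlaEnabled          = $rdp.UserAuthentication -eq 1
        MinEncryptionLevel  = $rdp.MinEncryptionLevel
        RdpAllowRules       = @($inbound | Where-Object { $_.DisplayGroup -eq 'Remote Desktop' -and $_.Action -eq 'Allow' }).Count
        IcmpEchoRules       = @($inbound | Where-Object DisplayName -match 'echo request').Count
        FirewallProfilesOff = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }).Name -join ','
    }

    # Map each deviation back to the step in the article that addresses it.
    $findings = @()
    if ($state.TermService -ne 'Running') { $findings += 'TermService is not running (Step 3)' }
    if ($state.RdpConnectionsOff)         { $findings += 'fDenyTSConnections = 1: Remote Desktop is turned off in the guest' }
    if (-not $state.PortListening)        { $findings += "Nothing is listening on TCP $($state.RdpPort)" }
    if ($state.RdpAllowRules -eq 0)       { $findings += 'No enabled inbound Remote Desktop allow rule (Step 3)' }
    if ($state.IcmpEchoRules -eq 0)       { $findings += 'No enabled inbound echo request rule; ping will fail (Step 3)' }
    if (-not $state.NlaEnabled)           { $findings += 'NLA is disabled: set UserAuthentication back to 1 (Step 5)' }
    if ($state.FirewallProfilesOff)       { $findings += "Firewall profile(s) off: $($state.FirewallProfilesOff); re-enable after testing (Step 3)" }

    $state | Add-Member -NotePropertyName Findings -NotePropertyValue $findings -PassThru
}

Get-RdpGuestState | Format-List
```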
Additional Information
Additional Fixes
- Restart the VM from the Azure portal (can resolve transient issues).
- Reset network interface: VM > Networking > Select the network interface > Overview > Reset network interface.
- If in a VNet with VPN/site-to-site, ensure routes allow traffic and no OS firewall on VM blocks it.
- Check for high CPU/memory via portal metrics, as it can cause connectivity drops.
- If nothing works, use Azure Bastion for secure RDP access (VM > Connect > Bastion).
Document Location
Worldwide
Document Information
Modified date:
23 September 2025
UID
ibm17245950