Troubleshooting ARP Failures on Azure ExpressRoute
"A pragmatic guide to diagnosing Layer 2 connectivity and ARP resolution failures on Azure ExpressRoute circuits."
When bringing up a new Azure ExpressRoute connection, the most critical (and often most problematic) phase is establishing Layer 2 connectivity between your Customer Edge (CE) router and the Microsoft Enterprise Edge (MSEE) routers. If ARP fails, BGP will never establish.
Identifying the Problem
If the circuit status shows as Provisioned in the Azure portal, but you cannot ping the Microsoft peering IP, you likely have an ARP issue. The first step is to verify if your router sees the MSEE's MAC address.
Querying the Azure backend to see if Microsoft sees your MAC address.
Age InterfaceProperty IpAddress MacAddress
10 On-Prem 10.0.0.1 Incomplete
0 Microsoft 10.0.0.2 12:34:56:78:9A:BC
If the MacAddress for your On-Prem IP shows up as Incomplete, it means Azure is sending ARP requests, but your router is not responding (or the traffic is being dropped in the provider cloud).
Common Resolutions
- VLAN Tag Mismatch: Ensure that the C-Tag (Customer Tag) configured on your sub-interface perfectly matches the VLAN ID specified in the Azure ExpressRoute Peering configuration.
- Q-in-Q Stripping: If you are connecting through a carrier Ethernet service, ensure the provider is not stripping your 802.1Q tags before handing the frame off to Microsoft.
- Subnet Mask Errors: Azure requires a
/30subnet for peering. Ensure your router interface is configured with255.255.255.252.
Proactive Monitoring of ExpressRoute Connectivity
To prevent ExpressRoute outages and minimize troubleshooting time during active network disruptions:
- Azure Network Watcher: Configure connection monitors within Azure Network Watcher to continuously ping and measure latency to your on-premises edge devices over the ExpressRoute path.
- BGP Route Monitoring: Set up Azure Service Health alerts to notify your engineering team immediately if a BGP routing peer drops or if there is a sudden change in advertised prefixes.
- Redundant Peer Validation: Routinely test your primary and secondary ExpressRoute circuits during planned maintenance windows to verify that failover operates seamlessly and that asymmetric routing does not occur.
Maintaining clear, real-time visibility into your ExpressRoute peering state ensures quick resolution of cross-premises routing problems and keeps critical hybrid applications running smoothly.
