Hi @Kalan,
Thank you for reaching out on Microsoft Q&A forum.
I understand that you are unable to connect to an ASR test failover VM despite verifying credentials and running the Bastion troubleshooter, and that you do not have direct access to the VM to collect logs. Let us work through the key checks to help identify and resolve the issue.
Initial Checks:
VM Status
- Ensure the VM is in a running state in the Azure portal.
Bastion Provisioning
- Verify that the Azure Bastion resource is in a succeeded provisioning state and deployed in the same virtual network as the VM.
Network Configuration
- The VM must be in a virtual network that supports IPv4. IPv6-only environments are not supported by Bastion.
- Confirm the VM is in the correct subnet and that an AzureBastionSubnet exists.
- Ensure the VM is not in a Private DNS zone with suffixes like core.windows.net or azure.com.
NSG Rules
- Review NSG rules for both the AzureBastionSubnet and the VM’s subnet.
- Ensure inbound rules allow traffic from the Bastion subnet.
- Port 3389 should be open for Windows VMs and port 22 should be open for Linux VMs.
Credential Format
- If the VM is domain-joined, use the format ******@domain.com instead of domain\username when logging in via Bastion.
- Bastion does not support Azure AD-only authentication for login.
ASR Test Failover Considerations
- In ASR test failover scenarios, the VM may not boot properly due to incompatible VM sizes or disk formats.
- Check Boot Diagnostics in the portal for errors such as “No operating system was loaded” or “No UEFI-compatible file system found.”
- Review the failover VM in Recovery Services vaults → <Vault Name> → Replicated items → <VM Name> to ensure it is fully initialized and replication is complete.
- Optionally, if needed, you can deploy a temporary jump VM in the same VNet to verify network connectivity to the failover VM.
Note: In ASR test failover scenarios, if the source VM was domain-joined but the failover network does not have connectivity to the production domain controllers, domain credentials will not work. In such cases, always use a local administrator account to log in via Bastion (e.g., VMNAME\localuser). This ensures you can still access and validate the VM even when domain authentication is unavailable.
If the issue continues, please provide details such as VM size and OS type, VNet and subnet configuration, NSG rules applied, and the exact error message received when connecting via Bastion.
Please try the above steps and let us know if the issue persists or if you need further assistance. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
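The NSG check described in the answer above can be run offline against exported rules. This is an added example, not part of the original answer: it evaluates inbound rules in priority order and reports which rule decides traffic from the Bastion subnet to port 3389 or 22. The field names follow the JSON printed by `az network nsg rule list`; the rule names, the 10.0.1.0/26 Bastion range, and the decision to ignore destination address prefixes are assumptions made for the example.

```python
import ipaddress

def _port_match(rule, port):
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or ""]
    for r in ranges:
        lo, _, hi = r.partition("-")
        if r == "*" or (lo.isdigit() and int(lo) <= port <= int(hi or lo)):
            return True
    return False

def _source_match(rule, bastion_net):
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix") or ""]
    for p in prefixes:
        if p in ("*", "VirtualNetwork"):  # assumption: Bastion sits in the VM's VNet
            return True
        try:
            # Only a prefix covering the whole Bastion subnet counts as a match.
            if bastion_net.subnet_of(ipaddress.ip_network(p, strict=False)):
                return True
        except (ValueError, TypeError):  # other service tag or IPv4/IPv6 mismatch
            continue
    return False

def bastion_verdict(rules, bastion_cidr, port):
    """Return (access, rule name) of the first inbound rule matching Bastion -> port."""
    net = ipaddress.ip_network(bastion_cidr)
    inbound = [r for r in rules if r["direction"].lower() == "inbound"]
    for r in sorted(inbound, key=lambda r: r["priority"]):  # lowest number wins
        if (r["protocol"].lower() in ("*", "tcp") and _port_match(r, port)
                and _source_match(r, net)):
            return r["access"], r["name"]
    # No custom rule matched: the default AllowVnetInBound rule covers same-VNet traffic.
    return "Allow", "AllowVnetInBound (default)"

# Constructed sample rules for the VM subnet's NSG (not taken from the thread).
SAMPLE_RULES = [
    {"name": "AllowBastionRdp", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26", "destinationPortRange": "3389"},
    {"name": "DenyAllInboundCustom", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "AllowBastionSsh", "priority": 150, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/16",
     "destinationPortRanges": ["22", "2222"]},
]

if __name__ == "__main__":
    for port in (3389, 22):
        print(port, bastion_verdict(SAMPLE_RULES, "10.0.1.0/26", port))
```

In the constructed sample, the RDP allow rule exists but is shadowed by a broader deny with a lower priority number, which is the kind of ordering problem a rule-by-rule review in the portal can miss.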