Troubleshooting Azure VPNs
In today’s Ask the Admin, I’ll show you how to enable VPN gateway diagnostics and download the resulting logs from Azure storage.
A site-to-site VPN enables you to securely connect your on-premise network to the Azure cloud, enabling users to seamlessly access Azure resources or extend existing systems into the cloud, or a VNET-to-VNET VPN connects two or more Azure virtual networks. For more information on configuring VNET-to-VNET VPNs, see Deploying VNet-to-VNet VPNs in Azure on the Petri IT Knowledgebase.
In principle, VPNs are not difficult to configure in Azure but can be prone to errors, especially in the case of site-to-site VPNs, where you’re connecting to a local VPN device. If you’re thinking of utilizing this kind of VPN, I’d recommend purchasing an Azure support plan because you can only take debugging problems so far without full access to the VPN device on the Azure side. Nevertheless, logging can be enabled to help troubleshoot issues if you can’t connect to an Azure VPN gateway. Don’t forget that the logs on a local VPN device might also give some useful troubleshooting clues.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Before getting started, you’ll need to make sure you have the PowerShell module for Azure installed on your management PC, and a connection to your subscription configured. For details on how to set up PowerShell management, see Setup Windows Azure PowerShell Management on Petri.
Enable VPN gateway diagnostics
Start by opening a PowerShell prompt, and if you haven’t already done so, use the Set-AzureSubscription cmdlet to configure PowerShell to use your Azure subscription and selected storage account, replacing Pay-As-You-Go with the name of your Azure subscription, and mystorageaccount with the name of the storage account you want to work with:
$storageAccountName = 'mystorageaccount' $subscriptionName = 'Pay-As-You-Go' Set-AzureSubscription –SubscriptionName $subscriptionName -CurrentStorageAccount $storageAccountName
Azure writes the diagnostic logs to an Azure storage account. To enable this functionality, we need to provide the Start-AzureVNetGatewayDiagnostics cmdlet with the storage account context. Below we’ll set the storage context ready for the Start-AzureVNetGatewayDiagnostics cmdlet to use:
$storageAccountKey = (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary $storageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey
Now let’s set the name of the Azure virtual network we want to monitor and the capture duration in seconds:
$azureVNet = 'CONTOSO' $captureDuration = 60
Finally, we can start diagnostics:
Start-AzureVNetGatewayDiagnostics -VNetName $azureVNet -StorageContext $storageContext -CaptureDurationInSeconds $captureDuration Sleep -Seconds $captureDuration
Download the logs from Azure storage
Once the capture has completed, you’ll need to download the log from Azure storage and save the contents to a local file:
$logUrl = (Get-AzureVNetGatewayDiagnostics -VNetName $azureVNet).DiagnosticsUrl $logContent = (Invoke-WebRequest -Uri $logUrl).RawContent $logContent | Out-File -FilePath c:\temp\vpnlog.txt
Now open the vpnlog.txt file to view the log.