Troubleshooting Azure VPNs
In today’s Ask the Admin, I’ll show you how to enable VPN gateway diagnostics and download the resulting logs from Azure storage.
A site-to-site VPN enables you to securely connect your on-premise network to the Azure cloud, enabling users to seamlessly access Azure resources or extend existing systems into the cloud, or a VNET-to-VNET VPN connects two or more Azure virtual networks. For more information on configuring VNET-to-VNET VPNs, see Deploying VNet-to-VNet VPNs in Azure on the Petri IT Knowledgebase.
In principle, VPNs are not difficult to configure in Azure but can be prone to errors, especially in the case of site-to-site VPNs, where you’re connecting to a local VPN device. If you’re thinking of utilizing this kind of VPN, I’d recommend purchasing an Azure support plan because you can only take debugging problems so far without full access to the VPN device on the Azure side. Nevertheless, logging can be enabled to help troubleshoot issues if you can’t connect to an Azure VPN gateway. Don’t forget that the logs on a local VPN device might also give some useful troubleshooting clues.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
Before getting started, you’ll need to make sure you have the PowerShell module for Azure installed on your management PC, and a connection to your subscription configured. For details on how to set up PowerShell management, see Setup Windows Azure PowerShell Management on Petri.
Enable VPN gateway diagnostics
Start by opening a PowerShell prompt, and if you haven’t already done so, use the Set-AzureSubscription cmdlet to configure PowerShell to use your Azure subscription and selected storage account, replacing Pay-As-You-Go with the name of your Azure subscription, and mystorageaccount with the name of the storage account you want to work with:
$storageAccountName = 'mystorageaccount' $subscriptionName = 'Pay-As-You-Go' Set-AzureSubscription –SubscriptionName $subscriptionName -CurrentStorageAccount $storageAccountName
Azure writes the diagnostic logs to an Azure storage account. To enable this functionality, we need to provide the Start-AzureVNetGatewayDiagnostics cmdlet with the storage account context. Below we’ll set the storage context ready for the Start-AzureVNetGatewayDiagnostics cmdlet to use:
$storageAccountKey = (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary $storageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey
Now let’s set the name of the Azure virtual network we want to monitor and the capture duration in seconds:
$azureVNet = 'CONTOSO' $captureDuration = 60
Finally, we can start diagnostics:
Start-AzureVNetGatewayDiagnostics -VNetName $azureVNet -StorageContext $storageContext -CaptureDurationInSeconds $captureDuration Sleep -Seconds $captureDuration
Download the logs from Azure storage
Once the capture has completed, you’ll need to download the log from Azure storage and save the contents to a local file:
$logUrl = (Get-AzureVNetGatewayDiagnostics -VNetName $azureVNet).DiagnosticsUrl $logContent = (Invoke-WebRequest -Uri $logUrl).RawContent $logContent | Out-File -FilePath c:\temp\vpnlog.txt
Now open the vpnlog.txt file to view the log.