
Troubleshooting Azure VPNs


In today’s Ask the Admin, I’ll show you how to enable VPN gateway diagnostics and download the resulting logs from Azure storage.

A site-to-site VPN securely connects your on-premises network to Azure, so users can access Azure resources seamlessly or you can extend existing systems into the cloud; a VNet-to-VNet VPN connects two or more Azure virtual networks. For more information on configuring VNet-to-VNet VPNs, see Deploying VNet-to-VNet VPNs in Azure on the Petri IT Knowledgebase.

In principle, VPNs are not difficult to configure in Azure, but they can be prone to errors, especially in the case of site-to-site VPNs, where you’re connecting to a local VPN device. If you’re thinking of using this kind of VPN, I’d recommend purchasing an Azure support plan, because without full access to the VPN device on the Azure side you can only take debugging so far. Nevertheless, logging can be enabled on the Azure side to help troubleshoot issues if you can’t connect to an Azure VPN gateway. Don’t forget that the logs on the local VPN device might also give some useful troubleshooting clues.


Before getting started, you’ll need to make sure you have the PowerShell module for Azure installed on your management PC, and a connection to your subscription configured. For details on how to set up PowerShell management, see Setup Windows Azure PowerShell Management on Petri.

Enable VPN gateway diagnostics

Start by opening a PowerShell prompt, and if you haven’t already done so, use the Set-AzureSubscription cmdlet to configure PowerShell to use your Azure subscription and selected storage account, replacing Pay-As-You-Go with the name of your Azure subscription, and mystorageaccount with the name of the storage account you want to work with:

$storageAccountName = 'mystorageaccount'   # replace with the name of your storage account
$subscriptionName = 'Pay-As-You-Go'        # replace with the name of your subscription

# Point the Azure cmdlets at the subscription and make this storage account the current one
Set-AzureSubscription -SubscriptionName $subscriptionName -CurrentStorageAccount $storageAccountName

Azure writes the diagnostic logs to an Azure storage account. To enable this functionality, we need to provide the Start-AzureVNetGatewayDiagnostics cmdlet with the storage account context. Below we’ll set the storage context ready for the Start-AzureVNetGatewayDiagnostics cmdlet to use:

# The primary key grants full access to the storage account, so keep it in the variable and out of scripts you share
$storageAccountKey = (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary

# Build the storage context that Start-AzureVNetGatewayDiagnostics will write the log to
$storageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

Now let’s set the name of the Azure virtual network we want to monitor and the capture duration in seconds:

$azureVNet = 'CONTOSO'   # name of the virtual network whose gateway you want to capture

$captureDuration = 60    # capture length in seconds

Finally, we can start diagnostics:

# Start the capture on the gateway, then wait for it to run its course before fetching the log
Start-AzureVNetGatewayDiagnostics -VNetName $azureVNet -StorageContext $storageContext -CaptureDurationInSeconds $captureDuration

Start-Sleep -Seconds $captureDuration

Download the logs from Azure storage

Once the capture has completed, you’ll need to download the log from Azure storage and save the contents to a local file:

# Retrieve the URL of the log that the capture wrote to the storage account
$logUrl = (Get-AzureVNetGatewayDiagnostics -VNetName $azureVNet).DiagnosticsUrl

# RawContent includes the HTTP status line and headers as well as the log body; use .Content if you only want the body
$logContent = (Invoke-WebRequest -Uri $logUrl).RawContent

# c:\temp must already exist, or Out-File will fail
$logContent | Out-File -FilePath c:\temp\vpnlog.txt

Now open the vpnlog.txt file to view the log.
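The following function wraps the whole capture-and-download procedure above into one command with the checks I would want before running it against a gateway. It is an added example, not code from the article: it assumes the same classic Azure PowerShell cmdlets used on this page (Get-AzureStorageKey, New-AzureStorageContext, Start-AzureVNetGatewayDiagnostics, Get-AzureVNetGatewayDiagnostics) are installed and that Set-AzureSubscription has already been run; the function name, its parameters, and the polling interval and limit are my own choices.

```powershell
# Added example (not from the article). Assumes the classic Azure PowerShell
# module is installed and Set-AzureSubscription has already been run.
function Invoke-AzureVNetGatewayCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VNetName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [int] $CaptureDurationInSeconds = 60,
        [string] $OutputPath = 'C:\temp\vpnlog.txt'
    )

    # Make sure the target folder exists before spending a minute on the capture.
    $outDir = Split-Path -Path $OutputPath -Parent
    if (-not (Test-Path -Path $outDir)) {
        New-Item -ItemType Directory -Path $outDir | Out-Null
    }

    # Build the storage context from the account's primary key. The key grants
    # full access to the account, so it stays in this variable and is never logged.
    $key = (Get-AzureStorageKey -StorageAccountName $StorageAccountName).Primary
    if ([string]::IsNullOrEmpty($key)) {
        throw "Could not read a key for storage account '$StorageAccountName'."
    }
    $ctx = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $key

    # Start the gateway capture and wait for the requested duration.
    Write-Verbose "Starting a $CaptureDurationInSeconds second capture on the gateway for VNet '$VNetName'"
    Start-AzureVNetGatewayDiagnostics -VNetName $VNetName -StorageContext $ctx -CaptureDurationInSeconds $CaptureDurationInSeconds
    Start-Sleep -Seconds $CaptureDurationInSeconds

    # The log URL may not be available the instant the capture ends, so poll for it
    # instead of failing on the first empty result (12 tries x 10 s is my choice).
    $logUrl = $null
    for ($attempt = 0; $attempt -lt 12 -and -not $logUrl; $attempt++) {
        $logUrl = (Get-AzureVNetGatewayDiagnostics -VNetName $VNetName).DiagnosticsUrl
        if (-not $logUrl) { Start-Sleep -Seconds 10 }
    }
    if (-not $logUrl) {
        throw "No diagnostics URL was returned for VNet '$VNetName' after the capture."
    }

    # Write the response body straight to disk; -OutFile avoids saving the HTTP
    # headers that .RawContent would include. The URL grants read access to the
    # log blob, so treat it like a credential and keep it out of tickets and chat.
    Invoke-WebRequest -Uri $logUrl -OutFile $OutputPath
    Get-Item -Path $OutputPath
}

# Usage (values are constructed sample names, not real resources):
# Invoke-AzureVNetGatewayCapture -VNetName 'CONTOSO' -StorageAccountName 'mystorageaccount' -Verbose
```

The function returns the saved file's FileInfo object, so you can pipe it into whatever you use to inspect the log; run it with -Verbose to see when the capture starts.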

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.