Troubleshooting Azure VPNs

Cloud Hero Azure

In today’s Ask the Admin, I’ll show you how to enable VPN gateway diagnostics and download the resulting logs from Azure storage.

A site-to-site VPN enables you to securely connect your on-premise network to the Azure cloud, enabling users to seamlessly access Azure resources or extend existing systems into the cloud, or a VNET-to-VNET VPN connects two or more Azure virtual networks. For more information on configuring VNET-to-VNET VPNs, see Deploying VNet-to-VNet VPNs in Azure on the Petri IT Knowledgebase.

In principle, VPNs are not difficult to configure in Azure but can be prone to errors, especially in the case of site-to-site VPNs, where you’re connecting to a local VPN device. If you’re thinking of utilizing this kind of VPN, I’d recommend purchasing an Azure support plan because you can only take debugging problems so far without full access to the VPN device on the Azure side. Nevertheless, logging can be enabled to help troubleshoot issues if you can’t connect to an Azure VPN gateway. Don’t forget that the logs on a local VPN device might also give some useful troubleshooting clues.

Before getting started, you’ll need to make sure you have the PowerShell module for Azure installed on your management PC, and a connection to your subscription configured. For details on how to set up PowerShell management, see Setup Windows Azure PowerShell Management on Petri.

Enable VPN gateway diagnostics

Start by opening a PowerShell prompt, and if you haven’t already done so, use the Set-AzureSubscription cmdlet to configure PowerShell to use your Azure subscription and selected storage account, replacing Pay-As-You-Go with the name of your Azure subscription, and mystorageaccount with the name of the storage account you want to work with:

​$storageAccountName = 'mystorageaccount' 
$subscriptionName = 'Pay-As-You-Go'

Set-AzureSubscription –SubscriptionName $subscriptionName -CurrentStorageAccount $storageAccountName

Azure writes the diagnostic logs to an Azure storage account. To enable this functionality, we need to provide the Start-AzureVNetGatewayDiagnostics cmdlet with the storage account context. Below we’ll set the storage context ready for the Start-AzureVNetGatewayDiagnostics cmdlet to use:

​$storageAccountKey = (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary

$storageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

Now let’s set the name of the Azure virtual network we want to monitor and the capture duration in seconds:

​$azureVNet = 'CONTOSO'

$captureDuration = 60

Finally, we can start diagnostics:

​Start-AzureVNetGatewayDiagnostics -VNetName $azureVNet -StorageContext $storageContext -CaptureDurationInSeconds $captureDuration

Sleep -Seconds $captureDuration

Download the logs from Azure storage

Once the capture has completed, you’ll need to download the log from Azure storage and save the contents to a local file:

​$logUrl = (Get-AzureVNetGatewayDiagnostics -VNetName $azureVNet).DiagnosticsUrl

$logContent = (Invoke-WebRequest -Uri $logUrl).RawContent

$logContent | Out-File -FilePath c:\temp\vpnlog.txt

Now open the vpnlog.txt file to view the log.