Today, I was working with a customer who had some issues with a VPN connection from Azure to his on-premises environment. After checking the configuration, everything seemed to be okay. I decided to run some logging on the VPN connection from the Azure side, to see if I could pin-point the issue. For that, I usually use the following script, of course after logging in to Azure in Powershell using add-azureaccount:
1
2
3
4
5
6
7
8
|
$subscriptionName = (Get-AzureSubscription).SubscriptionName | Out-GridView -Title "Select Azure Subscription" -PassThru
Select-AzureSubscription -SubscriptionName $subscriptionName
$storageAccountName = (Get-AzureStorageAccount).StorageAccountName | Out-GridView -Title "Select Azure Storage Account" -PassThru
$storageAccountKey = (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary
$storageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey
$azureVNet = (Get-AzureVNetSite).Name | Out-GridView -Title "Select Azure VNet" -PassThru
$captureDuration = 300
Start-AzureVNetGatewayDiagnostics -VNetName $azureVNet -StorageContext $storageContext -CaptureDurationInSeconds $captureDuration
|
This script prompts to select your Azure Subscription, Storage Account and vNet, and then starts 300 seconds of logging on the vNetGateway in that vNet, writing the output of these logs to the Storage Account you specified.
However, when the start-azurevnetgatewaydiagnostics cmdlet was run, I received an error that the StorageContext could not be read. After some Google searches, I found out I was running in to this issue. As discussed there, uninstalling the Azure module and reinstalling it using the 3.8.0 version solved my issue and I could start the logging.
Once done, you can retrieve the logged data using the following code:
1
2
3
|
$logUrl = (Get-AzureVNetGatewayDiagnostics -VNetName $azureVNet).DiagnosticsUrl
$logContent = (Invoke-WebRequest -Uri $logUrl).RawContent
$logContent | Out-File -FilePath c:\temp\vpnlog.txt
|
In my case, it turned out there was a mismatch in the preshared key between the Azure side of the VPN connection and the on-premises firewall.
If you want to retrieve the PSK’s of all VPN’s in a specific vNet, you can do that using PowerShell.
1
2
3
4
|
$subscriptionName = (Get-AzureSubscription).SubscriptionName | Out-GridView -Title "Select Azure Subscription" -PassThru
Select-AzureSubscription -SubscriptionName $subscriptionName
$azureVNet = (Get-AzureVNetSite).Name | Out-GridView -Title "Select Azure VNet" -PassThru
(Get-AzureVNetSite -VNetName $azureVNet).gatewaysites | foreach {Write-host “Local Site: $($_.name) Key: $((Get-AzureVNetGatewayKey -VNetName $azureVNet -LocalNetworkSiteName $_.Name).Value)” }
|
This prompts for your subscription and vNet name, and outputs the PSK’s of all VPN’s in that vNet.