Troubleshoot VPN virtual network gateways and connections using PowerShell
In this article, you learn how to use the Network Watcher VPN troubleshoot capability to diagnose and troubleshoot VPN virtual network gateways and their connections, so that you can solve connectivity issues between your virtual network and on-premises network. VPN troubleshoot requests are long-running requests, which can take several minutes to return a result. The troubleshooting logs are stored in a container in the storage account that you specify.
An Azure account with an active subscription. If you don't have one, create a trial subscription.
A Network Watcher enabled in the region of the virtual network gateway. For more information, see Enable or disable Azure Network Watcher.
A virtual network gateway. For more information about supported gateway types, see Supported gateway types.
Azure PowerShell.
You can install Azure PowerShell locally to run the cmdlets. This article requires the Az PowerShell module. For more information, see How to install Azure PowerShell. To find the installed version, run Get-InstalledModule -Name Az. If you run PowerShell locally, sign in to Azure using the Connect-AzAccount -Environment AzureChinaCloud cmdlet.
In this section, you learn how to troubleshoot a VPN virtual network gateway or a VPN connection using an existing storage account.
Use Start-AzNetworkWatcherResourceTroubleshooting to start troubleshooting the VPN gateway.
# Place the virtual network gateway configuration into a variable.
$vng = Get-AzVirtualNetworkGateway -Name 'myGateway' -ResourceGroupName 'myResourceGroup'
# Place the storage account configuration into a variable.
$sa = Get-AzStorageAccount -ResourceGroupName 'myResourceGroup' -Name 'mystorageaccount'
# Start VPN troubleshoot session.
Start-AzNetworkWatcherResourceTroubleshooting -Location 'chinaeast' -TargetResourceId $vng.Id -StorageId $sa.Id -StoragePath 'https://mystorageaccount.blob.core.chinacloudapi.cn/{containerName}'
After the troubleshooting request is completed, healthy or unhealthy is returned. Detailed logs are stored in the storage account container you specified in the previous command. For more information, see Log files. You can use Storage Explorer or any other method you prefer to access and download the logs. For more information, see Get started with Storage Explorer.
In this section, you learn how to troubleshoot a VPN virtual network gateway or a VPN connection using a new storage account.
Use New-AzStorageAccount and New-AzStorageContainer to create a new storage account and a container. Then, use Start-AzNetworkWatcherResourceTroubleshooting to start troubleshooting the VPN gateway.
# Place the virtual network gateway configuration into a variable.
$vng = Get-AzVirtualNetworkGateway -Name 'myGateway' -ResourceGroupName 'myResourceGroup'
# Create a new storage account.
$sa = New-AzStorageAccount -Name 'mystorageaccount' -SKU 'Standard_LRS' -ResourceGroupName 'myResourceGroup' -Location 'chinaeast'
# Create a container.
Set-AzCurrentStorageAccount -ResourceGroupName $sa.ResourceGroupName -Name $sa.StorageAccountName
$sc = New-AzStorageContainer -Name 'vpn'
# Start VPN troubleshoot session.
Start-AzNetworkWatcherResourceTroubleshooting -Location 'chinaeast' -TargetResourceId $vng.Id -StorageId $sa.Id -StoragePath 'https://mystorageaccount.blob.core.chinacloudapi.cn/vpn'
After the troubleshooting request is completed, healthy or unhealthy is returned. Detailed logs are stored in the storage account container you specified in the previous command. For more information, see Log files. You can use Storage Explorer or any other method you prefer to access and download the logs. For more information, see Get started with Storage Explorer.
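The log retrieval described above can also be done from PowerShell instead of Storage Explorer. The following is an added example, not part of the original article: it reuses the article's sample resource names, assumes the 'vpn' container already exists, and uses a hypothetical local folder ($destination). It also keeps the log container private and reads the returned status from the result object's Code property.

```powershell
# Added example (not from the original article). Resource names are the article's sample values.
$rgName        = 'myResourceGroup'
$saName        = 'mystorageaccount'
$containerName = 'vpn'                                     # container used in -StoragePath
$destination   = Join-Path $HOME 'vpn-troubleshoot-logs'   # hypothetical local folder

$vng = Get-AzVirtualNetworkGateway -Name 'myGateway' -ResourceGroupName $rgName
$sa  = Get-AzStorageAccount -ResourceGroupName $rgName -Name $saName
$ctx = $sa.Context

# Keep the log container private: no anonymous read access to the troubleshooting logs.
Set-AzStorageContainerAcl -Name $containerName -Permission Off -Context $ctx

# Build the storage path from the account's own blob endpoint rather than typing the URL.
# PrimaryEndpoints.Blob ends with a trailing slash.
$storagePath = '{0}{1}' -f $sa.PrimaryEndpoints.Blob, $containerName

# Record the start time (with a one-minute margin for clock skew) to pick out this run's logs.
$started = (Get-Date).ToUniversalTime().AddMinutes(-1)

# Long-running call: it can take several minutes to return.
$result = Start-AzNetworkWatcherResourceTroubleshooting -Location 'chinaeast' `
    -TargetResourceId $vng.Id -StorageId $sa.Id -StoragePath $storagePath

# Code holds the healthy or unhealthy status returned by the request.
Write-Output "Troubleshooting result: $($result.Code)"

# Download only the blobs written during this troubleshooting run.
New-Item -ItemType Directory -Path $destination -Force | Out-Null
$logs = Get-AzStorageBlob -Container $containerName -Context $ctx |
    Where-Object { $_.LastModified.UtcDateTime -ge $started }

foreach ($blob in $logs) {
    Get-AzStorageBlobContent -Container $containerName -Blob $blob.Name `
        -Destination $destination -Context $ctx -Force | Out-Null
    Write-Output "Downloaded $($blob.Name)"
}

if (-not $logs) {
    Write-Warning "No new blobs found in container '$containerName' since $started (UTC)."
}
```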