Troubleshoot Azure Bastion

This article shows you how to troubleshoot Azure Bastion.

Unable to create an NSG on AzureBastionSubnet

Q: When I try to create an NSG on the Azure Bastion subnet, I get the following error: "Network security group does not have necessary rules for Azure Bastion Subnet AzureBastionSubnet".

A: If you create and apply an NSG to AzureBastionSubnet, make sure you have added the following rules to your NSG. If you do not add these rules, the NSG creation/update will fail.

  1. Control plane connectivity - Inbound on 443 from GatewayManager
  2. Diagnostics logging and others - Outbound on 443 to AzureCloud (Regional tags within this service tag are not supported yet.)
  3. Target VM - Outbound for 3389 and 22 to VirtualNetwork

An example of the NSG rules is available for reference in the quickstart template. For more information, see NSG guidance for Azure Bastion.
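As an added example (not from the Azure documentation or the quickstart template), the following Python checks an NSG's rule list for the three rules listed above and names any that are missing. It assumes rules in the flattened shape that `az network nsg rule list` returns; the sample rules are constructed.

```python
# Added example, not from the Azure docs page: report which of the three rules the
# troubleshooting entry above requires on AzureBastionSubnet are missing from an NSG.
# Assumption: rules are dicts shaped like flattened `az network nsg rule list` output
# (direction, access, protocol, source/destinationAddressPrefix, destinationPortRange(s)).
REQUIRED = [
    {"name": "Inbound 443 from GatewayManager", "direction": "Inbound",
     "source": "GatewayManager", "dest": "*", "ports": ("443",)},
    {"name": "Outbound 443 to AzureCloud", "direction": "Outbound",
     "source": "*", "dest": "AzureCloud", "ports": ("443",)},
    {"name": "Outbound 3389 and 22 to VirtualNetwork", "direction": "Outbound",
     "source": "*", "dest": "VirtualNetwork", "ports": ("3389", "22")},
]

def _covers_port(rule, port):
    # Port entries may be '*', a single port such as '443', or a range such as '22-3389'.
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    for r in ranges:
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= int(port) <= int(hi or lo):
            return True
    return False

def _matches(rule, req):
    # A '*' prefix in the rule is broader than the required service tag, so it still counts.
    def prefix_ok(actual, wanted):
        return wanted == "*" or actual in ("*", wanted)
    return (rule.get("access") == "Allow" and rule.get("direction") == req["direction"]
            and rule.get("protocol") in ("Tcp", "*")
            and prefix_ok(rule.get("sourceAddressPrefix"), req["source"])
            and prefix_ok(rule.get("destinationAddressPrefix"), req["dest"]))

def missing_bastion_rules(rules):
    """Names of required rules with at least one port that no matching Allow rule covers."""
    return [req["name"] for req in REQUIRED
            if not all(any(_matches(r, req) and _covers_port(r, p) for r in rules)
                       for p in req["ports"])]

# Constructed sample NSG: control-plane rule present, AzureCloud rule absent, SSH not allowed.
SAMPLE_RULES = [
    {"direction": "Inbound", "access": "Allow", "protocol": "Tcp", "destinationPortRange": "443",
     "sourceAddressPrefix": "GatewayManager", "destinationAddressPrefix": "*"},
    {"direction": "Outbound", "access": "Allow", "protocol": "Tcp", "destinationPortRange": "3389",
     "sourceAddressPrefix": "*", "destinationAddressPrefix": "VirtualNetwork"},
]

if __name__ == "__main__":
    for name in missing_bastion_rules(SAMPLE_RULES):
        print("missing:", name)
```

Run it against the JSON that `az network nsg rule list` returns for the NSG on AzureBastionSubnet to see which of the required entries is absent before the creation/update is attempted.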

Unable to use my SSH key with Azure Bastion

Q: When I try to browse my SSH key file, I get the following error: "SSH Private key must start with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----".

A: Azure Bastion supports only RSA SSH keys at this point in time. Make sure the key file you browse is an RSA private key for SSH, with the corresponding public key provisioned on the target VM.

As an example, you can use the following command to create a new RSA SSH key:

ssh-keygen -t rsa -b 4096 -C "email@domain.com"

Output:

ashishj@dreamcatcher:~$ ssh-keygen -t rsa -b 4096 -C "email@domain.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ashishj/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ashishj/.ssh/id_rsa.
Your public key has been saved in /home/ashishj/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:c+SBciKXnwceaNQ8Ms8C4h46BsNosYx+9d+AUxdazuE email@domain.com
The key's randomart image is:
+---[RSA 4096]----+
|      .o         |
| .. ..oo+. +     |
|=.o...B==.O o    |
|==o  =.*oO E     |
|++ .. ..S =      |
|oo..   + =       |
|...     o o      |
|         . .     |
|                 |
+----[SHA256]-----+

Unable to sign in to my Windows domain-joined virtual machine

Q: I am unable to connect to my Windows virtual machine that is domain-joined.

A: Azure Bastion supports sign-in to domain-joined VMs with a username and password only. When specifying the domain credentials in the Azure portal, use the UPN (username@domain) format instead of the domain\username format to sign in. This is supported for domain-joined or hybrid-joined (both domain-joined and Azure AD-joined) virtual machines. It is not supported for Azure AD-joined-only virtual machines.

File transfer issues

Q: Is file transfer supported with Azure Bastion?

A: File transfer is not supported at this time. We are working on adding support.

Black screen in the Azure portal

Q: When I try to connect using Azure Bastion, I get a black screen in the Azure portal.

A: This happens when there is a network connectivity issue either between your web browser and Azure Bastion (for example, your client Internet firewall may be blocking WebSockets traffic) or between Azure Bastion and your target VM. Most cases involve an NSG applied either to AzureBastionSubnet or to your target VM subnet that is blocking the RDP/SSH traffic in your virtual network. Allow WebSockets traffic on your client Internet firewall, and check the NSGs on your target VM subnet.

Next steps

For more information, see the Bastion FAQ.