Diagnose on-premises connectivity via VPN gateways

Azure VPN Gateway enables you to create hybrid solutions that address the need for a secure connection between your on-premises network and your Azure virtual network. As your requirements are unique, so is the choice of on-premises VPN device. Azure currently supports several VPN devices that are constantly validated in partnership with the device vendors. Review the device-specific configuration settings before configuring your on-premises VPN device. Similarly, Azure VPN Gateway is configured with a set of supported IPsec parameters that are used for establishing connections. Currently there is no way for you to specify or select a specific combination of IPsec parameters from the Azure VPN Gateway. For establishing a successful connection between on-premises and Azure, the on-premises VPN device settings must be in accordance with the IPsec parameters prescribed by Azure VPN Gateway. If the settings are incorrect, there is a loss of connectivity, and until now troubleshooting these issues was not trivial and usually took hours to identify and fix.

With the Azure Network Watcher troubleshoot feature, you are able to diagnose any issues with your Gateway and Connections and, within minutes, have enough information to make an informed decision to rectify the issue.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Scenario

You want to configure a site-to-site connection between Azure and on-premises using FortiGate as the on-premises VPN Gateway. To achieve this scenario, you would require the following setup:

  1. Virtual Network Gateway - The VPN Gateway on Azure
  2. Local Network Gateway - The on-premises (FortiGate) VPN Gateway representation in Azure cloud
  3. Site-to-site connection (route based) - Connection between the VPN Gateway and the on-premises router
  4. Configuring FortiGate

Detailed step-by-step guidance for configuring a Site-to-Site configuration can be found by visiting: Create a VNet with a Site-to-Site connection using the Azure portal.

One of the critical configuration steps is configuring the IPsec communication parameters; any misconfiguration leads to loss of connectivity between the on-premises network and Azure. Currently Azure VPN Gateways are configured to support the following IPsec parameters for Phase 1. As you can see in the table below, the encryption algorithms supported by Azure VPN Gateway are AES256, AES128, and 3DES.

IKE phase 1 setup

| Property | PolicyBased | RouteBased and Standard or High-Performance VPN gateway |
| --- | --- | --- |
| IKE Version | IKEv1 | IKEv2 |
| Diffie-Hellman Group | Group 2 (1024 bit) | Group 2 (1024 bit) |
| Authentication Method | Pre-Shared Key | Pre-Shared Key |
| Encryption Algorithms | AES256, AES128, 3DES | AES256, 3DES |
| Hashing Algorithm | SHA1 (SHA128) | SHA1 (SHA128), SHA2 (SHA256) |
| Phase 1 Security Association (SA) Lifetime (Time) | 28,800 seconds | 28,800 seconds |

As a user, you would be required to configure your FortiGate; a sample configuration can be found on GitHub. Unknowingly, you configured your FortiGate to use SHA-512 as the hashing algorithm. As this algorithm is not a supported algorithm for policy-based connections, your VPN connection does not work.
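The mismatch in this scenario can be caught before the tunnel is ever brought up by checking the planned on-premises proposal against the parameter table above. The following PowerShell is an added example written for this page, not code from the article or from FortiGate or Azure; the supported values are taken from the table, while the `Test-IkePhase1Proposal` function and the FortiGate proposal at the bottom are constructed (attribute names such as `DhGroup` and `SaLifetimeSec` are this example's own naming).

```powershell
# Added example (not part of the original article): check a planned on-premises
# IKE phase 1 proposal against the Azure VPN Gateway parameters in the table above.
# The supported values come from that table; the proposal at the bottom is
# constructed to reproduce the SHA-512 scenario described in the text.

$AzureIkePhase1 = @{
    PolicyBased = @{
        IkeVersion     = @('IKEv1')
        DhGroup        = @('Group2')
        Authentication = @('PreSharedKey')
        Encryption     = @('AES256', 'AES128', '3DES')
        Hashing        = @('SHA1')
        SaLifetimeSec  = 28800
    }
    RouteBased = @{
        IkeVersion     = @('IKEv2')
        DhGroup        = @('Group2')
        Authentication = @('PreSharedKey')
        Encryption     = @('AES256', '3DES')
        Hashing        = @('SHA1', 'SHA256')
        SaLifetimeSec  = 28800
    }
}

function Test-IkePhase1Proposal {
    <#
      Returns Compatible = $true when every negotiated attribute of $Proposal is in
      the Azure-supported set for $GatewayType; otherwise lists each mismatch so it
      can be corrected on the on-premises device before the tunnel is brought up.
      The SA lifetime is reported as a warning, not a mismatch: the table only gives
      Azure's value and does not say a different value breaks the tunnel (assumption).
    #>
    param(
        [Parameter(Mandatory)][ValidateSet('PolicyBased', 'RouteBased')][string]$GatewayType,
        [Parameter(Mandatory)][hashtable]$Proposal
    )
    $supported  = $AzureIkePhase1[$GatewayType]
    $mismatches = @()
    foreach ($attr in 'IkeVersion', 'DhGroup', 'Authentication', 'Encryption', 'Hashing') {
        if ($supported[$attr] -notcontains $Proposal[$attr]) {
            $mismatches += ("{0}: '{1}' is not supported on {2} gateways (supported: {3})" -f $attr, $Proposal[$attr], $GatewayType, ($supported[$attr] -join ', '))
        }
    }
    $warnings = @()
    if ($Proposal.SaLifetimeSec -ne $supported.SaLifetimeSec) {
        $warnings += ("SaLifetimeSec: {0} differs from the Azure value of {1}" -f $Proposal.SaLifetimeSec, $supported.SaLifetimeSec)
    }
    [pscustomobject]@{
        GatewayType = $GatewayType
        Compatible  = ($mismatches.Count -eq 0)
        Mismatches  = $mismatches
        Warnings    = $warnings
    }
}

# Constructed FortiGate proposal: everything matches the table except the hash.
$fortiGateProposal = @{
    IkeVersion     = 'IKEv1'
    DhGroup        = 'Group2'
    Authentication = 'PreSharedKey'
    Encryption     = 'AES256'
    Hashing        = 'SHA512'
    SaLifetimeSec  = 28800
}

Test-IkePhase1Proposal -GatewayType PolicyBased -Proposal $fortiGateProposal
```

Run against the constructed proposal, the result has `Compatible` set to `$false` and a single entry in `Mismatches` naming the hashing algorithm, which is exactly the misconfiguration the IKEErrors.txt output later in the article points to. Switching `-GatewayType` to `RouteBased` shows the same proposal failing twice (IKEv1 and SHA512), since route-based gateways negotiate IKEv2.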

These issues are hard to troubleshoot and the root causes are often non-intuitive. In this case, you can open a support ticket to get help on resolving the issue. But with the Azure Network Watcher troubleshoot API, you can identify these issues on your own.

Troubleshooting using Azure Network Watcher

To diagnose your connection, connect to Azure PowerShell and initiate the Start-AzNetworkWatcherResourceTroubleshooting cmdlet. You can find the details on using this cmdlet at Troubleshoot Virtual Network Gateway and connections - PowerShell. This cmdlet may take up to a few minutes to complete.

Once the cmdlet completes, you can navigate to the storage location specified in the cmdlet to get detailed information about the issue and the logs. Azure Network Watcher creates a zip folder that contains the following log files:


Open the file called IKEErrors.txt; it displays the following error, indicating an issue with the on-premises IKE settings:

Error: On-premises device rejected Quick Mode settings. Check values.
     based on log : Peer sent NO_PROPOSAL_CHOSEN notify

You can get detailed information about the error from Scrubbed-wfpdiag.txt; in this case it mentions an ERROR_IPSEC_IKE_POLICY_MATCH that led to the connection not working properly.

Another common misconfiguration is specifying incorrect shared keys. If in the preceding example you had specified different shared keys, IKEErrors.txt shows the following error: Error: Authentication failed. Check shared key.
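The procedure above, from starting the troubleshooting run to reading IKEErrors.txt out of the zip, as one PowerShell script. This is an added example written for this page, not code from the article or from the Network Watcher documentation. It assumes an authenticated Az session with the Az.Network and Az.Storage modules; the resource group, connection, storage account and container names are placeholders, and the `Resolve-IkeErrorHint` function is this example's own mapping of the two error strings quoted on this page to the fault types in the tables below.

```powershell
# Added example: end-to-end run of the procedure described in this article.
# Not taken from the article or the Network Watcher docs. Requires Az.Network,
# Az.Storage and an authenticated session (Connect-AzAccount).
# Resource, storage and container names are placeholders, not values from the page.

$resourceGroup  = 'rg-hybrid-PLACEHOLDER'
$connectionName = 'conn-onprem-fortigate-PLACEHOLDER'
$storageName    = 'stnwdiagPLACEHOLDER'
$containerName  = 'vpn-troubleshoot'

# The site-to-site connection is the target resource; the Network Watcher instance
# must be the one for the region the connection lives in.
$connection = Get-AzVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $resourceGroup
$watcher    = Get-AzNetworkWatcher -Location $connection.Location

# Storage location where Network Watcher writes the zip with the log files.
$storage     = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageName
$null        = New-AzStorageContainer -Name $containerName -Context $storage.Context -ErrorAction SilentlyContinue
$storagePath = "$($storage.PrimaryEndpoints.Blob)$containerName"

# Runs synchronously and can take several minutes.
$result = Start-AzNetworkWatcherResourceTroubleshooting -NetworkWatcher $watcher `
    -TargetResourceId $connection.Id -StorageId $storage.Id -StoragePath $storagePath

# Overall verdict plus one entry per detected fault (fault types are listed in the
# Gateway and Connection tables of this article).
$result.Code
$result.Results | Select-Object Id, Summary, Detail, RecommendedActions | Format-List

function Resolve-IkeErrorHint {
    # Maps the IKEErrors.txt messages quoted in this article to the matching fault
    # type and the setting to check. Any other line is returned unchanged.
    param([Parameter(Mandatory)][string]$Line)
    switch -Regex ($Line) {
        'Authentication failed\. Check shared key' {
            return 'Authentication: the pre-shared key differs between Azure and the on-premises device'
        }
        'rejected Quick Mode settings|NO_PROPOSAL_CHOSEN' {
            return 'IkePolicyMismatch: compare the on-premises IKE/IPsec proposal with the Azure phase 1 table'
        }
        default { return $Line }
    }
}

# Download the newest zip, unpack it and read the Error lines from IKEErrors.txt.
$blob = Get-AzStorageBlob -Container $containerName -Context $storage.Context |
    Where-Object { $_.Name -like '*.zip' } |
    Sort-Object LastModified -Descending |
    Select-Object -First 1

$workDir = Join-Path ([IO.Path]::GetTempPath()) 'nw-vpn-diag'
$null    = New-Item -ItemType Directory -Path $workDir -Force
$zipPath = Join-Path $workDir 'troubleshoot.zip'
$null    = Get-AzStorageBlobContent -Blob $blob.Name -Container $containerName -Context $storage.Context -Destination $zipPath -Force
Expand-Archive -Path $zipPath -DestinationPath $workDir -Force

Get-ChildItem -Path $workDir -Recurse -Filter 'IKEErrors.txt' |
    Get-Content |
    Where-Object { $_ -match 'Error:' } |
    ForEach-Object { Resolve-IkeErrorHint -Line $_ }
```

For the SHA-512 scenario the last pipeline prints the IkePolicyMismatch hint; with a wrong pre-shared key it prints the Authentication hint. Keeping the zip in a dedicated working directory also means the Scrubbed-wfpdiag.txt file mentioned above is available alongside IKEErrors.txt for a closer look.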

The Azure Network Watcher troubleshoot feature enables you to diagnose and troubleshoot your VPN Gateway and Connection with the ease of a simple PowerShell cmdlet. Currently we support diagnosing the following conditions and are working towards adding more conditions.

Gateway

| Fault Type | Reason | Log |
| --- | --- | --- |
| NoFault | When no error is detected. | Yes |
| GatewayNotFound | Cannot find Gateway or Gateway is not provisioned. | No |
| PlannedMaintenance | Gateway instance is under maintenance. | No |
| UserDrivenUpdate | When a user update is in progress. This could be a resize operation. | No |
| VipUnResponsive | Cannot reach the primary instance of the Gateway. This happens when the health probe fails. | No |
| PlatformInActive | There is an issue with the platform. | No |
| ServiceNotRunning | The underlying service is not running. | No |
| NoConnectionsFoundForGateway | No Connections exist on the gateway. This is only a warning. | No |
| ConnectionsNotConnected | None of the Connections are connected. This is only a warning. | Yes |
| GatewayCPUUsageExceeded | The current Gateway CPU usage is > 95%. | Yes |

Connection

| Fault Type | Reason | Log |
| --- | --- | --- |
| NoFault | When no error is detected. | Yes |
| GatewayNotFound | Cannot find Gateway or Gateway is not provisioned. | No |
| PlannedMaintenance | Gateway instance is under maintenance. | No |
| UserDrivenUpdate | When a user update is in progress. This could be a resize operation. | No |
| VipUnResponsive | Cannot reach the primary instance of the Gateway. It happens when the health probe fails. | No |
| ConnectionEntityNotFound | Connection configuration is missing. | No |
| ConnectionIsMarkedDisconnected | The Connection is marked "disconnected." | No |
| ConnectionNotConfiguredOnGateway | The underlying service does not have the Connection configured. | Yes |
| ConnectionMarkedStandby | The underlying service is marked as standby. | Yes |
| Authentication | Preshared Key mismatch. | Yes |
| PeerReachability | The peer gateway is not reachable. | Yes |
| IkePolicyMismatch | The peer gateway has IKE policies that are not supported by Azure. | Yes |
| WfpParse Error | An error occurred parsing the WFP log. | Yes |

Next steps

Learn to check VPN Gateway connectivity with PowerShell and Azure Automation by visiting Monitor VPN gateways with Azure Network Watcher troubleshooting.