重置 VPN 网关或连接Reset a VPN gateway or a connection

如果丢失一个或多个站点到站点 VPN 隧道上的跨界 VPN 连接,重置 Azure VPN 网关或网关连接可有效解决该情况。Resetting an Azure VPN gateway or gateway connection is helpful if you lose cross-premises VPN connectivity on one or more Site-to-Site VPN tunnels. 在此情况下,本地 VPN 设备都在正常工作,但却无法与 Azure VPN 网关建立 IPsec 隧道。In this situation, your on-premises VPN devices are all working correctly, but are not able to establish IPsec tunnels with the Azure VPN gateways. 本文可帮助你重置 VPN 网关或网关连接。This article helps you reset a VPN gateway or gateway connection.

重置期间发生的情况What happens during a reset

网关重置Gateway reset

VPN 网关由在活动备用配置中运行的两个 VM 实例组成。A VPN gateway is composed of two VM instances running in an active-standby configuration. 重置网关时会重启网关,并对其重新应用跨界配置。When you reset the gateway, it reboots the gateway, and then reapplies the cross-premises configurations to it. 该网关将保持已有的公共 IP 地址。The gateway keeps the public IP address it already has. 这意味着不需要使用 Azure VPN 网关的新公共 IP 地址更新 VPN 路由器配置。This means you won�t need to update the VPN router configuration with a new public IP address for Azure VPN gateway.

发出重置网关命令后,会立即重新启动 Azure VPN 网关的当前活动实例。When you issue the command to reset the gateway, the current active instance of the Azure VPN gateway is rebooted immediately. 从活动实例(正在重新启动)故障转移到备用实例期间会有一个短暂的时间间隔。There will be a brief gap during the failover from the active instance (being rebooted), to the standby instance. 该时间间隔应不超过 1 分钟。The gap should be less than one minute.

如果在首次重新启动后未恢复连接,再次发出同一命令以重新启动第二个 VM 实例(新活动网关)。If the connection is not restored after the first reboot, issue the same command again to reboot the second VM instance (the new active gateway). 如果连续请求两次重新启动,则重新启动这两个 VM 实例(活动和备用)的时间可能会略长一些。If the two reboots are requested back to back, there will be a slightly longer period where both VM instances (active and standby) are being rebooted. 这种情况会导致 VPN 连接出现较长的时间间隔,VM 需要最多 30 到 45 分钟才能完成重新启动。This will cause a longer gap on the VPN connectivity, up to 30 to 45 minutes for VMs to complete the reboots.

在两次重新启动之后,如果仍然存在跨界连接问题,请从 Azure 门户提出支持请求。After two reboots, if you are still experiencing cross-premises connectivity problems, please open a support request from the Azure portal.

连接重置Connection reset

选择重置连接时,网关不会重新启动。When you select to reset a connection, the gateway does not reboot. 仅重置并还原所选连接。Only the selected connection is reset and restored.

重置连接Reset a connection

可使用 Azure 门户轻松重置连接。You can reset a connection easily using the Azure portal.

  1. 导航到要重置的连接。Navigate to the Connection that you want to reset. 可以通过以下方式查找连接资源:可以在“所有资源”中找到它,也可以导航到“网关名称”->“连接”->“连接名称”进行查找You can find the connection resource either by locating it in All resources, or by navigating to the 'Gateway Name' -> Connections -> 'Connection Name'

  2. 在“连接”页上,从左侧菜单中选择“重置”。On the Connection page, select Reset from the left menu.

  3. 在“重置”页上,单击“重置”以重置连接。On the Reset page, click Reset to reset the connection.

    显示重置的屏幕截图。

重置 VPN 网关Reset a VPN gateway

在重置网关之前,请为每个 IPsec 站点到站点 (S2S) VPN 隧道验证下面列出的重要项目。Before you reset your gateway, verify the key items listed below for each IPsec Site-to-Site (S2S) VPN tunnel. 如果项目中存在任何不匹配,将导致 S2S VPN 隧道断开连接。Any mismatch in the items will result in the disconnect of S2S VPN tunnels. 验证并更正本地网关和 Azure VPN 网关的配置能够避免网关上其他正在工作的连接出现不必要的重新启动和中断。Verifying and correcting the configurations for your on-premises and Azure VPN gateways saves you from unnecessary reboots and disruptions for the other working connections on the gateways.

在重置网关之前,请检查以下各项:Verify the following items before resetting your gateway:

  • 在 Azure 和本地 VPN 策略中,为 Azure VPN 网关和本地 VPN 网关配置的 Internet IP 地址 (VIP) 正确。The Internet IP addresses (VIPs) for both the Azure VPN gateway and the on-premises VPN gateway are configured correctly in both the Azure and the on-premises VPN policies.
  • 在 Azure 和本地 VPN 网关上,预共享的密钥必须相同。The pre-shared key must be the same on both Azure and on-premises VPN gateways.
  • 如果应用特定的 IPsec/IKE 配置,如加密、哈希算法和 PFS(完全向前保密),请确保 Azure 和本地 VPN 网关具有相同配置。If you apply specific IPsec/IKE configuration, such as encryption, hashing algorithms, and PFS (Perfect Forward Secrecy), ensure both the Azure and on-premises VPN gateways have the same configurations.

Azure 门户Azure portal

可使用 Azure 门户重置 Resource Manager VPN 网关。You can reset a Resource Manager VPN gateway using the Azure portal. 如果想要重置经典网关,请参阅经典部署模型的 PowerShell 步骤。If you want to reset a classic gateway, see the PowerShell steps for the Classic deployment model.

  1. 在门户中,导航到想要重置的虚拟网络网关。In the portal, navigate to the virtual network gateway that you want to reset.

  2. 在虚拟网络网关的页面上,选择“重置”。On the page for the virtual network gateway, select Reset.

    菜单 - 重置网关

  3. 在“重置”页上,单击“重置” 。On the Reset page, click Reset. 发出命令后,将立即重新启动 Azure VPN 网关的当前活动实例。Once the command is issued, the current active instance of the Azure VPN gateway is rebooted immediately. 重置网关将导致 VPN 连接中断,还可能会限制未来的问题根本原因分析。Resetting the gateway will cause a gap in VPN connectivity, and may limit future root cause analysis of the issue.

    重置网关

PowerShellPowerShell

Resource Manager 部署模型Resource Manager deployment model

备注

本文已经过更新,以便使用 Azure Az PowerShell 模块。This article has been updated to use the Azure Az PowerShell module. 若要与 Azure 交互,建议使用的 PowerShell 模块是 Az PowerShell 模块。The Az PowerShell module is the recommended PowerShell module for interacting with Azure. 若要开始使用 Az PowerShell 模块,请参阅安装 Azure PowerShellTo get started with the Az PowerShell module, see Install Azure PowerShell. 若要了解如何迁移到 Az PowerShell 模块,请参阅 将 Azure PowerShell 从 AzureRM 迁移到 AzTo learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

用于重置网关的 cmdlet 是 Reset-AzVirtualNetworkGateway。The cmdlet for resetting a gateway is Reset-AzVirtualNetworkGateway. 进行重置前,请确保拥有最新版本的 PowerShell Az cmdletBefore performing a reset, make sure you have the latest version of the PowerShell Az cmdlets. 以下示例将重置 TestRG1 资源组中名为 VNet1GW 的虚拟网络网关:The following example resets a virtual network gateway named VNet1GW in the TestRG1 resource group:

$gw = Get-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1
Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gw

结果:Result:

收到返回结果时,可假定网关重置成功。When you receive a return result, you can assume the gateway reset was successful. 但返回结果没有明确指出重置成功。However, there is nothing in the return result that indicates explicitly that the reset was successful. 如要仔细查看历史记录,确定网关重置发生的确切时间,可在 Azure 门户中查看该信息。If you want to look closely at the history to see exactly when the gateway reset occurred, you can view that information in the Azure portal. 在门户中,导航到“GatewayName”->“资源运行状况”。In the portal, navigate to 'GatewayName' -> Resource Health.

经典部署模型Classic deployment model

用于重置网关的 cmdlet 是 Reset-AzureVNetGateway。The cmdlet for resetting a gateway is Reset-AzureVNetGateway. 进行重置前,请确保拥有最新版本的 Service Management (SM) PowerShell cmdletBefore performing a reset, make sure you have the latest version of the Service Management (SM) PowerShell cmdlets. 使用此命令时,请确保使用的是虚拟网络的全名。When using this command, make sure you are using the full name of the virtual network. 使用门户创建的经典 VNet 具有 PowerShell 所需的长名称。Classic VNets that were created using the portal have a long name that is required for PowerShell. 可以使用“Get-AzureVNetConfig -ExportToFile C:\Myfoldername\NetworkConfig.xml”查看长名称。You can view the long name by using 'Get-AzureVNetConfig -ExportToFile C:\Myfoldername\NetworkConfig.xml'.

以下示例重置名为“Group TestRG1 TestVNet1”的虚拟网络的网关(在门户中简单地显示为“TestVNet1”):The following example resets the gateway for a virtual network named "Group TestRG1 TestVNet1" (which shows as simply "TestVNet1" in the portal):

Reset-AzureVNetGateway -VnetName 'Group TestRG1 TestVNet1'

结果:Result:

Error          :
HttpStatusCode : OK
Id             : f1600632-c819-4b2f-ac0e-f4126bec1ff8
Status         : Successful
RequestId      : 9ca273de2c4d01e986480ce1ffa4d6d9
StatusCode     : OK

Azure CLIAzure CLI

若要重置网关,请使用 az network vnet-gateway reset 命令。To reset the gateway, use the az network vnet-gateway reset command. 以下示例将重置 TestRG5 资源组中名为 VNet5GW 的虚拟网络网关:The following example resets a virtual network gateway named VNet5GW in the TestRG5 resource group:

az network vnet-gateway reset -n VNet5GW -g TestRG5

结果:Result:

收到返回结果时,可假定网关重置成功。When you receive a return result, you can assume the gateway reset was successful. 但返回结果没有明确指出重置成功。However, there is nothing in the return result that indicates explicitly that the reset was successful. 如要仔细查看历史记录,确定网关重置发生的确切时间,可在 Azure 门户中查看该信息。If you want to look closely at the history to see exactly when the gateway reset occurred, you can view that information in the Azure portal. 在门户中,导航到“GatewayName”->“资源运行状况”。In the portal, navigate to 'GatewayName' -> Resource Health.