Troubleshooting: An Azure site-to-site VPN connection cannot connect and stops working

After you configure a site-to-site VPN connection between an on-premises network and an Azure virtual network, the VPN connection suddenly stops working and cannot be reconnected. This article provides troubleshooting steps to help you resolve this problem.

If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and CSDN. You can post your issue in these forums. You can also submit an Azure support request; to do so, go to the Azure support page.

Troubleshooting steps

To resolve the problem, first try to reset the Azure VPN gateway and reset the tunnel from the on-premises VPN device. If the problem persists, follow these steps to identify the cause.

Prerequisite step

Check the type of the Azure VPN gateway. Several of the checks below depend on whether the gateway is policy-based or route-based.

  1. Go to the Azure portal.

  2. Check the Overview page of the VPN gateway for the type information.

    (Screenshot: gateway Overview page)

Step 1. Check whether the on-premises VPN device is validated

  1. Check whether you are using a validated VPN device and operating system version. If the device is not a validated VPN device, you might have to contact the device manufacturer to see if there is a compatibility issue.

  2. Make sure that the VPN device is correctly configured. For more information, see Edit device configuration samples.

Step 2. Verify the shared key

Compare the shared key (pre-shared key, PSK) configured on the on-premises VPN device with the one configured on the Azure virtual network VPN connection, and make sure that they match exactly. Treat the key as a secret: retrieve it on a trusted console and do not paste it into tickets or chat.

To view the shared key for the Azure VPN connection, use one of the following methods:

Azure portal

  1. Go to the VPN gateway site-to-site connection that you created.

  2. In the Settings section, click Shared key.

    (Screenshot: Shared key setting)

Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

For the Azure Resource Manager deployment model:

    Get-AzVirtualNetworkGatewayConnectionSharedKey -Name <Connection name> -ResourceGroupName <Resource group name>

For the classic deployment model:

    Get-AzureVNetGatewayKey -VNetName <VNet name> -LocalNetworkSiteName <Local network site name>

Step 3. Verify the VPN peer IPs

  • The IP address defined in the Local Network Gateway object in Azure must match the public IP address of the on-premises VPN device.
  • The Azure gateway IP address configured as the peer on the on-premises device must match the public IP address of the Azure VPN gateway.

Step 4. Check UDRs and NSGs on the gateway subnet

Check for user-defined routes (UDRs) and network security groups (NSGs) applied to the gateway subnet (GatewaySubnet), remove them, and then test again. NSGs on the gateway subnet are not supported, and a UDR that sends 0.0.0.0/0 to a network virtual appliance cuts the gateway off from its control plane. If removing them resolves the problem, review the specific rules or routes they applied before reinstating any of them.

Step 5. Check the on-premises VPN device external interface address

  • If the Internet-facing IP address of the VPN device is included in the Local network address prefixes defined in Azure, you might experience sporadic disconnections.
  • The device's external interface must be directly on the Internet. There should be no network address translation or firewall between the Internet and the device.
  • If the VPN device is part of a firewall cluster that shares a virtual IP, you must break the cluster and expose the VPN appliance directly on a public interface that the Azure gateway can peer with.

Step 6. Verify that the subnets match exactly (policy-based gateways)

  • Verify that the virtual network address space(s) match exactly between the Azure virtual network and the on-premises device's definition of the remote network.
  • Verify that the subnets match exactly between the Local Network Gateway and the on-premises device's definition of the local (on-premises) network.

Step 7. Verify the Azure gateway health probe

  1. Open the health probe by browsing to the following URL:

    https://<YourVirtualNetworkGatewayIP>:8081/healthprobe

  2. Click through the certificate warning. The gateway presents a certificate that is not issued for its public IP address, so a warning is expected; this is only a reachability check, not a reason to trust that certificate elsewhere.

  3. If you receive a response, the VPN gateway is considered healthy. If you don't receive a response, the gateway might not be healthy, or an NSG on the gateway subnet is blocking the probe. The following text is a sample response:

    <?xml version="1.0"?>
    <string xmlns="http://schemas.microsoft.com/2003/10/Serialization/">Primary Instance: GatewayTenantWorker_IN_1 GatewayTenantVersion: 14.7.24.6</string>
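The following PowerShell script is an added example, not part of the original article or of Microsoft's own tooling. It collects, in one run, the facts that Steps 2 through 7 ask you to check for a single site-to-site connection using the Az module. It assumes the connection, gateway, local network gateway and virtual network are in one resource group, that the resource names and the "rg-vpn" / "conn-onprem-to-azure" placeholders are replaced with yours, and that PowerShell 7 or later is used for the health probe (the -SkipCertificateCheck parameter does not exist in Windows PowerShell 5.1). The Test-IpInPrefix helper is hypothetical, written here for IPv4 only.

```powershell
# Added example (not from the original article): gather what Steps 2-7 check
# for one site-to-site connection. Replace the placeholders below.
$rg       = 'rg-vpn'                 # assumed resource group name
$connName = 'conn-onprem-to-azure'   # assumed connection name

# Hypothetical helpers: is an IPv4 address inside a CIDR prefix?
function ConvertTo-IpNumber([System.Net.IPAddress]$Ip) {
    [int64]$n = 0
    foreach ($b in $Ip.GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}
function Test-IpInPrefix([System.Net.IPAddress]$Ip, [string]$Cidr) {
    if ($Ip.AddressFamily -ne 'InterNetwork') { return $false }   # IPv4 only
    $netStr, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    $mask   = (0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    $ipNum  = ConvertTo-IpNumber $Ip
    $netNum = ConvertTo-IpNumber ([System.Net.IPAddress]::Parse($netStr))
    return (($ipNum -band $mask) -eq ($netNum -band $mask))
}

$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
$gw   = Get-AzVirtualNetworkGateway -Name (($conn.VirtualNetworkGateway1.Id -split '/')[-1]) -ResourceGroupName $rg
$lng  = Get-AzLocalNetworkGateway   -Name (($conn.LocalNetworkGateway2.Id   -split '/')[-1]) -ResourceGroupName $rg

# Prerequisite step: gateway type (PolicyBased vs RouteBased) and current tunnel state
"Gateway $($gw.Name): GatewayType=$($gw.GatewayType) VpnType=$($gw.VpnType) Sku=$($gw.Sku.Name)"
"Connection status: $($conn.ConnectionStatus)  ingress=$($conn.IngressBytesTransferred)B egress=$($conn.EgressBytesTransferred)B"

# Step 2: shared key. Only the length is printed; compare the value itself on a trusted console.
$psk = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $connName -ResourceGroupName $rg
"Shared key length: $($psk.Length) characters"

# Step 3: peer IPs. Azure side = public IP bound to the gateway; on-prem side = Local Network Gateway address.
$pipId   = $gw.IpConfigurations[0].PublicIpAddress.Id
$azureIp = (Get-AzPublicIpAddress -Name (($pipId -split '/')[-1]) -ResourceGroupName (($pipId -split '/')[4])).IpAddress
"Azure gateway public IP (peer address on the on-prem device): $azureIp"
"Local Network Gateway IP (must equal the on-prem device public IP): $($lng.GatewayIpAddress)"

# Step 4: NSG or route table attached to GatewaySubnet
$vnetId   = ($gw.IpConfigurations[0].Subnet.Id -split '/subnets/')[0]
$vnet     = Get-AzVirtualNetwork -Name (($vnetId -split '/')[-1]) -ResourceGroupName (($vnetId -split '/')[4])
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
if ($gwSubnet.NetworkSecurityGroup) { "WARNING: NSG on GatewaySubnet: $($gwSubnet.NetworkSecurityGroup.Id)" }
if ($gwSubnet.RouteTable)           { "WARNING: route table (UDR) on GatewaySubnet: $($gwSubnet.RouteTable.Id)" }

# Step 5: the device's Internet-facing IP must not fall inside the on-prem address prefixes
$deviceIp = [System.Net.IPAddress]::Parse($lng.GatewayIpAddress)
foreach ($prefix in $lng.LocalNetworkAddressSpace.AddressPrefixes) {
    if (Test-IpInPrefix $deviceIp $prefix) { "WARNING: device IP $deviceIp lies inside local prefix $prefix" }
}

# Step 6 (policy-based gateways): both lists must match the on-prem device configuration exactly
"VNet address space    : $($vnet.AddressSpace.AddressPrefixes -join ', ')"
"Local network prefixes: $($lng.LocalNetworkAddressSpace.AddressPrefixes -join ', ')"

# Step 7: health probe. The gateway's certificate is not issued for the IP, so skip validation for this probe only.
try {
    $r = Invoke-WebRequest -Uri "https://${azureIp}:8081/healthprobe" -SkipCertificateCheck -TimeoutSec 10
    "Health probe: $($r.Content)"
} catch {
    "Health probe failed: $($_.Exception.Message) (gateway unhealthy, or TCP/8081 blocked by an NSG)"
}
```

Run it after Connect-AzAccount with the right subscription selected. The two WARNING lines for Step 4 are the ones most often responsible for a tunnel that was working and then stopped, because an NSG or route table can be attached to GatewaySubnet long after the VPN was built.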

Step 8. Check whether the on-premises VPN device has perfect forward secrecy enabled

A perfect forward secrecy (PFS) setting that the two sides do not agree on can cause disconnection problems, typically at IPsec SA rekey time. If the VPN device has PFS enabled and the Azure connection does not negotiate it, either disable PFS on the device or, preferably on a route-based gateway, configure a custom IPsec/IKE policy on the Azure connection whose PFS group matches the device's setting. Then update the VPN gateway IPsec policy accordingly. Disabling PFS removes the protection that a later compromise of the IKE keys does not expose earlier traffic, so matching the group is the better fix where the gateway supports it.
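As an added example (not code from the original article), the following commands align the Azure side with a device that requires PFS instead of disabling PFS on the device. It assumes a route-based gateway, that the device uses AES-256-GCM for IPsec with DH group 14 for both IKE and phase 2 (PFS2048 in Azure naming), and that the "rg-vpn" / "conn-onprem-to-azure" placeholders are replaced with your names. Note that Set-AzVirtualNetworkGatewayConnection -IpsecPolicies replaces any custom policy already on the connection.

```powershell
# Added example, not part of the original article. Match the device's PFS group
# on the Azure connection rather than turning PFS off on the device.
$rg       = 'rg-vpn'                 # assumed resource group name
$connName = 'conn-onprem-to-azure'   # assumed connection name

$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg

# Show what the connection negotiates today. An empty IpsecPolicies list means
# the Azure default policy is in use, i.e. no explicit PFS group is pinned.
if (-not $conn.IpsecPolicies) {
    "Connection '$connName' uses the default IPsec/IKE policy (no PFS group pinned)"
} else {
    $conn.IpsecPolicies | Format-List IkeEncryption, IkeIntegrity, DhGroup,
        IpsecEncryption, IpsecIntegrity, PfsGroup, SALifeTimeSeconds, SADataSizeKilobytes
}

# Custom policy: IKEv2 AES-256/SHA-256/DH14, ESP AES-256-GCM, PFS group 2048 (DH14).
# The values are assumptions; copy them from the on-prem device's phase 1/2 settings.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Apply it to the connection; this replaces any existing custom policy.
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -IpsecPolicies $policy

# Re-read and confirm the PFS group now pinned on the connection.
(Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg).IpsecPolicies |
    Select-Object DhGroup, PfsGroup, SALifeTimeSeconds
```

After the policy is applied, reset the tunnel from the on-premises device and watch the connection survive at least one IPsec SA lifetime (27000 seconds here) before declaring the problem fixed, since PFS mismatches surface at rekey rather than at the initial connect.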

Next steps