Troubleshooting: Azure Site-to-Site VPN disconnects intermittently

You might experience the problem that a new or existing Azure Site-to-Site VPN connection is not stable or disconnects regularly. This article provides troubleshooting steps to help you identify and resolve the cause of the problem.

If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and CSDN. You can post your issue in these forums. You can also submit an Azure support request. To submit a support request, go to the Azure support page.

Troubleshooting steps

Prerequisite step

Check the type of Azure virtual network gateway:

  1. Go to the Azure portal.

  2. Check the Overview page of the virtual network gateway for the type information.

    (Screenshot: Overview page of the gateway)

Step 1 Check whether the on-premises VPN device is validated

  1. Check whether you are using a validated VPN device and operating system version. If the VPN device is not validated, you may have to contact the device manufacturer to see if there is any compatibility issue.
  2. Make sure that the VPN device is correctly configured. For more information, see Editing device configuration samples.

Step 2 Check the Security Association settings (for policy-based Azure virtual network gateways)

  1. Make sure that the virtual network, subnets, and ranges in the local network gateway definition in Azure are the same as the configuration on the on-premises VPN device.
  2. Verify that the Security Association settings match.

Step 3 Check for user-defined routes or network security groups on the gateway subnet

A user-defined route on the gateway subnet may be restricting some traffic while allowing other traffic. This makes it appear that the VPN connection is unreliable for some traffic and good for other traffic.

Step 4 Check the "one VPN tunnel per subnet pair" setting (for policy-based virtual network gateways)

Make sure that the on-premises VPN device is set to have one VPN tunnel per subnet pair for policy-based virtual network gateways.

Step 5 Check for the Security Association limitation (for policy-based virtual network gateways)

A policy-based virtual network gateway has a limit of 200 subnet Security Association pairs. If the number of Azure virtual network subnets multiplied by the number of local subnets is greater than 200, you will see sporadic subnet disconnections.

Step 6 Check the on-premises VPN device's external interface address

  • If the Internet-facing IP address of the VPN device is included in the local network gateway definition in Azure, you may experience sporadic disconnections.
  • The device's external interface must be directly on the Internet. There should be no Network Address Translation (NAT) or firewall between the Internet and the device.
  • If you configure firewall clustering to have a virtual IP, you must break the cluster and expose the VPN appliance directly to a public interface that the gateway can interface with.
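To make Steps 2, 5 and 6 checkable against an exported configuration, here is an added Python example (not part of the original article and not Azure tooling) that lints constructed sample data offline: it counts subnet Security Association pairs against the 200-pair limit, flags a VPN device address that falls inside a declared local prefix, and diffs the Azure local network gateway prefixes against the device's. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Limit the article states for policy-based Azure virtual network gateways (Step 5).
POLICY_BASED_SA_PAIR_LIMIT = 200

def sa_pair_count(vnet_subnets, local_prefixes):
    """A policy-based gateway needs one Security Association per
    (VNet subnet, on-premises subnet) pair, so the count is the product."""
    return len(vnet_subnets) * len(local_prefixes)

def device_ip_in_local_prefixes(device_public_ip, local_prefixes):
    """Step 6: return the local network gateway prefixes that contain the
    VPN device's Internet-facing address (the list should be empty)."""
    ip = ipaddress.ip_address(device_public_ip)
    return [p for p in local_prefixes if ip in ipaddress.ip_network(p, strict=False)]

def prefix_mismatch(local_gateway_prefixes, device_prefixes):
    """Step 2: compare the prefixes declared on the Azure local network gateway
    with those configured on the device. Returns (missing_on_device, extra_on_device)."""
    azure = {ipaddress.ip_network(p, strict=False) for p in local_gateway_prefixes}
    device = {ipaddress.ip_network(p, strict=False) for p in device_prefixes}
    return sorted(map(str, azure - device)), sorted(map(str, device - azure))

def lint_site_to_site(vnet_subnets, local_prefixes, device_prefixes, device_public_ip):
    """Run the three checks and return a list of human-readable findings."""
    findings = []
    pairs = sa_pair_count(vnet_subnets, local_prefixes)
    if pairs > POLICY_BASED_SA_PAIR_LIMIT:
        findings.append(f"Step 5: {pairs} subnet pairs exceed the {POLICY_BASED_SA_PAIR_LIMIT} SA limit")
    hits = device_ip_in_local_prefixes(device_public_ip, local_prefixes)
    if hits:
        findings.append(f"Step 6: device address {device_public_ip} lies inside local prefix(es) {hits}")
    missing, extra = prefix_mismatch(local_prefixes, device_prefixes)
    if missing or extra:
        findings.append(f"Step 2: prefixes missing on device {missing}, extra on device {extra}")
    return findings

# Constructed sample inputs (hypothetical, not taken from any real deployment).
SAMPLE_VNET_SUBNETS = [f"10.1.{i}.0/24" for i in range(15)]  # 15 Azure subnets
SAMPLE_LOCAL_PREFIXES = [f"192.168.{i}.0/24" for i in range(14)] + ["203.0.113.0/24"]
SAMPLE_DEVICE_PREFIXES = [f"192.168.{i}.0/24" for i in range(14)] + ["192.168.99.0/24"]
SAMPLE_DEVICE_IP = "203.0.113.10"  # mistakenly covered by the last local prefix above

if __name__ == "__main__":
    for finding in lint_site_to_site(SAMPLE_VNET_SUBNETS, SAMPLE_LOCAL_PREFIXES,
                                     SAMPLE_DEVICE_PREFIXES, SAMPLE_DEVICE_IP):
        print(finding)
```

With the sample data all three checks fire (15 x 15 = 225 pairs, a device address inside 203.0.113.0/24, and one prefix differing between Azure and the device).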

Step 7 Check whether the on-premises VPN device has Perfect Forward Secrecy enabled

The Perfect Forward Secrecy feature can cause disconnection problems. If the VPN device has Perfect Forward Secrecy enabled, disable the feature. Then update the virtual network gateway IPsec policy.

Next steps