Tutorial: Diagnose a communication problem between networks using the Azure portal
A virtual network gateway connects an Azure virtual network to an on-premises, or other virtual network. In this tutorial, you learn how to:
- Diagnose a problem with a virtual network gateway with Network Watcher's VPN diagnostics capability
- Diagnose a problem with a gateway connection
- Resolve a problem with a gateway
If you don't have an Azure subscription, create a free account before you begin.
This article uses the Azure Az PowerShell module, which is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
To use VPN diagnostics, you must have an existing, running VPN gateway. If you don't have an existing VPN gateway to diagnose, you can deploy one using a PowerShell script. You can run the PowerShell script from:
- A local PowerShell installation: The script requires the Azure PowerShell
Get-Module -ListAvailable Azto find the installed version. If you need to upgrade, see Install Azure PowerShell. If you are running PowerShell locally, you also need to run
Connect-AzAccountto create a connection with Azure.
- The Azure Cloud Shell: The Azure Cloud Shell has the latest version of PowerShell installed and configured, and logs you into Azure.
The script takes approximately an hour to create a VPN gateway. The remaining steps assume that the gateway you're diagnosing is the one deployed by this script. If you diagnose your own existing gateway instead, your results will vary.
Sign in to Azure
Sign in to the Azure portal.
Enable Network Watcher
If you already have a network watcher enabled in the East US region, skip to Diagnose a gateway.
In the portal, select All services. In the Filter box, enter Network Watcher. When Network Watcher appears in the results, select it.
Select Regions, to expand it, and then select ... to the right of East US, as shown in the following picture:
Select Enable Network Watcher.
Diagnose a gateway
On the left side of the portal, select All services.
Start typing network watcher in the Filter box. When Network Watcher appears in the search results, select it.
Under NETWORK DIAGNOSTIC TOOLS, select VPN Diagnostics.
Select Storage account, and then select the storage account you want to write diagnostic information to.
From the list of Storage accounts, select the storage account you want to use. If you don't have an existing storage account, select + Storage account, enter, or select the required information, and then select Create, to create one. If you created a VPN gateway using the script in prerequisites, you may want to create the storage account in the same resource group, TestRG1, as the gateway.
From the list of Containers, select the container you want to use, and then select Select. If you don't have any containers, select + Container, enter a name for the container, then select OK.
Select a gateway, and then select Start troubleshooting. As shown in the following picture, the test is run against a gateway named Vnet1GW:
While the test is running, Running appears in the TROUBLESHOOTING STATUS column where Not started is shown, in the previous picture. The test may take several minutes to run.
View the status of a completed test. The following picture shows the status results of a completed diagnostic test:
You can see that the TROUBLESHOOTING STATUS is Unhealthy, as well as a Summary and Detail of the problem on the Status tab.
When you select the Action tab, VPN diagnostics provides additional information. In the example, shown in the following picture, VPN diagnostics lets you know that you should check the health of each connection:
Diagnose a gateway connection
A gateway is connected to other networks via a gateway connection. Both the gateway and gateway connections must be healthy for successful communication between a virtual network and a connected network.
Complete step 7 of Diagnose a gateway again, this time, selecting a connection. In the following example, a connection named VNet1toSite1 is tested:
The test runs for several minutes.
After the test of the connection is complete, you receive results similar to the results shown in the following pictures on the Status and Action tabs:
VPN diagnostics informs you what is wrong on the Status tab, and gives you several suggestions for what may be causing the problem on the Action tab.
If the gateway you tested was the one deployed by the script in Prerequisites, then the problem on the Status tab, and the first two items on the Actions tab are exactly what the problem is. The script configures a placeholder IP address, 126.96.36.199, for the on-premises VPN gateway device.
To resolve the issue, you need to ensure that your on-premises VPN gateway is configured properly, and change the IP address configured by the script for the local network gateway, to the actual public address of your on-premises VPN gateway.
Clean up resources
If you created a VPN gateway using the script in the prerequisites solely to complete this tutorial, and no longer need it, delete the resource group and all of the resources it contains:
- Enter TestRG1 in the Search box at the top of the portal. When you see TestRG1 in the search results, select it.
- Select Delete resource group.
- Enter TestRG1 for TYPE THE RESOURCE GROUP NAME: and select Delete.
In this tutorial, you learned how to diagnose a problem with a virtual network gateway. You may want to log network communication to and from a VM so that you can review the log for anomalies. To learn how, advance to the next tutorial.