Troubleshoot site-to-site VPN connections

This article describes troubleshooting steps you can take after you configure a site-to-site (S2S) VPN connection between an on-premises network and an Azure Stack Hub virtual network, and the connection suddenly stops working and cannot be reconnected.

If your Azure Stack Hub issue is not addressed in this article, you can visit the Azure Stack Hub MSDN forum.

You can also submit an Azure support request. Please see Azure Stack Hub support.

Note

Only one site-to-site VPN connection can be created between two Azure Stack Hub deployments. This is due to a limitation in the platform that only allows a single VPN connection to the same IP address. Because Azure Stack Hub uses the multi-tenant gateway, which uses a single public IP for all VPN gateways in the Azure Stack Hub system, there can be only one VPN connection between two Azure Stack Hub systems. This limitation also applies to connecting more than one site-to-site VPN connection to any VPN gateway that uses a single IP address. Azure Stack Hub does not allow more than one local network gateway resource to be created using the same IP address.

Initial troubleshooting steps

The Azure Stack Hub default parameters for IPsec/IKEv2 have changed starting with the 1910 build. Please contact your Azure Stack Hub operator for more information on the build version.

Important

When using an S2S tunnel, packets are further encapsulated with additional headers. This encapsulation increases the overall size of the packet. In these scenarios, you must clamp TCP MSS at 1350. If your VPN devices do not support MSS clamping, you can set the MTU on the tunnel interface to 1400 bytes instead. For more information, see Virtual Network TCP/IP performance tuning.

  • Confirm that the VPN configuration is route-based (IKEv2). Azure Stack Hub does not support policy-based (IKEv1) configurations.

  • Check whether you are using a validated VPN device and operating system version. If the device is not a validated VPN device, you might have to contact the device manufacturer to see if there is a compatibility issue.

  • Verify that there are no overlapping IP ranges between the Azure Stack Hub virtual network and the on-premises network. Overlap can cause connectivity issues.

  • Verify the VPN peer IPs:

    • The IP definition in the Local Network Gateway object in Azure Stack Hub should match the on-premises device IP.

    • The Azure Stack Hub gateway IP definition that is set on the on-premises device should match the Azure Stack Hub gateway IP.

Status "Not Connected" - intermittent disconnects

  • Compare the shared key for the on-premises VPN device to the AzSH virtual network VPN to make sure that the keys match. To view the shared key for the AzSH VPN connection, use one of the following methods:

    • Azure Stack Hub tenant portal: Go to the VPN gateway site-to-site connection that you created. In the Settings section, select Shared key.


    • Azure PowerShell: Use the following PowerShell command:

Get-AzVirtualNetworkGatewayConnectionSharedKey -Name <Connection name> -ResourceGroupName <Resource group>

Status "Connected" - traffic not flowing

  • Check for, and remove, user-defined routes (UDRs) and network security groups (NSGs) on the gateway subnet, and then test the result. If the problem is resolved, validate the settings that the UDR or NSG applied.

    A user-defined route on the gateway subnet may be restricting some traffic and allowing other traffic. This makes it appear that the VPN connection is unreliable for some traffic and good for other traffic.

  • Check the on-premises VPN device external interface address.

    • If the internet-facing IP address of the VPN device is included in the Local network definition in Azure Stack Hub, you might experience sporadic disconnections.

    • The device's external interface must be directly on the internet. There should be no network address translation or firewall between the internet and the device.

    • To configure firewall clustering to have a virtual IP, you must break the cluster and expose the VPN appliance directly to a public interface with which the gateway can interface.

  • Verify that the subnets match exactly.

    • Verify that the virtual network address space(s) match exactly between the Azure Stack Hub virtual network and the on-premises definitions.

    • Verify that the subnets match exactly between the Local Network Gateway and the on-premises definitions for the on-premises network.
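The peer-IP, overlapping-range, subnet-match and "device IP inside the local network definition" checks above can be run offline against the values you collect from the portal and the device. The script below is an added example, not part of this article or of any Microsoft tooling; all addresses are constructed sample values and the dictionary layout is an assumption for illustration.

```python
"""Offline consistency checks for an S2S VPN definition (added example)."""
import ipaddress

# Constructed sample values; not taken from any real deployment.
AZS_VNET_PREFIXES = ["10.10.0.0/16"]                 # Azure Stack Hub virtual network address space
AZS_GATEWAY_IP = "198.51.100.5"                      # Azure Stack Hub VPN gateway public IP
LOCAL_NETWORK_GATEWAY = {                            # Local Network Gateway object in Azure Stack Hub
    "gateway_ip": "203.0.113.10",                    # on-premises device IP as defined in Azure Stack Hub
    "address_prefixes": ["192.168.0.0/24", "192.168.1.0/24"],
}
ONPREM_DEVICE = {                                    # what is actually configured on the on-premises device
    "external_ip": "203.0.113.10",                   # device's internet-facing interface address
    "peer_ip": "198.51.100.5",                       # Azure Stack Hub gateway IP set on the device
    "local_prefixes": ["192.168.0.0/24", "192.168.1.0/24"],
}


def normalize(prefix):
    """Canonical CIDR string so 192.168.1.5/24 and 192.168.1.0/24 compare equal."""
    return str(ipaddress.ip_network(prefix, strict=False))


def overlapping_prefixes(vnet_prefixes, onprem_prefixes):
    """Return (vnet, onprem) pairs whose ranges overlap."""
    return [(a, b) for a in vnet_prefixes for b in onprem_prefixes
            if ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))]


def check_s2s(vnet_prefixes, lng, device, azs_gateway_ip):
    """Run the checks from the troubleshooting list; an empty list means no finding."""
    findings = []
    if lng["gateway_ip"] != device["external_ip"]:
        findings.append("peer-ip-mismatch: Local Network Gateway IP != device external IP")
    if device["peer_ip"] != azs_gateway_ip:
        findings.append("peer-ip-mismatch: device peer IP != Azure Stack Hub gateway IP")
    if {normalize(p) for p in lng["address_prefixes"]} != {normalize(p) for p in device["local_prefixes"]}:
        findings.append("subnet-mismatch: Local Network Gateway prefixes != on-premises prefixes")
    for a, b in overlapping_prefixes(vnet_prefixes, lng["address_prefixes"]):
        findings.append(f"overlap: vnet {a} overlaps local network {b}")
    ext = ipaddress.ip_address(device["external_ip"])
    for p in lng["address_prefixes"]:
        if ext in ipaddress.ip_network(p, strict=False):   # sporadic-disconnect cause described above
            findings.append(f"device-ip-in-local-network: {ext} is inside {p}")
    return findings


if __name__ == "__main__":
    for line in check_s2s(AZS_VNET_PREFIXES, LOCAL_NETWORK_GATEWAY, ONPREM_DEVICE, AZS_GATEWAY_IP) or ["no findings"]:
        print(line)
```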

Create a support ticket

If none of the preceding steps resolves your issue, please create a support ticket and use the on-demand log collection tool to provide logs.