Azure 網路監看員中的資源疑難排解簡介Introduction to resource troubleshooting in Azure Network Watcher

虛擬網路閘道可提供 Azure 中內部部署資源與其他虛擬網路之間的連線。Virtual Network Gateways provide connectivity between on-premises resources and other virtual networks within Azure. 監視閘道器及其連線,對於確保通訊不中斷至關重要。Monitoring gateways and their connections are critical to ensuring communication is not broken. 網路監看員可提供針對閘道和連線進行疑難排解的功能。Network Watcher provides the capability to troubleshoot gateways and connections. 此功能可透過入口網站、PowerShell、Azure CLI 或 REST API 呼叫。The capability can be called through the portal, PowerShell, Azure CLI, or REST API. 一經呼叫,網路監看員就會診斷閘道或連線的健康情況,並傳回相關結果。When called, Network Watcher diagnoses the health of the gateway, or connection, and returns the appropriate results. 此要求是長時間執行的交易。The request is a long running transaction. 完成診斷之後,會傳回結果。The results are returned once the diagnosis is complete.

入口網站

結果Results

傳回的初步結果會提供資源的整體健康情況。The preliminary results returned give an overall picture of the health of the resource. 可以針對資源提供如下一節所示的更深入資訊︰Deeper information can be provided for resources as shown in the following section:

下列清單是透過疑難排解 API 傳回的值︰The following list is the values returned with the troubleshoot API:

  • startTime - 此值是疑難排解 API 呼叫的開始時間。startTime - This value is the time the troubleshoot API call started.
  • endTime - 此值是疑難排解結束時的時間。endTime - This value is the time when the troubleshooting ended.
  • code - 如果有單一診斷失敗,此值為 UnHealthy。code - This value is UnHealthy, if there is a single diagnosis failure.
  • results - 結果是在連線或虛擬網路閘道上傳回的結果集合。results - Results is a collection of results returned on the Connection or the virtual network gateway.
    • id - 此值是錯誤類型。id - This value is the fault type.
    • summary - 此值是錯誤摘要。summary - This value is a summary of the fault.
    • detailed - 此值提供錯誤的詳細說明。detailed - This value provides a detailed description of the fault.
    • recommendedActions - 此屬性是建議採取的動作集合。recommendedActions - This property is a collection of recommended actions to take.
      • actionText - 此值包含用於描述所要採取之動作的文字。actionText - This value contains the text describing what action to take.
      • actionUri - 此值提供如何採取行動的文件URI。actionUri - This value provides the URI to documentation on how to act.
      • actionUriText - 此值是動作文字的簡短說明。actionUriText - This value is a short description of the action text.

下表顯示可用的不同錯誤類型 (上述清單中 results 底下的 id) 以及該錯誤是否會建立記錄。The following tables show the different fault types (id under results from the preceding list) that are available and if the fault creates logs.

閘道器Gateway

錯誤類型Fault Type 原因Reason 記錄檔Log
NoFaultNoFault 未偵測到任何錯誤時When no error is detected Yes
GatewayNotFoundGatewayNotFound 找不到閘道或閘道尚未佈建Cannot find gateway or gateway is not provisioned No
PlannedMaintenancePlannedMaintenance 閘道執行個體正在進行維護Gateway instance is under maintenance No
UserDrivenUpdateUserDrivenUpdate 當正在更新使用者時,會發生此錯誤。This fault occurs when a user update is in progress. 此更新可能是調整大小作業。The update could be a resize operation. No
VipUnResponsiveVipUnResponsive 由於健康情況探查失敗而無法連線到閘道的主要執行個體時,會發生此錯誤。This fault occurs when the primary instance of the gateway can't be reached due to a health probe failure. No
PlatformInActivePlatformInActive 平台發生問題。There is an issue with the platform. No
ServiceNotRunningServiceNotRunning 基礎服務並未執行。The underlying service is not running. No
NoConnectionsFoundForGatewayNoConnectionsFoundForGateway 閘道上沒有任何連線存在。No connections exist on the gateway. 此錯誤只是警告。This fault is only a warning. No
ConnectionsNotConnectedConnectionsNotConnected 未建立連線。Connections are not connected. 此錯誤只是警告。This fault is only a warning. Yes
GatewayCPUUsageExceededGatewayCPUUsageExceeded 目前的閘道 CPU 使用量 > 95%。The current gateway CPU usage is > 95%. Yes

連線Connection

錯誤類型Fault Type 原因Reason 記錄檔Log
NoFaultNoFault 未偵測到任何錯誤時When no error is detected Yes
GatewayNotFoundGatewayNotFound 找不到閘道或閘道尚未佈建Cannot find gateway or gateway is not provisioned No
PlannedMaintenancePlannedMaintenance 閘道執行個體正在進行維護Gateway instance is under maintenance No
UserDrivenUpdateUserDrivenUpdate 當正在更新使用者時,會發生此錯誤。This fault occurs when a user update is in progress. 此更新可能是調整大小作業。The update could be a resize operation. No
VipUnResponsiveVipUnResponsive 由於健康情況探查失敗而無法連線到閘道的主要執行個體時,會發生此錯誤。This fault occurs when the primary instance of the gateway can't be reached due to a health probe failure. No
ConnectionEntityNotFoundConnectionEntityNotFound 缺少連線組態Connection configuration is missing No
ConnectionIsMarkedDisconnectedConnectionIsMarkedDisconnected 連線標記為「已中斷連線」The connection is marked "disconnected" No
ConnectionNotConfiguredOnGatewayConnectionNotConfiguredOnGateway 基礎服務未設定連線。The underlying service does not have the connection configured. Yes
ConnectionMarkedStandbyConnectionMarkedStandby 基礎服務標記為「待命」。The underlying service is marked as standby. Yes
AuthenticationAuthentication 預先共用的金鑰不相符Preshared key mismatch Yes
PeerReachabilityPeerReachability 無法連線到對等閘道。The peer gateway is not reachable. Yes
IkePolicyMismatchIkePolicyMismatch 對等閘道的 IKE 原則不受 Azure 支援。The peer gateway has IKE policies that are not supported by Azure. Yes
WfpParse ErrorWfpParse Error 剖析 WFP 記錄時發生錯誤。An error occurred parsing the WFP log. Yes

支援的閘道類型Supported Gateway types

下表列出網路監看員疑難排解所支援的閘道和連線:The following table lists which gateways and connections are supported with Network Watcher troubleshooting:

閘道類型Gateway types
VPNVPN 支援Supported
ExpressRouteExpressRoute 不支援Not Supported
VPN 類型VPN types
路由式Route Based 支援Supported
原則式Policy Based 不支援Not Supported
連線類型Connection types
IPsecIPSec 支援Supported
VNet2VnetVNet2Vnet 支援Supported
ExpressRouteExpressRoute 不支援Not Supported
VPNClientVPNClient 不支援Not Supported

記錄檔Log files

在資源疑難排解完成之後,資源疑難排解記錄檔會儲存在儲存體帳戶中。The resource troubleshooting log files are stored in a storage account after resource troubleshooting is finished. 下圖顯示造成錯誤的呼叫內容範例。The following image shows the example contents of a call that resulted in an error.

zip 檔案

注意

在某些情況下,只有部分的記錄會寫入至儲存體。In some cases, only a subset of the logs files is written to storage.

如需從 Azure 儲存體帳戶下載檔案的指示,請參閱以 .NET 開始使用 Azure Blob 儲存體For instructions on downloading files from azure storage accounts, refer to Get started with Azure Blob storage using .NET. 另一項可用工具為儲存體總管。Another tool that can be used is Storage Explorer. 如需有關「儲存體總管」的詳細資訊,請參閱下列連結:儲存體總管More information about Storage Explorer can be found here at the following link: Storage Explorer

ConnectionStats.txtConnectionStats.txt

ConnectionStats.txt 檔案包含連線的整體統計資料,包括輸入和輸出位元組、連線狀態,以及連線的建立時間。The ConnectionStats.txt file contains overall stats of the Connection, including ingress and egress bytes, Connection status, and the time the Connection was established.

注意

如果疑難排解 API 的呼叫傳回狀況良好,則 zip 檔案中傳回的唯一項目是 ConnectionStats.txt 檔案。If the call to the troubleshooting API returns healthy, the only thing returned in the zip file is a ConnectionStats.txt file.

此檔案的內容類似於下列範例:The contents of this file are similar to the following example:

Connectivity State : Connected
Remote Tunnel Endpoint :
Ingress Bytes (since last connected) : 288 B
Egress Bytes (Since last connected) : 288 B
Connected Since : 2/1/2017 8:22:06 PM

CPUStats.txtCPUStats.txt

CPUStats.txt 檔案包含測試階段可用的 CPU 使用量與記憶體。The CPUStats.txt file contains CPU usage and memory available at the time of testing. 此檔案的內容類似於下列範例:The contents of this file is similar to the following example:

Current CPU Usage : 0 % Current Memory Available : 641 MBs

IKEErrors.txtIKEErrors.txt

IKEErrors.txt 檔案包含在監視期間找到的任何 IKE 錯誤。The IKEErrors.txt file contains any IKE errors that were found during monitoring.

下列範例顯示 IKEErrors.txt 檔案的內容。The following example shows the contents of an IKEErrors.txt file. 您的錯誤可能因問題而有所不同。Your errors may be different depending on the issue.

Error: Authentication failed. Check shared key. Check crypto. Check lifetimes. 
     based on log : Peer failed with Windows error 13801(ERROR_IPSEC_IKE_AUTH_FAIL)
Error: On-prem device sent invalid payload. 
     based on log : IkeFindPayloadInPacket failed with Windows error 13843(ERROR_IPSEC_IKE_INVALID_PAYLOAD)

Scrubbed-wfpdiag.txtScrubbed-wfpdiag.txt

Scrubbed-wfpdiag.txt 記錄檔包含 wfp 記錄。The Scrubbed-wfpdiag.txt log file contains the wfp log. 此記錄包含套件置放和 IKE/AuthIP 失敗的記錄。This log contains logging of packet drop and IKE/AuthIP failures.

下列範例顯示 Scrubbed-wfpdiag.txt 檔案的內容。The following example shows the contents of the Scrubbed-wfpdiag.txt file. 在此範例中,連線的共用金鑰不正確 (可以從底部算起的第三行看出來)。In this example, the shared key of a Connection was not correct as can be seen from the third line from the bottom. 下列範例是只是整個記錄的某個片段,因為視問題而定,記錄可能很冗長。The following example is just a snippet of the entire log, as the log can be lengthy depending on the issue.

...
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|Deleted ICookie from the high priority thread pool list
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|IKE diagnostic event:
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|Event Header:
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  Timestamp: 1601-01-01T00:00:00.000Z
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  Flags: 0x00000106
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|    Local address field set
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|    Remote address field set
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|    IP version field set
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  IP version: IPv4
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  IP protocol: 0
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  Local address: 13.78.238.92
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  Remote address: 52.161.24.36
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  Local Port: 0
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  Remote Port: 0
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  Application ID:
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  User SID: <invalid>
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|Failure type: IKE/Authip Main Mode Failure
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|Type specific info:
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  Failure error code:0x000035e9
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|    IKE authentication credentials are unacceptable
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|
[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|  Failure point: Remote
...

wfpdiag.txt.sumwfpdiag.txt.sum

wfpdiag.txt.sum 檔案是顯示已處理緩衝區和事件的記錄。The wfpdiag.txt.sum file is a log showing the buffers and events processed.

下列範例是 wfpdiag.txt.sum 檔案的內容。The following example is the contents of a wfpdiag.txt.sum file.

Files Processed:
    C:\Resources\directory\924336c47dd045d5a246c349b8ae57f2.GatewayTenantWorker.DiagnosticsStorage\2017-02-02T17-34-23\wfpdiag.etl
Total Buffers Processed 8
Total Events  Processed 2169
Total Events  Lost      0
Total Format  Errors    0
Total Formats Unknown   486
Elapsed Time            330 sec
+-----------------------------------------------------------------------------------+
|EventCount    EventName            EventType   TMF                                 |
+-----------------------------------------------------------------------------------+
|        36    ikeext               ike_addr_utils_c844  a0c064ca-d954-350a-8b2f-1a7464eef8b6|
|        12    ikeext               ike_addr_utils_c857  a0c064ca-d954-350a-8b2f-1a7464eef8b6|
|        96    ikeext               ike_addr_utils_c832  a0c064ca-d954-350a-8b2f-1a7464eef8b6|
|         6    ikeext               ike_bfe_callbacks_c133  1dc2d67f-8381-6303-e314-6c1452eeb529|
|         6    ikeext               ike_bfe_callbacks_c61  1dc2d67f-8381-6303-e314-6c1452eeb529|
|        12    ikeext               ike_sa_management_c5698  7857a320-42ee-6e90-d5d9-3f414e3ea2d3|
|         6    ikeext               ike_sa_management_c8447  7857a320-42ee-6e90-d5d9-3f414e3ea2d3|
|        12    ikeext               ike_sa_management_c494  7857a320-42ee-6e90-d5d9-3f414e3ea2d3|
|        12    ikeext               ike_sa_management_c642  7857a320-42ee-6e90-d5d9-3f414e3ea2d3|
|         6    ikeext               ike_sa_management_c3162  7857a320-42ee-6e90-d5d9-3f414e3ea2d3|
|        12    ikeext               ike_sa_management_c3307  7857a320-42ee-6e90-d5d9-3f414e3ea2d3|

後續步驟Next steps

若要了解如何診斷閘道或閘道連線的問題,請參閱診斷網路間的通訊問題To learn how to diagnose a problem with a gateway or gateway connection, see Diagnose communication problems between networks.