Diagnose a communication problem between networks
In this we will learn about how to diagnose a problem with a virtual network gateway with Network Watcher’s VPN diagnostics capability and diagnose a problem with a gateway connection.
Prerequisites
For using VPN diagnostics, you must have an existing, running VPN gateway. If you don’t have an existing VPN gateway to diagnose, you can deploy one using a PowerShell script. However, you can run the PowerShell script from:
- Firstly, a local PowerShell installation: The script requires the Azure PowerShell Az module. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell.
- Secondly, the Azure Cloud Shell: The Azure Cloud Shell has the latest version of PowerShell installed and configured, and logs you into Azure.
Enable Network Watcher
If you already have a network watcher enabled in the East US region, skip to Diagnose a gateway.
- Firstly, in the portal, select All services. In the Filter box, enter Network Watcher. And, when Network Watcher appears in the results, select it.
- Secondly, select Regions, to expand it, and then select … to the right of East US, as shown in the following picture:
- Lastly, select Enable Network Watcher.
Diagnose a gateway
- Firstly, on the left side of the portal, select All services.
- Then, start typing network watcher in the Filter box. And, when Network Watcher appears in the search results, select it.
- Thirdly, under NETWORK DIAGNOSTIC TOOLS, select VPN Diagnostics.
- After that, select Storage account, and then select the storage account you want to write diagnostic information to.
- Next, from the list of Storage accounts, select the storage account you want to use. If you don’t have an existing storage account, select + Storage account, enter, or select the required information, and then select Create, to create one. However, if you created a VPN gateway using the script in prerequisites, you may want to create the storage account in the same resource group, TestRG1, as the gateway.
- From the list of Containers, select the container you want to use, and then select Select. If you don’t have any containers, select + Container, enter a name for the container, then select OK.
- Then, select a gateway, and then select Start troubleshooting. As shown in the following picture, the test is run against a gateway named Vnet1GW:
- While the test is running, Running appears in the TROUBLESHOOTING STATUS column where Not started is shown, in the previous picture. The test may take several minutes to run.
- View the status of a completed test. The following picture shows the status results of a completed diagnostic test:
- Lastly, when you select the Action tab, VPN diagnostics provides additional information. In the example, shown in the following picture, VPN diagnostics lets you know that you should check the health of each connection.
Diagnose a gateway connection
A gateway is connected to other networks via a gateway connection. Both the gateway and gateway connections must be healthy for successful communication between a virtual network and a connected network.
- Firstly, complete step 7 of Diagnose a gateway again, this time, selecting a connection.
- After the test of the connection is complete, you receive results similar to the results shown in the following pictures on the Status and Action tabs:
However, VPN diagnostics informs you what is wrong on the Status tab, and gives you several suggestions for what may be causing the problem on the Action tab. And, if the gateway you tested was the one deployed by the script in Prerequisites, then the problem on the Status tab, and the first two items on the Actions tab are exactly what the problem is. The script configures a placeholder IP address, 23.99.221.164, for the on-premises VPN gateway device.
Reference: Microsoft Documentation