VPN between Windows Azure and Checkpoint

February 13, 2013, 9:45 am

≫ Next: Point to Site connectivity - clients ping to VM in Azure Virtual Network always times out

Hi,

I'm having issues establishing a VPN between my Checkpoint (R75.30) and Azure Network.

At the beginning we made the configuration and it aparently was working.

However in more specific tests we could see that the traffic is going down (we ping servers in the azure and sometimes they respond, and sometimes don't).

This behavior occurs randomly, and it affects some hosts of our network, and some hosts works without problems. After a certain time, the problem affects hosts that have working above, and those that aren't working, begin to works.

I hope someone can helps us with this problem.

The configuration is described below:

AZURE

Peer: *.*.*.*

Private Network (Encryption Domain): 10.215.0.0/16

CHECKPOINT

Peer: *.*.*.*

Private Network (Encryption Domain):172.16.0.0/16 y 172.15.0.0/16

Phase 1:

Encryption: AES-128

Integrity: SHA-1

DH: Group 2

Renegotiation: 28800 secs.

Preshared Key: The one generated for Azure.

Phase 2:

Encryption: AES-128

Integrity: SHA-1

DH: Group 2

Renegotiation: 3600 secs.

NO PFS

Thanks in advance.

Grettings.

Alvaro

↧

Point to Site connectivity - clients ping to VM in Azure Virtual Network always times out

December 26, 2013, 1:51 am

≫ Next: Point To Site Connectivity

≪ Previous: VPN between Windows Azure and Checkpoint

Hi team,

I have setup Point to Site connectivity and facing some issues. From a client machine, I am not able to ping the VM in my azure virtual network. Here is the details around my setup... any insights towards resolving this would be greatly appreciated...

1. I was able to create Virtual Network and have clients connected successfully! Check image below:

Network

2. DNS Server is the default one for my virtual network in Azure. Check image above for network landscape for my virtual network...

3. From the client machine I am not able to ping (it always times out) the private IP address of the VM. Expectation is that it should be possible - please correct me if my understanding is wrong. Check image for theipconfig at client end:

Client ipconfig

While giving suggestions, please provide relevant commands and snapshot so I can easily understand as I am new to networking world! :)

Thanks in advance!

Kannan

↧

Point To Site Connectivity

July 10, 2013, 5:42 pm

≫ Next: Transfer Files to Windows Azure Virtual Machine

≪ Previous: Point to Site connectivity - clients ping to VM in Azure Virtual Network always times out

Hi, I setup point to site vpn connectivity on azure, every thing was working fine until yesterday, i can open the vpn client exe and connect it, and ping one of the worker role ip in the network, no issues,

But today, i am still able start the vpn connection with no issues, i see on the azure dashboard, it says one client is connected.

But when i ping one the work role ip, i get one reply, the all others timeout, afterwards every time it times out on the ping request.

This started only today, i tried by creating a new VN, still the same. Do any of you know what could cause this issue?

↧

Transfer Files to Windows Azure Virtual Machine

December 26, 2013, 12:35 pm

≫ Next: Unable to join secondary domain controller to PDC hosted on Azure VM

≪ Previous: Point To Site Connectivity

Hello -

I am trying out the platform. I have set up a Windows Server 2012 virtual machine in Windows Azure and need to transfer some set up files to install SQL Server and other software on the VM.

First, I tried to use remote desktop to transfer files. It was quite slow. I then set up FTP Publishing Service and used FileZilla Client. It was slow too. What is the average speed to transfer files to a mid-size VM located in the same time zone as my workplace? Did I miss anything when configuring VM and setting up FTP Service?

Any advice is highly appreciated.

Thanks,

Chunlei

↧

Unable to join secondary domain controller to PDC hosted on Azure VM

November 30, 2013, 8:13 pm

≫ Next: How do I connect website to a database in a VM?

≪ Previous: Transfer Files to Windows Azure Virtual Machine

We have a cross site VPN to Azure. I have set up a VM in Azure to be a domain controller & DNS. I then added this machine as a DNS in my Azure Network.

Afterwards I joined a local machine to the new domain, it took a very long time, but eventually joined it. (Not sure why, because we have a very fast connection between our office and Azure). Then I attempted to join this server as a secondary domain controller, it failed. It would not get past the screen where it asks for credentials to for the domain. It keeps coming back, (after about 10 minutes), that the credentials supplied is invalid.

I give up at this point, can anyone please help.

Thanks.

↧

How do I connect website to a database in a VM?

December 28, 2013, 1:42 pm

≫ Next: Site to Site Tunnel Issue

≪ Previous: Unable to join secondary domain controller to PDC hosted on Azure VM

I'm creating a new website on Azure and want to connect it to a database which is in a virtual machine on Azure. How do I handle this?

The VM that hosts our SQL Server is in a virtual network on Azure. I'd appreciate some help with this.

Thanks, Sam

↧

Site to Site Tunnel Issue

January 2, 2014, 1:45 pm

≫ Next: Multiple Subnets for Site-to-Site

≪ Previous: How do I connect website to a database in a VM?

I built a site to site tunnel from our ASA to out Azure virtual network. I can connect fine from our network to a server in Azure. I can even ping that server. I can't connect back to our network from that same server. I've check firewalls on servers and tried to RDP back to a server on out internal network and nothing seems to work. So basically only one direction is working.

Any suggestions.

Thanks,

↧

Multiple Subnets for Site-to-Site

January 3, 2014, 8:36 am

≫ Next: Create VPN to Azure without dedicated VPN Hardware device ?

≪ Previous: Site to Site Tunnel Issue

All,

We are currently facing some issues with our Site-to-Site VPN setup between Azure and our site. We have multiple subnets in our on-premise network (like 10.128.0.0/12 and 172.24.0.0/16). This seems to cause problems with the Azure VPN as some of those subnets become unreachable after time. Somehow, the first subnet (a 10.127.0.0/16) in the list is always accessible from both Azure as our premise.

Does anybody have seen/experienced similar issues?

Regards, Gilles

↧

Create VPN to Azure without dedicated VPN Hardware device ?

June 19, 2012, 10:11 pm

≫ Next: Multiple virtual networks from the same site

≪ Previous: Multiple Subnets for Site-to-Site

I've been looking at the VPN to On-Premise options using as per below. Are there any plans to make this possible using something Windows Server RRAS / Gateway so we dont need an expensive hardware solution like the list of supported devices below ? Talking to a small business here there have around 20 seats at an existing site with an existing Windows 2008 Server . Want to evaluate looking at moving some services to cloud / hybrid model. I'm assuming Azure Connect wont help here either ?

http://msdn.microsoft.com/en-us/library/windowsazure/jj156075

cheers

Andy

↧

Multiple virtual networks from the same site

May 31, 2013, 8:25 am

≫ Next: how to route internet traffic through azure point-to-site vpn?

≪ Previous: Create VPN to Azure without dedicated VPN Hardware device ?

We have multiple people at our site testing Azure via separate accounts (MSDN subscriptions). Each are using test machines on the same local subnet. One was able to create a site-to-site virtual network and can access machines across this network in both directions. A second user went through the process of creating a virtual network, and worked with IT to get our VPN device configured for this connection. That tunnel appears to be good from an IT perspective, though this second user cannot access any of their machines across their virtual network. The network configurations of each user was exported and compared, and they are pretty much identical.

Is there a limitation on the number of virtual networks that can be created from a single site? Is there any way for multiple users with different subscriptions to share the same virtual network?

↧

how to route internet traffic through azure point-to-site vpn?

January 4, 2014, 9:05 pm

≫ Next: VPN tunnel timeouts

≪ Previous: Multiple virtual networks from the same site

When I'm connected to the point-to-site VPN, I want all internet traffic routed through the PTS VPN connection. From googling, I'm under the impression that I may need to configure a NAT router on a VM in the azure virtual network. I've tried to do this by creating a CentOS VM and making iptables configurations (and making route table configurations on the VPN client), but I haven't been able to get it to work. It's especially difficult because NAT router configurations are typically with 2 nics, but I'm limited to 1 nic on an azure VM.

Can anyone offer some general suggestions on strategies I might be able to pursue to get my internet traffic to route through my azure virtual network when I'm connected to the point-to-site VPN connection?

↧

VPN tunnel timeouts

January 6, 2014, 12:52 am

≫ Next: Juniper SSG 550 + Azure site-to-site VPN tunnel up, no traffic

≪ Previous: how to route internet traffic through azure point-to-site vpn?

I have a static VPN tunnel from Azure to our internal network via a Juniper SRX240
The tunnel 'hangs' from time to time (ping time-out, RDP sessions not responding, etc).

When the timeout happens, the tunnel continues to show up in Azure as "Connected"
Also the juniper devices shows the tunnel as "up".

Other VPN tunnels are not affected.
Only ping time-outs occur to IP's in Azure.

Azure range: 10.200.0.0/16
Internal ranges: 10.170.0.0/16, 10.180.0.0/16 & 10.190.0.0/16

I've also tried to re-create the entire VPN tunnel from scratch, without success.

Any ideas what can cause this behavior?

Azure VPN Tunnel is configured to use: PayperUsage-WestEurope

↧

Juniper SSG 550 + Azure site-to-site VPN tunnel up, no traffic

January 7, 2014, 9:04 am

≫ Next: Virtual Machine is unnable to join to domain using Powershell cmdlets

≪ Previous: VPN tunnel timeouts

Hi all,

I have configured a Juniper SSG550 and Azure to have site-to-site connectivity via a VPN tunnel.

This was working for the past few weeks, then all of a sudden yesterday, it stopped passing traffic. Nothing has changed my end.

On the juniper I see the tunnel is up:

ln1-fwl01(M)-> get sa
total configured sa: 10

00000014< 137.117.183.x 500 esp:3des/sha1 23d60503 794 unlim A/- -1 0
00000014> 137.117.183.x 500 esp:3des/sha1 5764ac64 794 unlim A/- -1 0

and i've reset the SAs by issuing the command

clear sa 0x14

The tunnel seems to be up on the azure side too.

Not sure what's going on? Any ideas?

↧

Virtual Machine is unnable to join to domain using Powershell cmdlets

June 29, 2012, 2:28 am

≫ Next: Custom Domain Name - 123 reg

≪ Previous: Juniper SSG 550 + Azure site-to-site VPN tunnel up, no traffic

Hi All,

I'm creating a Virtual Machine in IAAS preview environment throught New-AzureVM cmdlet. However I'm unable to join my VM to a domain. I followed the tutorial which shows how to create a active directory forest and how to join VM into the domain at the time of provisioning. Here are the commands I'm executing in the Azure Powershell Command prompt:

$appvm3 = New-AzureVMConfig -Name "<VM_Name>" -InstanceSize Small -ImageName "<VHD_Name>" -MediaLocation "<URL Of VHD>" | Add-AzureProvisioningConfig -Password "password" -WindowsDomain -JoinDomain "abc.xyz.com" -Domain "abc.xyz.com" -DomainUserName "ankit" -DomainPassword "password" | Set-AzureSubnet Subnet

New-AzureVM -DeploymentName Win7VM1 -DnsSettings (New-AzureDns testdc 192.168.1.5) -VNetName VirtualLabNetwork -ServiceName appvm3 -AffinityGroup VirtualLabsGroup -VMs $appvm3

When I execute the above command, I get "The specified dns name is already taken".

I've tried removing -DnsSettings in the New-AzureVM command but that too is not working for me.

Please suggest if I'm doing anything wrong here.

However, manually, I'm able to join the domain.

Thanks

Ankit

↧

Custom Domain Name - 123 reg

January 8, 2014, 5:15 am

≫ Next: ERROR_VPN_REFUSED 808

≪ Previous: Virtual Machine is unnable to join to domain using Powershell cmdlets

Hi,

After following the documentation found here on the manage domains portal I am still getting a 404.

I can code, I have a degree in IT but I am not big on networking and I am not having much fun with this DNS management stuff. Below is are screen shots of the details I have entered.

<label for="ws-manage-domains-ip-address" style="display:block;font-size:11px;line-height:11px;font-family:'Segoe UI Semibold';text-transform:uppercase;margin-bottom:7px;float:left;">THE IP ADDRESS TO USE WHEN YOU CONFIGURE A RECORDS</label>

137.117.224.218

And these are the details I entered in my domain name provider 123 reg

Well I tried to enter them but I got the message Body text cannot contain images or links until we are able to verify your account

WELL THANKS FOR THE HEADS UP LET ME WASTE MORE OF MY TIME.

DNS ENTRY	TYPE	PRIORITY	TTL	DESTINATION/TARGET
*	A			81.21.76.62

81.21.76.62

mx0.123-reg.co.uk.

mx1.123-reg.co.uk.

awverify

CNAME

awverify.jjgallagher...

www

137.117.224.218

Any help with this would be greatly appreciated. It has been a couple of weeks I have been trying to get this sorted now. Many thanks Joe

↧

ERROR_VPN_REFUSED 808

January 8, 2014, 6:56 am

≫ Next: I can not enable site-to-site connectivity

≪ Previous: Custom Domain Name - 123 reg

Hey,

Im trying to create a VPN connection between Windows Azure and my local network. When im trying to connect Windows Azure with this command "Connect-VPNS2Sinterface -Name (IP-address)". I get this message:

"The network connection between your computer and the VPN server could not be established because the remote server refused the connection. This is typically caused by a mismatch between the server's configuration and your connection settings. Please contact the remote server's Administrator to verify the server configuration and your connection settings."

RRAS is active and everythings seems good but somethings is wrong and i dont know what it is, please help me.

Best regards
Steven

↧

I can not enable site-to-site connectivity

January 9, 2014, 7:03 am

≫ Next: My Azure VM cannot communicat outbound to our On-Premise Local Network via Site-to-Site Virtual Network connection

≪ Previous: ERROR_VPN_REFUSED 808

The site-to-site connectivity box is greyed out and I can't figure out how to enable it. I need to create a site-to-site VPN connection, HELP?

↧

My Azure VM cannot communicat outbound to our On-Premise Local Network via Site-to-Site Virtual Network connection

January 9, 2014, 12:35 pm

≫ Next: Virtual network between VM-s is extremely slow

≪ Previous: I can not enable site-to-site connectivity

We have a Site-to-Site IPSEC VPN link established with our Azure Virtual Network. Created an Azure VM and DHCP correctly assigned an IP from the Virtual Networks subnet as well as our local DNS servers. From On premise I can ping that Virtual Networks private IP address, RDP to the Azure VM, file copy from our local network to the Azure VM.

However, once on the Azure VM I cannot ping the Gateway assigned to it, ping any clients on our local network even the client I am RDP.

↧

Virtual network between VM-s is extremely slow

January 10, 2014, 12:21 am

≫ Next: VMs in virtual network w/ STS lose connectivity

≪ Previous: My Azure VM cannot communicat outbound to our On-Premise Local Network via Site-to-Site Virtual Network connection

I have three VM-s running on Windows Azure:

- AD server (small instance)
- MSSQL (medium instance)
- SP2013 (medium instance)

Machines are connected using Virtual Network and this network doesn't have any connections with on-premises environments.

For some reason the farm installation works extremely slow - everything takes long time if it is about network.

I checked the following:

CPU consumption on all machines is low or near average
Machines have enough memory
There doesn't seem to be problems with discs (no high disk queue detected)

Network related issued I detected:

Data communication between MSSQL and SharePoint is smaller than usual
Maximum network speed I see between these two is somewhere around 800 kbps
SharePoint complaints about slow SQL queries

What I can do to optimize my virtual network?

With best regards,
Gunnar Peipman

Also visit my ASP.NET and SharePoint blog!

↧

VMs in virtual network w/ STS lose connectivity

January 10, 2014, 5:11 am

≫ Next: HTTP traffic does not reach VM in Azure via VPN

≪ Previous: Virtual network between VM-s is extremely slow

I'm having multiple issues with azure VMs that have a similar theme. I configure a VM and some services running on it, everything is working great, I sign off and never touch the VM again, and a day or two later it's no longer working.

In this specific case, I have configured ADFS 2.1 on a Windows Server 2012 R2 VM. The VM is joined to a domain. The domain controllers are on-premises. The VM is part of a virtual network that is connected to the on-premises network via a site-to-site gateway.

Within 24-48 hours of starting the VM, I'll realize that ADFS has stopped working. When I look in the event log, I'll see things like:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

An error was encountered during certificate rollover. The monitoring cycle was shut down. 

Exception details: 
The directory service is unavailable.

When the VM first starts, I can ping the domain controller from the VM, and tracert looks normal. Once the problems start, I can still ping the DC, but tracert gives "Request timed out" after the first hop (which is to the ip assigned to the VM). The other thing I notice is that the name of the network adapter changes. When I start the VM, it will be "Microsoft Hyper-V Network Adapter #2". When I come back a day or two later to check on the VM because it's failing, the name will have changed to "Microsoft Hyper-V Network Adapter #3" (and then #4, #5, etc).

Restarting the VM restores all connectivity to the on-premises domain controllers, ADFS starts working again, etc. But why do I have to constantly reboot, and how can I troubleshoot this?

Edit:

Actually, I misspoke. tracert to the dc always gives "Request timed out" after the first hop, even when the VM is first started and ADFS is working. is that expected?

↧