Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum
Viewing all 6513 articles

PAN-2-DMZ and WEBSERVER

Hello Everyone,

I have been working on Azure and I have come across an issue. I want to deploy two or more web servers on different subnets for a proof of concept for my client. I am able to configure only one web server, and now I am wondering how I would be able to configure another web server when I have one firewall with one outside interface and one public IP bound to it.
The on-premises solution is that we have a pool of public IPs on the outside interface and I can NAT it to any web server or DMZ the way I want, but in Azure cloud I am wondering how I can replicate the same behavior?
Can you kindly help me out? Any documentation or video that I can check for it?
P.S. My current topology has one firewall, 2 web servers (in different subnets) and I have two Route-Tables for each server.

Regards

Sadaat


Access the vm Ubuntu azure from multiple ip public via ssh

I created a new Linux VM (Ubuntu) in Azure. The model is d4_v3; it has the possibility of multiple NICs. My issue is to create 2 public IPs in the same VM.

I already created 2 NIC cards and I had 2 public IPs, so I want to access the VM via the two public IPs via SSH. The first IP is working for SSH but the second is not. I checked ifconfig and found eth0 and eth1.

How can I make the VM accessible via the two public IPs? Thanks indeed.

Not able to Create Linux NVA with Availability Zone

Hi,

I am not able to create an Availability Zone with a Linux NVA. Wherever I try to create NVAs I get the error that the availability zone is not supported by the region, and if I change the region then I get the error that the instance is not available in that region.

I tried the same steps above with multiple regions and instance sizes but no luck.

Please confirm the best region and instance size which are supported by Availability Zone for Linux NVA.

Running a query for Web Application firewall to fetch attack logs

Hi all,

I need to run a query to retrieve the following details on Azure Web Application Firewall. The result should contain the following details:

URL of the website, Client IP address, Security Alert ID, Security Alert Name, Security Alert description.

Is it possible to get the above details from a single query? While checking I could see that the website name and client IP address are in the table AzureDiagnostics and the remaining parameters are in the table SecurityEvents. Can someone assist?

VPN showing Connected but still not able to ping from VMs to onpremise device (Site-to-Site VPN)

Hi Support, 

We would like your assistance if you can advise whether my configuration for setting up the Virtual Network IP address in Azure cloud is doable or not. Below is the IP address range that I set up on Azure.



Virtual Network (Address Space) - 172.16.0.0/16

Connected Devices to all VMs - using the 172.16.20.0/24 block

Subnets

AzureLAN - 172.16.20.0/24

GatewaySubnet - 172.16.0.0/28

Visual Studio Enterprise – MPN subscription not support Availability Zone

Hi All,

During the Azure deployment in my lab I faced an issue with the Visual Studio Enterprise – MPN subscription, where I am not able to deploy NVAs in the France Central location but it works fine in the Central US location.

Can anyone confirm if there is any limitation with the Visual Studio Enterprise – MPN subscription?

Please note I am using a JSON script and I did the testing with the same script; however, I made a minor edit in the script to update the deployment location (France Central / Central US) for the respective tests.


Sandeep

Replace certificate Azure Point to Site

Hi all,

We have set up a Point to Site VPN in Azure for a customer. This was done by a former colleague. We haven't used the VPN for a while. But now I'm trying to connect the VPN again, and I get the error: A certificate could not be found that can be used with this Extensible Authentication Protocol. I have reinstalled my laptop with Windows 10, so that could be the reason for the missing certificate. The problem is that I can't find the root and client certificates anymore...

So, I decided to delete the current certificate in Azure VPN and create a new one. I uploaded the new root certificate to Azure and installed the client certificate on my laptop (current user, personal). I removed the old VPN client and downloaded it again from the Azure portal. But I keep getting this error:

A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)

I tried to manually configure a VPN connection and point it to the client certificate, but still no connection... I keep getting this error...

Do I need to change some other settings? Please help :)

Best regards,

Koos


Download VPN configuration failing to create configuration file

https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal

I'm following Step 7 of this guide and the storage blob gets created; however, the VPN configuration file is empty.

It appears that the blob gets created and populated successfully.


Site-to-Site VPN, address space & NAT

Hi,

I've configured an Azure VNET to connect an AppService with an external web service from a partner company. The web service is not exposed via public internet, so a VPN (site-to-site connection, vnet gateway and so on...) has been established to access the service from my appservice. No issues at this point.

Now, I have another partner and a similar scenario... I need to connect another web service, and I'll need to configure another site-to-site connection.

My problem is that the address space configured from my vnet (10.0.0.0/26) is already reserved and not available in the second providers' network.

I've been asked to NAT the 10.0.0.0/26 addresses to another range so there's no overlapping between both sites, but I don't know if this is possible to do at all, and from what I've read it is not supported at all.

So, my question is... how am I supposed to tackle this issue? I mean, there should be some way to NAT those addresses somehow, as it is impossible to ensure that a specific address range will always be available for current or future partners. It seems quite a common scenario to me.

Thanks!

Rodrigo.

Connecting client Machines using my VNET

Hello,

I recently created a VNET in Azure. I have a couple of machines successfully connected to my VNET but I cannot get them to connect to each other via RDP. My machines are connected to different Wi-Fi networks at different locations and I want to be able to RDP from one into another (which is why I set up a VPN to begin with). Any ideas on what I may need to do to accomplish this? Right now I have a VNET, VNETGateway and VNETGatewaypip set up. Am I missing anything in my architecture?

Thanks, 

Express route Deployment

Hello Team, 

Hope someone can guide me on one of our client's requirements here.

Our client has a number of VMs in an IaaS environment. They are also using O365 products on Azure over the Internet. They want to deploy ExpressRoute from their Azure environment to the O365 cloud. Is that possible? If so, could you please suggest how to go about it?

Thanks 

BKFS. 


How to change DNS

Change DNS on gateway w/o breaking connection --- We would like to completely update the DNS on our gateway (remove all/both current IPs and add two new ones). However, we do not wish to rebuild the connection and we are trying to mitigate downtime.

Any suggestions, please?

POINT TO SITE- VPN(UBUNTU 18.04)

Team,

I have created a point-to-site setup; it's working perfectly fine with a Windows machine. But when I try to use it with an Ubuntu machine I am not getting the option to select IPSec/IKEv2 as mentioned in the MS link.

Ubuntu version I am using: 18.08

StrongSwan version: 5.6.3

Force traffic to Storage Account to go over Internet rather than Azure backbone

Hi,

Is there a way to force traffic to Storage Account to go over Internet rather than Azure backbone? My scenario:

- Two Azure Tenants T1, T2
- T1 has Storage Account with Firewall enabled and restricted traffic to one of the T1's subnets
- T2 would like to access the SA in T1 through a public IP address exception in the SA's firewall
- We can't do Vnet peering between T1 and T2 for certain reasons

Is there a way to force traffic from T2 to T1's Storage Account to go over the Internet rather than let Azure route it over the Azure backbone?

Microsoft's doc says:

"If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in. You can override Azure's default system route for the 0.0.0.0/0 address prefix with a custom route."

In T2, as a test, I have deployed:

- Vnet
- AzureFirewallSubnet and Azure Firewall
- Subnet1

I've created a Route Table on Subnet1 with a Virtual Appliance rule to go from 0.0.0.0/0 to the AF's private IP. It seems to route the traffic to the Storage Account through AF's firewall. However, it seems that as soon as a request from a VM in Subnet1 to the Storage Account reaches AF, it's routed through the Azure backbone rather than AF's public IP.

Could you please advise, is there a way to force the traffic to go through the AF's public IP?


Health probe on V2 Application Gateway giving false positive

Hi,

A V2 application gateway with the default health probe is returning a health status of healthy for my web server. This is a false positive, as I have turned off IIS on the server specifically to test the probe/load balancing.

The V1 application gateway I created is giving me the correct health status for the same server.

Are there any known issues with the V2 health probe? If so, are there any workarounds or fixes?

Thanks




A policy-based VPN gateway cannot have more than one connection. If you would like to add a different connection, please first delete this gateway’s existing connection.

I'm getting that error after I set up a VPN tunnel using Cisco ASA 5512-X (Version 9.2(2)4). What I used in Azure is the Policy Based VPN type, and I have 6 VMs connected on my Virtual Network with the IP range 172.16.20.0/24. Please advise if I need to set up the VPN type in Azure as Route Based; my Cisco ASA 5512-X (Version 9.2(2)4) is IKEv2 version. Please check and advise.

My initial intention is that I need to connect two VPN sites (on-premises) with 2 public IPs to a single Azure Virtual Network (see the attached diagram). Do I need to set up a site-to-site connection on both public IPs before I configure the PowerShell, because this would be a site-to-multisite connection?


P2S VPN Client rename

Hello,

Is there a way to rename the P2S client on Windows? Renaming the connection name under connection properties breaks the functionality of the VPN client. And since I have multiple "Hub" VNets... you know.

Cheers, Matt

Looping Connection Reset in OpenVPN with cert auth

Hi guys,


I'm wondering if anyone has hit this issue before or knows where to try and look? So we've configured OpenVPN with an enterprise cert auth - and the authentication succeeds, however when we are trying to connect, it appears to be stuck in a loop without any reason for resetting the connection. Here is the log from OpenVPN:

Fri Mar 15 16:13:56 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Fri Mar 15 16:13:56 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Mar 15 16:13:56 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Fri Mar 15 16:13:56 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Fri Mar 15 16:13:56 2019 Need hold release from management interface, waiting...
Fri Mar 15 16:13:57 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'state on'
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'log all on'
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'echo all on'
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'bytecount 5'
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'hold off'
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'hold release'
Fri Mar 15 16:13:57 2019 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Mar 15 16:13:57 2019 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Mar 15 16:13:57 2019 MANAGEMENT: >STATE:1552626837,RESOLVE,,,,,,
Fri Mar 15 16:13:57 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
Fri Mar 15 16:13:57 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Mar 15 16:13:57 2019 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
Fri Mar 15 16:13:57 2019 MANAGEMENT: >STATE:1552626837,TCP_CONNECT,,,,,,
Fri Mar 15 16:13:58 2019 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Fri Mar 15 16:13:58 2019 TCP_CLIENT link local: (not bound)
Fri Mar 15 16:13:58 2019 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Fri Mar 15 16:13:58 2019 MANAGEMENT: >STATE:1552626838,WAIT,,,,,,
Fri Mar 15 16:13:58 2019 MANAGEMENT: >STATE:1552626838,AUTH,,,,,,
Fri Mar 15 16:13:58 2019 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:443, sid=bdd68f7c 804b05a6
Fri Mar 15 16:13:58 2019 VERIFY OK: depth=2, C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Fri Mar 15 16:13:58 2019 VERIFY OK: depth=1, C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Fri Mar 15 16:13:58 2019 VERIFY KU OK
Fri Mar 15 16:13:58 2019 Validating certificate extended key usage
Fri Mar 15 16:13:58 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Mar 15 16:13:58 2019 VERIFY EKU OK
Fri Mar 15 16:13:58 2019 VERIFY X509NAME OK: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=xxx.vpn.azure.com
Fri Mar 15 16:13:58 2019 VERIFY OK: depth=0, C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=xxx.vpn.azure.com
Fri Mar 15 16:14:13 2019 Connection reset, restarting [0]
Fri Mar 15 16:14:13 2019 SIGUSR1[soft,connection-reset] received, process restarting
Fri Mar 15 16:14:13 2019 MANAGEMENT: >STATE:1552626853,RECONNECTING,connection-reset,,,,,
Fri Mar 15 16:14:13 2019 Restart pause, 5 second(s)
Fri Mar 15 16:14:17 2019 SIGTERM[hard,init_instance] received, process exiting
Fri Mar 15 16:14:17 2019 MANAGEMENT: >STATE:1552626857,EXITING,init_instance,,,,,


I've found this website for reference, and have already tried the suggestions in it:

https://social.msdn.microsoft.com/Forums/azure/en-US/023b18e1-877e-4ec9-b118-408bbcc95701/looping-connection-reset-in-openvpn-client-when-connecting-to-azure-p2s-gateway?forum=WAVirtualMachinesVirtualNetwork


But still getting the same issues.

Any assistance would be greatly appreciated!



Can't establish Point-to-Site OpenVPN connection to Azure (keeps resetting)

Can't figure out what's happening. Looks like Azure gateway keeps resetting the connection but no idea why. Can't find any logs in Azure to check either.

Config file downloaded from Azure, so it should be correct. Certs seem to be working fine as well as authentication passes. But when it comes to establishing the tunnel link, the connection is reset.

OpenVPN client log:

Mon Jan 28 16:43:31 2019 MANAGEMENT: >STATE:1548693811,RESOLVE,,,,,,
Mon Jan 28 16:43:31 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:43:31 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Jan 28 16:43:31 2019 Attempting to establish TCP connection with [AF_INET]51.xxx.xxx.xxx:443 [nonblock]
Mon Jan 28 16:43:31 2019 MANAGEMENT: >STATE:1548693811,TCP_CONNECT,,,,,,
Mon Jan 28 16:43:32 2019 TCP connection established with [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:43:32 2019 TCP_CLIENT link local: (not bound)
Mon Jan 28 16:43:32 2019 TCP_CLIENT link remote: [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:43:32 2019 MANAGEMENT: >STATE:1548693812,WAIT,,,,,,
Mon Jan 28 16:43:32 2019 MANAGEMENT: >STATE:1548693812,AUTH,,,,,,
Mon Jan 28 16:43:32 2019 TLS: Initial packet from [AF_INET]51.xxx.xxx.xxx:443, sid=21add8ff 47fc7a94
Mon Jan 28 16:43:33 2019 VERIFY OK: depth=2, C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Mon Jan 28 16:43:33 2019 VERIFY OK: depth=1, C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Mon Jan 28 16:43:33 2019 VERIFY KU OK
Mon Jan 28 16:43:33 2019 Validating certificate extended key usage
Mon Jan 28 16:43:33 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jan 28 16:43:33 2019 VERIFY EKU OK
Mon Jan 28 16:43:33 2019 VERIFY X509NAME OK: C=US, ST=Washington, L=Red    Mond, O=Microsoft Corporation, CN=aaa.vpn.azure.com
Mon Jan 28 16:43:33 2019 VERIFY OK: depth=0, C=US, ST=Washington, L=Red    Mond, O=Microsoft Corporation, CN=aaa.vpn.azure.com
Mon Jan 28 16:43:56 2019 Connection reset, restarting [0]
Mon Jan 28 16:43:56 2019 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jan 28 16:43:56 2019 MANAGEMENT: >STATE:1548693836,RECONNECTING,connection-reset,,,,,
Mon Jan 28 16:43:56 2019 Restart pause, 5 second(s)
Mon Jan 28 16:44:01 2019 MANAGEMENT: >STATE:1548693841,RESOLVE,,,,,,
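
A triage helper for the two client logs above, added here as an example and not part of either post: for each `Connection reset` it reports the last handshake stage the client logged and how long it then waited, which shows whether every attempt fails at the same point. The function names, stage labels and the sample log are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the client logs quoted above: two connection
# attempts, addresses redacted the same way. Not copied verbatim from either post.
SAMPLE_LOG = """\
Mon Jan 28 16:43:32 2019 TCP connection established with [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:43:32 2019 TLS: Initial packet from [AF_INET]51.xxx.xxx.xxx:443, sid=00000000 00000000
Mon Jan 28 16:43:33 2019 VERIFY OK: depth=0, C=US, O=Microsoft Corporation, CN=aaa.vpn.azure.com
Mon Jan 28 16:43:56 2019 Connection reset, restarting [0]
Mon Jan 28 16:43:56 2019 Restart pause, 5 second(s)
Enter Management Password:
Mon Jan 28 16:44:02 2019 TCP connection established with [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:44:02 2019 TLS: Initial packet from [AF_INET]51.xxx.xxx.xxx:443, sid=00000000 00000001
Mon Jan 28 16:44:03 2019 VERIFY OK: depth=0, C=US, O=Microsoft Corporation, CN=aaa.vpn.azure.com
Mon Jan 28 16:44:26 2019 Connection reset, restarting [0]
"""

# OpenVPN prefixes each line with a ctime-style timestamp.
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")

# Ordered progress markers a client prints on the way to a working tunnel.
STAGES = [
    ("tcp_connected", "TCP connection established"),
    ("tls_started", "TLS: Initial packet"),
    ("server_cert_verified", "VERIFY OK: depth=0"),
    ("tunnel_up", "Initialization Sequence Completed"),
]


def find_resets(log_text):
    """Return one record per 'Connection reset' with the last stage reached before it."""
    resets = []
    stage, stage_time = "none", None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts such as "Enter Management Password:" carry no timestamp
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        for name, marker in STAGES:
            if msg.startswith(marker):
                stage, stage_time = name, when
        if msg.startswith("Connection reset"):
            waited = int((when - stage_time).total_seconds()) if stage_time else None
            resets.append({"at": m.group(1), "last_stage": stage, "seconds_waited": waited})
            stage, stage_time = "none", None  # the next attempt starts from scratch
    return resets


def is_reset_loop(resets):
    """True when two or more attempts died at the same stage and the tunnel never came up."""
    stages = {r["last_stage"] for r in resets}
    return len(resets) >= 2 and len(stages) == 1 and "tunnel_up" not in stages


if __name__ == "__main__":
    for record in find_resets(SAMPLE_LOG):
        print(record)
    print("reset loop:", is_reset_loop(find_resets(SAMPLE_LOG)))
```

A `last_stage` of `server_cert_verified` on every attempt means the client accepted the gateway's certificate chain and the connection was closed afterwards, so the server certificate itself is not what is failing.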

S2S VPN between Azure and Cisco ASA 8.2

I'm trying to create an IPSec site-to-site VPN between Azure and a Cisco ASA running 8.2.  I have to use 3des sha1 dh2 for encryption. The Cisco is at a shared data center. So I don't have the option to upgrade the device or its firmware.
I've created route-based and policy-based gateways in Azure. Neither type is able to connect. I've also used the sample script to configure the connection on the Cisco.
I'd appreciate help with making the connection work.

