Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

No traffic metric for Azure tunnel

Hello,

I have two site-to-site tunnels on my local site, connected to the same virtual gateway on my Azure vNET. When I send some traffic (both ways), the virtual gateway does show some ingress and egress traffic; however, both tunnels show no traffic at all. Other than that, the tunnels seem to be functioning correctly: I can communicate through them and the packets are encrypted and decrypted.

How could I see the traffic actually going through my tunnels?


App Service cannot access virtual machines behind VNET since 26th of March 2019

We have a website running under a web app service that is connected to a VNET. The VNET has a virtual machine with mongodb on it, and the 2 have been successfully communicating, but as of the 26th of March 2019 they suddenly cannot.

I get a connection timeout after 30ms now. We have not changed anything on Azure but suddenly they cannot communicate.

Spent all day trying to figure it out with no luck.

Any ideas?

EDIT: Adding a public IP to the mongodb virtual machine fixes the issue but is very undesirable, and we would like to continue using private IPs over the VNET if possible.

Change or custom Mac Address in Azure VM

Hello, first of all, I'm sorry, my English is very bad.

At the company where I work, we are evaluating moving a network of computers to the Azure cloud. I have an Azure test license and I already have several virtual computers created, but I have a problem: I cannot transfer the MAC addresses of the real computers to the virtual ones.

This is very important, since we need those MAC addresses for software licenses and for access to databases of another company that registers the MAC addresses on their servers, so they can only be accessed from the PC that has said MAC.

I looked in all the options and I cannot find an option to change the MAC address, which is very important.

Any ideas?

Getting "ERR_CONNECTION_REFUSED" when trying to access my kubernetes external IP via the internet.

I am testing the Azure Kubernetes Services for my company by creating a test application. I have used the Azure CLI to create my application by following the tutorials. When I use the command kubectl get service reset-script, I get the following output (reset-script is the name of the sample app):

NAME           TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)        AGE
reset-script   LoadBalancer   10.0.223.183   13.68.224.119   80:31457/TCP   2h

When I try to access http://13.68.224.119 I get ERR_CONNECTION_REFUSED. Any help would be greatly appreciated.

unable to delete VNET

Hi Community,

Don't be scared by the title, please!

I've checked all the Google results, but no luck. I clearly can't see any connected devices or any dependencies. My resource list:

C:\Users\StankoStan>az resource list --output table
Name                       ResourceGroup     Location    Type                                     Status
-------------------------  ----------------  ----------  ---------------------------------------  --------
NetworkWatcher_westeurope  NetworkWatcherRG  westeurope  Microsoft.Network/networkWatchers
TestBackupNSG              mygroup           westeurope  Microsoft.Network/networkSecurityGroups
MyNet-vnet                 mygroup           westeurope  Microsoft.Network/virtualNetworks
Mytstorage                 mygroup           westeurope  Microsoft.Storage/storageAccounts

So MyNet-vnet is constantly refusing to be deleted, either via portal or CLI, and sometimes it takes 10-15 minutes to complete (fail). Please advise,

Stan


Looping Connection Reset in OpenVPN with cert auth

Hi guys,


I'm wondering if anyone has hit this issue before or knows where to try and look? So we've configured OpenVPN with an enterprise cert auth - and the authentication succeeds, however when we are trying to connect, it appears to be stuck in a loop without any reason for resetting the connection. Here is the log from OpenVPN:

Fri Mar 15 16:13:56 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Fri Mar 15 16:13:56 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Mar 15 16:13:56 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Fri Mar 15 16:13:56 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Fri Mar 15 16:13:56 2019 Need hold release from management interface, waiting...
Fri Mar 15 16:13:57 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'state on'
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'log all on'
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'echo all on'
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'bytecount 5'
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'hold off'
Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'hold release'
Fri Mar 15 16:13:57 2019 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Mar 15 16:13:57 2019 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Mar 15 16:13:57 2019 MANAGEMENT: >STATE:1552626837,RESOLVE,,,,,,
Fri Mar 15 16:13:57 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
Fri Mar 15 16:13:57 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Mar 15 16:13:57 2019 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
Fri Mar 15 16:13:57 2019 MANAGEMENT: >STATE:1552626837,TCP_CONNECT,,,,,,
Fri Mar 15 16:13:58 2019 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Fri Mar 15 16:13:58 2019 TCP_CLIENT link local: (not bound)
Fri Mar 15 16:13:58 2019 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Fri Mar 15 16:13:58 2019 MANAGEMENT: >STATE:1552626838,WAIT,,,,,,
Fri Mar 15 16:13:58 2019 MANAGEMENT: >STATE:1552626838,AUTH,,,,,,
Fri Mar 15 16:13:58 2019 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:443, sid=bdd68f7c 804b05a6
Fri Mar 15 16:13:58 2019 VERIFY OK: depth=2, C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Fri Mar 15 16:13:58 2019 VERIFY OK: depth=1, C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Fri Mar 15 16:13:58 2019 VERIFY KU OK
Fri Mar 15 16:13:58 2019 Validating certificate extended key usage
Fri Mar 15 16:13:58 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Mar 15 16:13:58 2019 VERIFY EKU OK
Fri Mar 15 16:13:58 2019 VERIFY X509NAME OK: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=xxx.vpn.azure.com
Fri Mar 15 16:13:58 2019 VERIFY OK: depth=0, C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=xxx.vpn.azure.com
Fri Mar 15 16:14:13 2019 Connection reset, restarting [0]
Fri Mar 15 16:14:13 2019 SIGUSR1[soft,connection-reset] received, process restarting
Fri Mar 15 16:14:13 2019 MANAGEMENT: >STATE:1552626853,RECONNECTING,connection-reset,,,,,
Fri Mar 15 16:14:13 2019 Restart pause, 5 second(s)
Fri Mar 15 16:14:17 2019 SIGTERM[hard,init_instance] received, process exiting
Fri Mar 15 16:14:17 2019 MANAGEMENT: >STATE:1552626857,EXITING,init_instance,,,,,


I've found this website for reference, and have already tried the suggestions in it:

https://social.msdn.microsoft.com/Forums/azure/en-US/023b18e1-877e-4ec9-b118-408bbcc95701/looping-connection-reset-in-openvpn-client-when-connecting-to-azure-p2s-gateway?forum=WAVirtualMachinesVirtualNetwork


But still getting the same issues.

Any assistance would be greatly appreciated!



RDP copying issues

Hi guys,

I seem to be hitting an interesting issue with my Azure environment. When RDPing into my servers, it appears that any files which are larger than a certain size throw up issues during copy/paste from my local machine. I'm going over a VPN and the RDP is fine - the moment I try to copy something (say, over 10MB), I receive an error:

An unexpected error is keeping you from copying the file. If you continue to receive this error, you can use the error code to search for help with this problem.

Error 0x800703E3: The I/O operation has been aborted because of either a thread exit or an application request.

After hitting re-try, I get "Out of memory - There is not enough memory to complete this operation."

Any ideas/tips? I've tried to have a look around, but I couldn't really find anything concrete.

Design validation, Can I use NVA only for S2S VPN connection without Azure VPN Gateway?

Currently we have on-premise infra and have 90 VPN connections to branch sites; we use the Sophos firewall's VPN feature to build VPN tunnels.

We are shifting our workloads to Azure IaaS, so the existing 90 branch sites will need to connect to that Azure IaaS with S2S VPN.

I would like to know if we can use the Sophos firewall's VPN feature (which is available in Azure Marketplace) without Azure VPN Gateway.

The reason is: Azure VPN Gateway has a limitation (only 1 VPN Gateway can exist in one VNet, and VpnGw3 supports max. 30* S2S tunnels). We have more than 30 branch sites, so we think it's not possible to use Azure VPN Gateway.

All ideas are welcome. I would much appreciate it if anyone could provide me with a feasible design and possible ways for this case.



Change the VNG of a VNET

Hi all,

Is there a way to change the VNG of a VNET? It seems the VNG is attached to the VNET on creation, so is it not possible to change the VNET afterwards?

The scenario is this: We have an existing setup with a VNG which is used with S2S VPN to an on-premises FW. We have created another VNG for a test VNET where we have deployed NVAs with SD-WAN functionality. We now want to migrate to this VNG but I'm not finding a way to detach a VNG and attach another. Am I missing something?

Thanks.

Azure VPN MTU setting

Hi,

What is the default value of Azure Site-to-Site VPN gateway?

Is this configurable? Where can I change this value?

Please help.

Regards

Thahif

Connecting client Machines using my VNET

Hello,

I recently created a VNET in Azure. I have a couple of machines successfully connected to my VNET but I cannot get them to connect to each other via RDP. My machines are connected to different Wi-Fi networks at different locations and I want to be able to RDP from one into another (which is why I set up a VPN to begin with). Any ideas on what I may need to do to accomplish this? Right now I have a VNET, VNETGateway and VNETGatewaypip set up. Am I missing anything in my architecture?

Thanks, 

Connectivity to Azure VMs over RDP intermittently throws Internal Error

Hello,

We have hosted our RDS farm and ERP servers in Azure. Our on-prem users connect to the RDS farm to access files and ERP applications over a site-to-site VPN.

For the last couple of days we have experienced a very strange situation: intermittently, Remote Desktop connectivity drops for only some users, and when they try to reconnect it gives an "Internal Error" message. PING and PSPING to port 3389 on the destination VM get through even while the issue is occurring, but when the user tries to connect it gives INTERNAL ERROR.

As a temporary solution I either change the LAN IP of the affected user's PC or disconnect and reconnect the site-to-site VPN link.

Soon after either of the above temporary solutions, users can connect to the RDS farm.

I would appreciate it if anyone could share with me a way to fix the issue completely.

Regards,

Nishantha. 

Error when creating Application gateway with PS

$resGroupName = "XXXX-APIM-prj-RG"
$location = "westeurope"
$vnet = Get-AzVirtualNetwork -Name AKWA_VN -ResourceGroupName XXX-APIM-prj-RG
$gatewayHostname = "api.XXXX.com" # API gateway host
$portalHostname = "portal.XXXX.com" # API developer portal host
#$CertCerPath = Get-Content -LiteralPath C:\akwa\akwagroupcert.cer -Force -Raw # full path to api.contoso.net .cer file
$CertPfxPath = "C:\akwa\XXXX.cer"
$CertPfxPath = "C:\akwa\XXXX.pfx" # full path to api.contoso.net .pfx file
$CertPassword = ConvertTo-SecureString -String XXXX -AsPlainText -Force # password for api.contoso.net pfx certificate
$appgatewaysubnetdata = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name AKWAGW_Subnet
$publicip = New-AzPublicIpAddress -ResourceGroupName $resGroupName -name "appGWPIP01" -location $location -AllocationMethod Dynamic
$gipcogipconfignfig = New-AzApplicationGatewayIPConfiguration -Name "gatewayIP01" -SubnetId $appgatewaysubnetdata
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port01" -Port 443
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "frontend1" -PublicIPAddress $publicip
$cert = New-AzApplicationGatewaySslCertificate -Name "akwacert01" -CertificateFile $CertPfxPath -Password $CertPassword
$listener = New-AzApplicationGatewayHttpListener -Name "listener01" -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $cert -HostName $gatewayHostname -RequireServerNameIndication true
$portalListener = New-AzApplicationGatewayHttpListener -Name "listener02" -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $cert -HostName $portalHostname -RequireServerNameIndication true
$apimprobe = New-AzApplicationGatewayProbeConfig -Name "apimproxyprobe" -Protocol "Https" -HostName $gatewayHostname -Path "/status-0123456789abcdef" -Interval 30 -Timeout 120 -UnhealthyThreshold 8
$apimPortalProbe = New-AzApplicationGatewayProbeConfig -Name "apimportalprobe" -Protocol "Https" -HostName $portalHostname -Path "/signin" -Interval 60 -Timeout 300 -UnhealthyThreshold 8
$authcert = New-AzApplicationGatewayAuthenticationCertificate -Name 'whitelistcert1' -CertificateFile C:\akwa\akwagroup.com.cer
$apimPoolSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolSetting" -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimprobe -AuthenticationCertificates $authcert -RequestTimeout 180
$apimPoolPortalSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolPortalSetting" -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimPortalProbe -AuthenticationCertificates $authcert -RequestTimeout 180
$apimService = Get-AzApiManagement -ResourceGroupName $resGroupName
$apimProxyBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "apimbackend" -BackendIPAddresses $apimService.PrivateIPAddresses[0]
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType Basic -HttpListener $listener -BackendAddressPool $apimProxyBackendPool -BackendHttpSettings $apimPoolSetting
$rule02 = New-AzApplicationGatewayRequestRoutingRule -Name "rule2" -RuleType Basic -HttpListener $portalListener -BackendAddressPool $apimProxyBackendPool -BackendHttpSettings $apimPoolPortalSetting
$sku = New-AzApplicationGatewaySku -Name "WAF_Medium" -Tier "WAF" -Capacity 1
$config = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode "Prevention"
$appgwName = "akwa-app-gw"
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName -Location $location -BackendAddressPools $apimProxyBackendPool -BackendHttpSettingsCollection $apimPoolSetting, $apimPoolPortalSetting -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 -HttpListeners $listener, $portalListener -RequestRoutingRules $rule01, $rule02 -Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $cert -AuthenticationCertificates $authcert -Probes $apimprobe, $apimPortalProbe -Verbose
#$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName -Location $location -BackendAddressPools $apimProxyBackendPool -BackendHttpSettingsCollection $apimPoolSetting, $apimPoolPortalSetting -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 -HttpListeners $listener, $portalListener -RequestRoutingRules $rule01, $rule02 -Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $cert -TrustedRootCertificate $cert -Probes $apimprobe, $apimPortalProbe -Verbose
Get-AzPublicIpAddress -ResourceGroupName $resGroupName -Name "publicIP01"

The above is my script, but I face the below error:

New-AzApplicationGateway : Cannot parse the request.
At line:1 char:10
+ $appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName ...
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzApplicationGateway], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.NewAzureApplicationGatewayCommand

VPN gateway unreachable

Hello,

I have a site-to-site VPN connection to a UBNT EdgeRouter that was working for several months but just broke. There have been no configuration changes since it was configured initially.

Here are screenshots of some diagnostics:

[Screenshots: Resource health; Network Watcher]

Can anyone recommend troubleshooting steps? I'm not well-versed in this area and just gathered the minimum knowledge to configure the connection initially, which I have now forgotten since I haven't revisited it in a long time.

Thank you,

Mitch

local network gateway vs virtual network gateway

Hi

I'm trying to set up a VPN in an Azure virtual network but I can't find anything on the differences between a local network gateway and a virtual network gateway. The only difference I can find is in the store description. The virtual network gateway seems to say that a 99.9% SLA and ExpressRoute are supported, while the local one doesn't mention this. Is this the only difference between the two? I want to use one of these gateways for connecting multiple pfSense boxes in physical locations to the Azure network via OpenVPN.

Thanks in advance 


Abdullah Seba


Need Best practices on VPN

We are in the process of designing a cloud platform for a customer and they have multiple physical sites they would like to connect to the proposed Azure cloud platform.  They also have several traveling users that will need to connect to this proposed virtual network while on the road.  Does MS support have a recommended VPN solution that would  best fit our need?  Obviously we are looking for a solution with the lowest maintenance.

Any suggestions\best practices team?

Error during DCPromo - Specified network name is no longer available

During DCPromo, the below error appears:

Verification of replica failed. The wizard cannot access the list of domains in the forest. The error is : 

The specified network name is no longer available

Azure DNS name resolution doesn't work.

I'm using Azure DNS and my SOA/MX records have suddenly stopped working. They were propagated and working previously, but today they are suddenly not showing up when using "dig" or any DNS checker.

How to change DNS

Change DNS on gateway w/o breaking connection --- We would like to completely update the DNS on our gateway (remove all/both current IPs and add two new ones). However, we do not wish to rebuild the connection and we are trying to mitigate downtime.

Any suggestions, please?

Azure site to site vpn with RRAS and forced tunneling

I have established an S2S VPN between an Azure VNet and on-premises RRAS. I want all Azure traffic to go through RRAS, including internet traffic. I have tried adding a user-defined route to send all traffic to RRAS, but RRAS is not forwarding the traffic to the internet. The RRAS server has one NIC in our DMZ, which is also the VPN endpoint, and it can reach the internet itself.