Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

Can't establish Point-to-Site OpenVPN connection to Azure (keeps resetting)

Can't figure out what's happening. It looks like the Azure gateway keeps resetting the connection, but I have no idea why. I can't find any logs in Azure to check either.

The config file was downloaded from Azure, so it should be correct. The certs seem to be working fine as well, as authentication passes. But when it comes to establishing the tunnel link, the connection is reset.

OpenVPN client log:

Mon Jan 28 16:43:31 2019 MANAGEMENT: >STATE:1548693811,RESOLVE,,,,,,
Mon Jan 28 16:43:31 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:43:31 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Jan 28 16:43:31 2019 Attempting to establish TCP connection with [AF_INET]51.xxx.xxx.xxx:443 [nonblock]
Mon Jan 28 16:43:31 2019 MANAGEMENT: >STATE:1548693811,TCP_CONNECT,,,,,,
Mon Jan 28 16:43:32 2019 TCP connection established with [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:43:32 2019 TCP_CLIENT link local: (not bound)
Mon Jan 28 16:43:32 2019 TCP_CLIENT link remote: [AF_INET]51.xxx.xxx.xxx:443
Mon Jan 28 16:43:32 2019 MANAGEMENT: >STATE:1548693812,WAIT,,,,,,
Mon Jan 28 16:43:32 2019 MANAGEMENT: >STATE:1548693812,AUTH,,,,,,
Mon Jan 28 16:43:32 2019 TLS: Initial packet from [AF_INET]51.xxx.xxx.xxx:443, sid=21add8ff 47fc7a94
Mon Jan 28 16:43:33 2019 VERIFY OK: depth=2, C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Mon Jan 28 16:43:33 2019 VERIFY OK: depth=1, C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Mon Jan 28 16:43:33 2019 VERIFY KU OK
Mon Jan 28 16:43:33 2019 Validating certificate extended key usage
Mon Jan 28 16:43:33 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jan 28 16:43:33 2019 VERIFY EKU OK
Mon Jan 28 16:43:33 2019 VERIFY X509NAME OK: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=aaa.vpn.azure.com
Mon Jan 28 16:43:33 2019 VERIFY OK: depth=0, C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=aaa.vpn.azure.com
Mon Jan 28 16:43:56 2019 Connection reset, restarting [0]
Mon Jan 28 16:43:56 2019 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jan 28 16:43:56 2019 MANAGEMENT: >STATE:1548693836,RECONNECTING,connection-reset,,,,,
Mon Jan 28 16:43:56 2019 Restart pause, 5 second(s)
Mon Jan 28 16:44:01 2019 MANAGEMENT: >STATE:1548693841,RESOLVE,,,,,,


Missing documentation on max/default limit for public IP's on a single NIC in Azure


I haven't been able to find a maximum or default limit in the Azure documentation for the maximum number of public IP addresses that can be assigned to a single network interface. The private IP address maximum is 256, I believe, but I haven't seen anything for public IPs. I imagine it would be the same, but I just wanted to confirm. Thank you.

Is it possible to skip/postpone DNS validation when adding a custom hostname to an App Service or Front Door?


Hi All

Does anyone know of a way that we can complete the configuration of a custom hostname binding on an App Service-hosted website, or a Front Door front-end server, before the DNS has been configured?

We are looking at moving a significant number of sites over in the near future, and it would make the transition a lot smoother if we could configure the Azure end ready before the DNS records have been updated. I'm specifically concerned about users hitting the servers between when we update the DNS records and us getting everything configured on Az

Thanks in advance for any thoughts you have

Mark


Azure VPN Subnet capabilities


Looking for experts to chime in with design information on Azure VPN Gateway configurations. The current documentation (docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq) states that the subnet for a VPN gateway is recommended to be a /27 range, which in most cases will get you about 30 IP addresses. My question is specifically for planning and design: what would I use 30 IP addresses for (services, virtual NICs, other things?) in that subnet? The documentation already states I can't put VMs out there, so what IP-based services should I be planning for that will use up the /27 recommended range as opposed to a /28 or /28? What do I need to plan for that I am missing?

Murray

Traffic Manager issues - SSL monitoring endpoint and status descriptions


Hi,

We're using the Traffic Manager CTP on our current project and have a couple of issues.  Not sure how to raise these formally (if we even can?) so thought I'd raise them here for now!

The first and main issue is to do with the Monitoring Endpoint configuration. We only expose our public service endpoints over SSL on port 443; however, this is causing issues with the monitoring capabilities in Traffic Manager. I've configured the protocol (HTTPS), port (443) and relative path, and I can browse to this path fine, however Traffic Manager always reports the service as 'Offline'. It works fine with services exposed over HTTP.

One thought on a cause may be that the call is failing due to an invalid SSL certificate?  Our services have SSL certs for their relevant external domain, however when accessed at myservice.cloudapp.net the SSL cert is obviously invalid.

So, is this a known issue? If so, does anyone know if a fix is planned? And are there any work-arounds (other than exposing the services on port 80 just to get the monitoring to work!)?

The second point is a minor one to do with terminology, if you have a policy with a single hosted service, and that service shows as 'Offline', the policy status only shows as 'Degraded', however perhaps that should also show 'Offline' if all services are in that state?

Thanks in advance for any feedback!

Ben

Unable to delete Virtual Network, Network Interface, VirtualNetworkTap


I have a virtual network "abc" created with connected devices, a subnet (default) and an address space.

I also have a network interface "xyz" created in virtual network "abc" with the default subnet and a network tap.

All of the above resources are in a single resource group. I want to delete the resource group with all its resources, not even deleting any resources individually.

Please help me out with these issues.

Using Azure firewall's private IP for routing to VNET resources


Hi,

I just wanted to know whether we can use the Azure Firewall's private IP to route to resources located in the same VNET.

In our scenario we have one VNET, and in it there are 2 subnets communicating with each other using private addresses. So is it good practice to place the firewall between those subnets?

Thanks,

Pradeep

Azure Active/Active VPN with Dual FortiGate Firewalls


Hi

We are trying to create a redundant VPN configuration. 

- We have one Active/Active VPN Gateway in Azure with two public IPs and BGP enabled

- We have two FortiGate firewalls configured in an Active/Active configuration, with the internet connection terminated on both firewalls, hence having two public IPs as well.

We are trying to create two Site-to-Site VPNs to Azure from each of the public IPs on the FortiGate firewalls.

The idea is that if one of the Azure gateways, one of the firewalls or one of the ISPs goes offline, we still have connectivity.

We have successfully configured two VPN tunnels for each public IP on the firewall to both Azure gateways (Active/Active) using BGP.

The problem is traffic flow, where we have intermittent drops and are unable to communicate with virtual machines

where VM in that VNet is trying to send traffic via one gateway while BGP in Azure is trying to talk to firewall using the second gateway and vice versa.


Does anyone have any experience with Azure Active/Active VPN and FortiGate Active/Active firewalls using BGP? Any help would be great.

Thanks.

Regards

SCTP on Azure VNet S2S connection


Hello All

I am working on a project to migrate a telco software to Azure and I have a specific technical question in this context.

  1. Does a direct ExpressRoute connection between a corporate on-premises network and an Azure VNet allow/support SCTP (Stream Control Transmission Protocol)?
  2. If not, does a VPN Site-to-Site connection allow/support SCTP?
  3. Can we create an IPSec tunnel on either of these connections?

Thanks in advance
Ravi

Error associating hub and site


Hi,

I am creating a new MS Wan. When I try to associate the site and hub, I receive the following error:

{ "status": "Failed", "error": { "code": "ResourceDeploymentFailure", "message": "The resource operation completed with terminal provisioning state 'Failed'.", "details": [ { "code": "ConnectionOverlappingAddressSpaces", "message": "This gateway connection creates an address space overlap between two networks. The overlapping addresses are '10.1.100.0/24' and '10.1.100.0/24'.", "details": [] } ] } }

Has anyone seen this? When I try to change the overlapping IP, it won't let me.

Migrating from Classic Cloud Service - With Reserved IP Address


Hello,

I have a classic Cloud Service Web App that is utilizing a Reserved IP Address. We offer LDAP authentication as an option, and we provide the Reserved IP address so our customers can whitelist the address. 

I'm migrating to an ARM App Service, and would like to bring that Reserved IP address along. Is that possible?

Thanks for the help!

VM in VNet connected to ExpressRoute can't connect to internet


Hi all, I have an ExpressRoute connecting an on-prem network to a VNet. I have an Ubuntu VM in that VNet which I can successfully SSH to, ping, etc. from my workstation. However, this VM cannot access the internet. I can't see anything in the NSG attached to the VNet that appears to be blocking outgoing traffic, but I'm no expert at this, so who knows. FYI, the VM does not have a public IP (dictated by policy) and has a static local IP.

How can I start debugging blocked outgoing traffic from a VM?

Is there a MaxRequestHeadersTotalSize setting for Azure Application Gateway?


Our AKS cluster is now "fronted" with an Azure Application Gateway.

When I log in to our custom ASP.NET Core 3.0 app with Azure AD authentication, I get:

400 Bad Request
Request Header Or Cookie Too Large
Microsoft-Azure-Application-Gateway/v2

Previously, when running in Web Apps for Containers, we were able to resolve that issue with the following Kestrel setting:

.ConfigureKestrel((context, options) =>
{
    options.Limits.MaxRequestHeadersTotalSize = 50 * 1024;
})

So is this a setting that is available in the Application Gateway as well?

--

Apart from that, my colleagues are not having this issue, so it seems to be linked to all the claims/groups in Azure AD associated with my AD account. Filtering the claims in the cookies sent back and forth could be a more future-proof solution, although that is off-topic here ;)

--

cfr. https://twitter.com/IBruyninckx/status/1148255152157184001?s=20

VNet Peering across Azure Tenant


Hi,

One of my customers wants to connect two Azure VNETs between their tenant and the tenant of one of their business partners. Can we use VNet Peering? Azure VPN Gateway has bandwidth limitations, and they need to exchange streams over a 10 Gb line.

Any advice or recommendation?

Thanks

Christophe

How do you block a URL path with Azure Application Gateway?


I'm currently testing out Azure Application Gateway (Standard v2).

What I'm trying to do is block/blackhole/reject traffic that hits example.com/manager/, example.com/admin/*, etc.

I'm sure this probably could be done with an additional web server and path-based rules pointing to it, but that seems a bit excessive for what I'm hoping would be native functionality or options to take care of this.

I found a post on TechNet that asked a very similar question, but unfortunately has no answer. https://social.technet.microsoft.com/Forums/en-US/d5093237-36ce-4082-99c9-f14dd3faf715/block-a-url-path-with-azure-application-gateway?forum=websitesvirtualmachinesonwinserver&prof=required

Thank you!


Is there a way to kill a P2S client connection - before we revoke a client cert?


We have a client (on Azure classic) using P2S VPN; each client has their own client cert on the SSTP VPN. For a fired employee, how do we immediately kill the VPN "connection" for that one user, so that when they try to reconnect, our revoked cert takes over to block them? During all this we would be removing rights to server resources, but we want to kill the VPN connection at the same time.

Too many 500 error responses while setting reverse-dns


I am trying to set up reverse DNS for one of my public IPs, but I am getting this error:

request failed: Error occurred in request., RetryError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /subscriptions/xxxxxx/resourceGroups/xxxxx/providers/Microsoft.Network/publicIPAddresses/xxxx?api-version=2019-04-01 (Caused by ResponseError('too many 500 error responses',))

This is the command I am using (I already have a DNS label set up):

az network public-ip update --resource-group xxxx --name xxxx --reverse-fqdn xxxx

Please help. Thanks!

I replaced the original values by xxxx ;)

Network Watcher Connection troubleshooter internal server error occurred


I am exploring Network Watcher and getting the following errors. None of the errors is really helpful for understanding what the issue is. I have installed the Network Watcher agent and enabled Network Watcher for the region.

I have created a new connection monitor, but it is not getting started and says an error occurred.

I am trying to troubleshoot the connection between two virtual machines in the same subnet using the Network Watcher Connection troubleshooter, and I am getting an internal server error.

CNAME not recognized, cannot validate subdomain


Hi,

Despite adding a CNAME in the DNS user interface of my domain provider, I cannot validate a www subdomain for my website.

I correctly redirected the root domain using an A record and a TXT record, but when it comes to adding a CNAME, nothing changes: despite following the instructions correctly and waiting more than 48 hours, the button to add the domain on Azure is greyed out and the ownership of the domain is still labelled in red as missing. What is happening?

Can this be related to the datacenter choice I made for my App Service and database (North Europe instead of the default one)?

Thanks in advance for any help.

Web App Regional VNet integration Outbound IPs and Azure SQL Service Endpoints


Hi All,

I am trying to secure an Azure web app to Azure SQL (PaaS) using Regional VNet integration (new style) and service endpoints. I would like to turn off "Allow Azure services to access server" and allow the VNet to access the DB through the SQL firewall.

Can somebody who has tested this confirm whether calls from web apps to the Azure SQL DB come from the VNet or from the public IP when using the new Regional VNet integration?

I have seen 2 conflicting links:

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview#limitations


For Azure SQL Database, the virtual network rules feature has the following limitations:

  • A Web App can be mapped to a private IP in a VNet/subnet. Even if service endpoints are turned ON from the given VNet/subnet, connections from the Web App to the server will have an Azure public IP source, not a VNet/subnet source. To enable connectivity from a Web App to a server that has VNet firewall rules, you must Allow Azure services to access server on the server.

vs.

https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#regional-vnet-integration

Regional VNet Integration

When VNet Integration is used with VNets in the same region as your app, it requires the use of a delegated subnet with at least 32 addresses in it. The subnet cannot be used for anything else. Outbound calls made from your app will be made from the addresses in the delegated subnet. When you use this version of VNet Integration, the calls are made from addresses in your VNet.

Regards,

James
