
Tuesday, April 21, 2015

Diagnose Site to Site VPN to Microsoft Azure

When you move to a hybrid cloud, the first thing you need to configure is a site-to-site VPN between the on-premises firewall and the Azure VPN Gateway. Most of the time the configuration on the Azure side is straightforward, and it is completed before the firewall team is asked to configure the on-premises firewall.

Out of the many deployments we have done, we found that some have problems establishing the connection, and the first question that comes up is:

Q1. How do I verify or check the logs on Azure for troubleshooting purposes?

Hmm… the only way to troubleshoot and diagnose this at the moment is by using PowerShell cmdlets.

So far the best option is the script from the Technet Gallery, available here. Here is one of the test scenarios we have run:

When you execute the script, you need to key in your Microsoft Account credentials, and it will list your Azure subscriptions. It then prompts you to:

  • Enter the subscription ID
  • Enter the storage container that will store the diagnostic log
  • Enter the local folder
  • Enter the virtual network you would like to diagnose
  • Enter the duration of the test


Once the diagnostic has started, RDP into an Azure VM and ping the on-premises network so that traffic crosses the gateway while the capture is running.

After the timeout, the diagnostic log is kept inside the storage account and a copy is stored on your local computer. Here are some screenshots of a sample result:
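As an added example (not the Technet Gallery script itself), the same steps scripted with the classic Azure Service Management PowerShell module that was current in 2015; the cmdlet names and the State/DiagnosticsUrl properties are assumed from that module, and every value in the param block is a placeholder you replace with your own.

```powershell
# Added example: automates the prompts the Technet script walks through
# (subscription, storage container, local folder, VNet, duration) with the
# classic Azure Service Management module. Cmdlet names are assumed from
# that module; all parameter values below are placeholders.
param(
    [string]$SubscriptionId     = '<subscription-id>',
    [string]$StorageAccountName = '<storage-account>',
    [string]$StorageAccountKey  = '<storage-account-key>',
    [string]$ContainerName      = 'vpndiag',
    [string]$LocalFolder        = 'C:\Temp\vpndiag',
    [string]$VNetName           = '<virtual-network-name>',
    [int]$DurationInSeconds     = 300
)

# Sign in interactively and pin the subscription that owns the VNet
Add-AzureAccount | Out-Null
Select-AzureSubscription -SubscriptionId $SubscriptionId

# Storage context for the container that will receive the capture
$ctx = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $StorageAccountKey
if (-not (Get-AzureStorageContainer -Name $ContainerName -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzureStorageContainer -Name $ContainerName -Context $ctx | Out-Null
}

# Start the gateway capture; ping from an Azure VM to on-premises while it runs
Start-AzureVNetGatewayDiagnostics -VNetName $VNetName -ContainerName $ContainerName `
    -StorageContext $ctx -CaptureDurationInSeconds $DurationInSeconds
Write-Host "Capture running for $DurationInSeconds s on the gateway of '$VNetName'..."

# Wait for the capture window plus a margin for the gateway to flush the log
Start-Sleep -Seconds ($DurationInSeconds + 60)
$diag = Get-AzureVNetGatewayDiagnostics -VNetName $VNetName
Write-Host "Diagnostics state: $($diag.State)  URL: $($diag.DiagnosticsUrl)"

# Copy every blob in the container to the local folder so the gateway log can
# be lined up with the on-premises firewall's IKE Main Mode / Quick Mode log
New-Item -ItemType Directory -Path $LocalFolder -Force | Out-Null
Get-AzureStorageBlob -Container $ContainerName -Context $ctx | ForEach-Object {
    Get-AzureStorageBlobContent -Blob $_.Name -Container $ContainerName `
        -Destination $LocalFolder -Context $ctx -Force | Out-Null
    Write-Host "Saved $($_.Name) to $LocalFolder"
}
```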


Do take note that this is the Azure Gateway Diagnostics log only. You still need to check the IPsec log on your on-premises firewall to see whether the Main Mode and Quick Mode connections were established, and when and where the connection drops. From there you can get a picture of the issue, understand the packet behaviour on the Azure side as well as on the VPN device side, and determine where the connectivity issue lies.