Troubleshoot VPN virtual network gateways and connections using the Azure CLI
In this article, you learn how to use Network Watcher VPN troubleshoot capability to diagnose and troubleshoot VPN virtual network gateways and their connections to solve connectivity issues between your virtual network and on-premises network. VPN troubleshoot requests are long running requests, which could take several minutes to return a result. The logs from troubleshooting are stored in a container on a storage account that is specified.
Prerequisites
An Azure account with an active subscription. create an account for free.
A Network Watcher enabled in the region of the virtual network gateway. For more information, see Enable or disable Azure Network Watcher.
A virtual network gateway. For more information, see Supported gateway types.
Azure Cloud Shell or Azure CLI.
The steps in this article run the Azure CLI commands interactively in Azure Cloud Shell. To run the commands in the Cloud Shell, select Open Cloud Shell at the upper-right corner of a code block. Select Copy to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.
You can also install Azure CLI locally to run the commands. If you run Azure CLI locally, sign in to Azure using the az login command.
Troubleshoot using an existing storage account
In this section, you learn how to troubleshoot a VPN virtual network gateway or a VPN connection using an existing storage account.
Use az storage account show to retrieve the resource ID of the storage account. Then use az network watcher troubleshooting start to start troubleshooting the VPN gateway.
# Place the storage account ID into a variable.
storageId=$(az storage account show --name 'mystorageaccount' --resource-group 'myResourceGroup' --query 'id' --output tsv)
# Start VPN troubleshoot session.
az network watcher troubleshooting start --resource-group 'myResourceGroup' --resource 'myGateway' --resource-type 'vnetGateway' --storage-account $storageId --storage-path 'https://mystorageaccount.blob.core.windows.net/{containerName}'
After the troubleshooting request is completed, Healthy or UnHealthy is returned with action text that provides general guidance on how to resolve the issue. If an action can be taken for the issue, a link is provided with more guidance.
Additionally, detailed logs are stored in the storage account container you specified in the previous command. For more information, see Log files. You can use Storage explorer or any other way you prefer to access and download the logs. For more information, see Get started with Storage Explorer.
Troubleshoot using a new storage account
In this section, you learn how to troubleshoot a VPN virtual network gateway or a VPN connection using a new storage account.
Use az storage account create and az storage container create to create a new storage account and a container respectively. Then, use az network watcher troubleshooting start to start troubleshooting the VPN gateway.
# Create a new storage account.
az storage account create --name 'mystorageaccount' --resource-group 'myResourceGroup' --location 'eastus' --sku 'Standard_LRS'
# Get the storage account keys.
az storage account keys list --resource-group 'myResourceGroup' --account-name 'mystorageaccount'
# Create a container.
az storage container create --account-name 'mystorageaccount' --account-key {storageAccountKey} --name 'vpn'
# Start VPN troubleshoot session.
az network watcher troubleshooting start --resource-group 'myResourceGroup' --resource 'myGateway' --resource-type 'vnetGateway' --storage-account 'mystorageaccount' --storage-path 'https://mystorageaccount.blob.core.windows.net/vpn'
After the troubleshooting request is completed, Healthy or UnHealthy is returned with action text that provides general guidance on how to resolve the issue. If an action can be taken for the issue, a link is provided with more guidance.
Additionally, detailed logs are stored in the storage account container you specified in the previous command. For more information, see Log files. You can use Storage explorer or any other way you prefer to access and download the logs. For more information, see Get started with Storage Explorer.
Related content
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for