Troubleshooting Site-to-Site (S2S VPN) connections on HNV gateway

For diagnosing and troubleshooting issues on the Windows Server 2012 R2 Hyper-V Network Virtualization (HNV) gateway (GW), the following mechanisms are available:

This blog covers other tools that help in troubleshooting and diagnosing issues on HNV gateway.

Unified Tracing (UT)

Unified Tracing (UT) in Windows is enhanced for the HNV gateway in Windows Server 2012 R2 with the addition of a “VPNServer” scenario. Netsh is used to manage traces; the available scenarios are listed by the command “netsh trace show scenarios”.

Each scenario can have multiple providers that capture information, and the events from those providers can be correlated with each other. The command “netsh trace show scenario VPNServer” shows all the providers present in the “VPNServer” scenario.

To start tracing the VPN server, execute the command "netsh trace start scenario=VPNServer"; its output is shown below.

After the required operations have been performed, tracing can be stopped with the command "netsh trace stop"; its output is shown below.

Integration with Netmon and Message Analyzer

The trace files produced by Unified Tracing can be viewed with tools such as Netmon and Message Analyzer.

Following is the trace when a Site-to-Site (S2S) VPN connection is connected.

Following is the trace of ICMP packets exchanged between two machines.

Following is the trace when an S2S connection is disconnected.

In addition, the built-in trace scenarios within Message Analyzer can also be used to capture the traces.

First select a live trace, then select the VPN scenario, which loads all the respective ETW providers. The following screenshot illustrates this.

Starting the live trace enables all of those providers and begins capturing packets and events from each of them.

The following screenshot shows the response we get from a ping command.

Tracing packets going through S2S interfaces

In addition to the tracing information, packets going through VPN interfaces can be captured using the commands below:

  • netsh trace start provider=Microsoft-Windows-Ras-NdisWanPacketCapture

  • netsh trace stop

“netsh trace show providerFilterHelp Microsoft-Windows-Ras-NdisWanPacketCapture” shows the different kinds of filters that can be used.

“netsh trace show provider Microsoft-Windows-Ras-NdisWanPacketCapture” shows the keywords and levels on which filters can be set.

Filtering Traces

Tracing can also be enabled with filters. When filters are applied, only the matching packets show up in the capture log, so tracing can be restricted to a specified tenant or VPN connection.

The following command enables packet capture for two tenants with RoutingDomain {11111111-1111-1111-1111-111111111001} and {11111111-1111-1111-1111-111111111002}:

netsh trace start provider=Microsoft-Windows-Ras-NdisWanPacketCapture providerFilter=Yes RoutingDomain="({11111111-1111-1111-1111-111111111001},{11111111-1111-1111-1111-111111111002})"

To enable packet capture for a particular S2S VPN connection IfCe1, the VPN.UserName filter needs to be specified as shown below:

netsh trace start provider=Microsoft-Windows-Ras-NdisWanPacketCapture providerFilter=Yes VPN.UserName=IfCe1

Similarly, for packet capture of a dial-in VPN user JoeContoso, the user name should be specified as shown below:

netsh trace start provider=Microsoft-Windows-Ras-NdisWanPacketCapture providerFilter=Yes VPN.UserName=JoeContoso

Packet capture needs to be stopped with the command "netsh trace stop", and the resulting capture can be viewed in tools such as Netmon and Message Analyzer as described above.
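The filtered capture described in this section, wrapped in a PowerShell function as an added example (this is not code from the original post). It builds the same netsh command line shown above, validates the RoutingDomain GUIDs before starting so a typo cannot silently widen the capture to every tenant, and refuses to start an unfiltered capture. The tracefile/overwrite/maxsize/report options are standard "netsh trace start" parameters; the GUIDs and IfCe1 are the page's own sample values.

```powershell
function Start-S2SPacketCapture {
    [CmdletBinding()]
    param(
        # Tenant RoutingDomain GUIDs to filter on (sample values from the post).
        [string[]] $RoutingDomain,
        # S2S interface name (e.g. IfCe1) or dial-in user name for VPN.UserName.
        [string]   $UserName,
        # Where the ETL file is written; overwritten on each run.
        [string]   $TraceFile = "$env:TEMP\s2s-capture.etl",
        [int]      $MaxSizeMB = 256
    )

    $netshArgs = @(
        'trace', 'start',
        'provider=Microsoft-Windows-Ras-NdisWanPacketCapture',
        "tracefile=$TraceFile", 'overwrite=yes', "maxsize=$MaxSizeMB", 'report=no'
    )

    if ($RoutingDomain) {
        # Validate every GUID first: a malformed value would not match any
        # tenant, and an unfiltered capture would record all tenants' traffic.
        foreach ($rd in $RoutingDomain) {
            $parsed = [guid]::Empty
            if (-not [guid]::TryParse($rd, [ref]$parsed)) {
                throw "Not a valid RoutingDomain GUID: $rd"
            }
        }
        # netsh expects the list as ({guid1},{guid2}); normalise the braces.
        $list = ($RoutingDomain | ForEach-Object { '{' + $_.Trim('{}') + '}' }) -join ','
        $netshArgs += 'providerFilter=Yes'
        $netshArgs += "RoutingDomain=($list)"
    }
    elseif ($UserName) {
        $netshArgs += 'providerFilter=Yes'
        $netshArgs += "VPN.UserName=$UserName"
    }
    else {
        throw 'Specify -RoutingDomain or -UserName; an unfiltered capture records every tenant.'
    }

    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
    return $TraceFile
}

# Usage: capture only the first tenant's packets, exercise the tunnel, then stop.
# $etl = Start-S2SPacketCapture -RoutingDomain '{11111111-1111-1111-1111-111111111001}'
# ... run the ping or other traffic through the S2S connection ...
# netsh trace stop   # then open $etl in Netmon or Message Analyzer
```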