Free Trial *Internet Service Required
0 out of 1 rated this helpful - Rate this topic

Troubleshooting Windows Azure Connect

Updated: November 22, 2010

[This topic contains preliminary content for the CTP release of Windows Azure Connect. To begin using the feature, go to the Virtual Network tab located in the Windows Azure Management Portal.]

Select the issue you want to troubleshoot:

The Windows Azure Connect diagnostic tool checks the status of Windows Azure Connect components and returns either Success, if the component is correctly configured and working correctly, or a status message specifying an error.

  1. In the system tray, click the Connect Endpoint tray icon,

    System tray with Connect icon

  2. On the menu click Diagnostics. This will open the Windows Azure Connect diagnostic tool.

Windows Azure Connect diagnostic pop up

The table below shows the error strings returned by the diagnostic tool and the action to be taken to correct the error:

 

Diagnostics Check Status Message Action

Entitlement Check

This endpoint is not activated.

If not activated, make sure the activation token is correct, and that the computer has an internet connection.

For an on-premise computer make the sure install link is correct. On the Windows Azure computer check that the token in in the CSFG file is the same as what is displayed in the Windows Azure Platform Management Portal.

noteNote
If successful, this check is not shown.

Policy check

There is no connectivity policy on this machine.

Verify that your computer has an active internet connection.

Software update check

The Software update service is not running. Please start it.

The Windows Update service is not running, use the Services Snap-in to start the service. For more information, see Services Snap-in.

Internet connectivity

Connect Service failed to connect to the internet, please ensure that the proxy settings for the local system account are correct.

For more information see On a local computer or VM, the endpoint software was installed, but the endpoint software displays “Status: Not Activated.”

Remote Access Manager service check

The Remote Access Manager service is not running. Please start it.

The Remote Access Manager service is not running, use the Services Snap-in to start the service. For more information, see Services Snap-in.

IKE and AuthIP IPsec Keying Module service check

The IKE and AuthIP IPsec Keying Module service is not running. Please start it.

The IKE and AuthIP IPsec Keying service is not running, use the Services Snap-in to start the service. For more information, see Services Snap-in.

IPv6 enabled

IPv6 is disabled on your machine, please enable IPv6, see steps at http://support.microsoft.com/kb/929852.

Enable IPv6 on your computer, for more information see http://support.microsoft.com/kb/929852.

IPsec certificate check

An IPsec certificate is invalid at the moment, Connect will try to update the certificate, please ensure that the machine is connected to the internet.

Or

No IpSec certificate was found. Please ensure that this machine is configured for connectivity.

Verify that your computer has an active internet connection.

RAS credentials check

No valid certificate was found that could be used to connect to RAS server. Please ensure machine has been activated.

For an on-premise computer make the sure install link is correct. On the Windows Azure computer check that the token in in the CSFG file is the same as what is displayed in the Windows Azure Platform Management Portal.

 

Cause: The role was activated very recently, and the deployment process has not completed, so the role is not yet listed in Windows Azure Connect.

Solution: View the role in Windows Azure (not Windows Azure Connect) to monitor the state that the role is in. After it enters the Ready state, check to see if it appears in the Windows Azure Connect interface.

Cause: In the configuration file (*.cscfg file) for the Windows Azure role, the line that specifies the activation token is missing, uses incorrect syntax, or does not correctly specify the token that is current for that subscription.

Solution: Confirm that the configuration for the role specifies the activation token correctly (working with a developer if needed). To view the current token for the subscription, in Windows Azure Connect, click the subscription, click Get Activation Token, click Copy Token to Clipboard, and paste the token into a text editor. To check the syntax of the line that specifies the token in the configuration, compare it to the following syntax:

<Setting name="Microsoft.WindowsAzure.Plugins.Connect.ActivationToken" value=" tokenstring " />

For more information, see How to Activate Windows Azure Roles for Windows Azure Connect.

 

Cause: The local computer or VM does not currently have a connection to the Internet, or does not have the correct proxy settings to allow a connection to the Internet.

Solution: Use your Internet browser to see whether the computer can connect to the Internet. If not, review and correct any issues with network, firewall, and proxy settings. Note that the endpoint software for Windows Azure Connect runs in the Local System account, and therefore is affected by the proxy settings for that account.

For more information about firewall settings, see Overview of Firewall Settings Related to Windows Azure Connect.

Cause: There was a problem with the installation of the endpoint software or with the activation token that was part of the installation. For example, after the link for installing the software was pasted into a browser, in the resulting dialog box, the installation software might have been saved rather than being run directly from the dialog box. For another example, after the endpoint software was installed, the Reset Activation Token button might have been clicked.

Solution: Uninstall and reinstall the endpoint software. (Be sure to select the intended subscription before you click Install Local Endpoint.) For more information, see How to Install Local Endpoints with Windows Azure Connect.

 

Cause: You have more than one subscription in Windows Azure, and the endpoint software was installed on a particular computer or VM with the activation token for a different subscription than the one you intended. If this is the case, the local computer or VM will be listed under the Activated Endpoints for a different subscription than you expect.

Solution: Uninstall the endpoint software. Then reinstall the software, being sure to select the intended subscription before you click Install Local Endpoint. For more information, see How to Install Local Endpoints with Windows Azure Connect.

Additional causes and solutions: See the previous section, On a local computer or VM, the endpoint software was installed, but the endpoint software displays “Status: Not Activated.”

 

Cause: The endpoint has already been added to a different group.

Solution: In the Windows Azure interface, in the console tree, under the relevant subscription, click Activated Endpoints, and in the center pane, click the endpoint you want to add to an endpoint group. On the right, under Group, find the name of the group that the endpoint has been added to. If you want the endpoint to be assigned to a different group, click Move to Group, and select the appropriate group.

Additional causes and solutions: There could be a problem with the endpoint itself, as described in the two previous sections:

 

Cause: The configuration in Windows Azure Connect is incomplete or incorrect in some way.

Solution: View the elements of the configuration (activated role or roles, local endpoint or endpoints, and endpoint group) in the Windows Azure Connect interface. Use Checklist for Configuring Connections for Windows Azure Roles to confirm that the configuration is complete and as intended.

Cause: Changes have been made in the configuration, but some changes, for example DNS changes, have not propagated completely.

Solution: Allow time for DNS changes or other changes to propagate. Also, in the Windows Azure Connect interface, click Refresh Role Information.

Cause: The configuration of the network, firewall, or other features that support connectivity (outside of Windows Azure Connect itself) is not correct.

Solution: Use network diagnostic tools in the following sequence to identify the aspect of the configuration that needs to be corrected:

  • Windows Azure Connect interface: View the properties of the activated role and the local endpoint, which should each have a Secure Socket Tunneling Protocol (SSTP) address assigned by Windows Azure Connect.

  • Ipconfig: Use ipconfig or a similar tool to confirm that the local endpoint has a IPv6 address assigned by Windows Azure Connect. This is an address that begins with 2a01:111:3f00.

  • Ping: See if ping can send packets between an activated role instance and a local endpoint, when each is identified with a fully-qualified domain name (FQDN) or with a short name. If packets can be sent, observe the IP address that is being used, and compare it with the address seen through the Windows Azure Connect interface. If you see name resolution problems, work with your DNS configuration.

    If ping fails, make sure that the firewall is not blocking Internet Control Message Protocol version 6 (ICMPv6) by running the following command and then trying ping again:

    netsh advfirewall firewall add rule name="ICMPv6" dir=in action=allow enable=yes protocol=icmpv6

    For more information about firewall settings, see Overview of Firewall Settings Related to Windows Azure Connect.

  • Remote Desktop Connection (RDC) client: See if you can use the RDC client to create a connection between a local endpoint and an activated role (in either direction). Try both the FQDN and the short name of a system when you connect. For more information about configuring a remote desktop connection for a role, see Overview of Setting Up a Remote Desktop Connection for a Role.

  • Application connectivity between local computers: See if an application on the local endpoint can connect to another local computer (not a Windows Azure role instance). Check for both IPv4 and IPv6 connectivity.

    For example, if you are running SQL Server on the local endpoint, see whether a connection can be established between SQL Server and another local computer, using IPv4 and then IPv6. If not, correct the local connectivity issue (for example, a firewall issue) and see if it corrects the issue for Windows Azure Connect.

    For more information about firewall settings, see Overview of Firewall Settings Related to Windows Azure Connect.

  • Certificates snap-in on the local computer: On a local endpoint (a computer or VM with the local endpoint software), ensure that the Certificates snap-in has been added to a Microsoft Management Console (MMC). Then use the snap-in to see if one or more certificates for Windows Azure Connect are in the local store, and to confirm that the certificates are using a valid certification hierarchy. If the certificates are in the local store, it indicates that the endpoint software was able to download them.

    For information about the Certificates snap-in and certificates stores, see the following topics:

 

Cause: The Windows Azure role cannot connect to any local endpoint (that is, a computer or VM, located in your local network, with the endpoint software installed).

Solution: See Although a Windows Azure role, local endpoints, and an endpoint group are configured in Windows Azure Connect, the connection cannot be established.

Cause: The local domain controller on which the endpoint software is installed is not a DNS server.

Solution: Configure the local domain controller so that it is also a DNS server (this is required for a configuration where a Windows Azure role is joined to the domain).

Cause: In the configuration file (*.cscfg file) for the Windows Azure role, the lines that provide necessary information for joining the role to the domain are missing, are incorrect, or use incorrect syntax.

Solution: See Overview of Windows Azure Connect When Roles Are Joined to a Domain, and based on that topic, review each of the domain-related settings in the configuration file. Also confirm that in the configuration file (*.cscfg file) for the Windows Azure role, the user specified for DomainAccountName has permission to add a computer object (computer account) to the domain. If the configuration includes the optional line that specifies DomainOU, confirm that the user specified for the DomainAccountName has permission to add a computer object to that specific OU.

You can perform further analysis of the configuration file by connecting to the role through the Remote Desktop Connection (RDC) client and examining a log file. The path for the log file is as follows:

%ProgramFiles%\Windows Azure Connect\Endpoint\Logs\Integrator.log

You might find the following error codes in the log:

  • Error code 1355: The domain controller cannot be reached.

  • Error code 1003: The user specified for DomainAccountName does not have permissions to join a computer object to the domain.

  • Error code 1326: The logon failed. The password might be incorrect (for example, if it was changed recently), or the password might not have been encrypted correctly.

 

Cause: The Reset Activation Token button was clicked by mistake, and either of the following is true:

  • Roles had previously been activated for that subscription.

  • Local endpoint software had previously been installed for that subscription.

Solution: Update the activation token for all resources associated with that subscription:

Did you find this helpful?
(1500 characters remaining)
Community Additions ADD
facebook page visit twitter rss feed newsletter