ASDK - nslookup for local names work but external names fail

  • Question

  • nslookup for adminportal.local.azurestack.external and portal.local.azurestack.external works, but nslookup for any outside names doesn't work, and login to adminportal fails and ends up at https://adminportal.local.azurestack.external/Error/UE_IDP?shown=true

    with the message 'sign-in failed, try again'. I think our ASDK DNS forward lookup for external names is failing somehow. Any insight and feedback would be appreciated. Thanks.

    Tuesday, May 8, 2018 1:26 PM

Answers

  • Hello,

    BGPNAT can exhibit this behavior if:

    1) The IP address assigned to AzS-BGPNAT01 is on a different subnet than the Host IP address

    Or

    2) The NETNAT external IP is different from the IP address assigned to AzS-BGPNAT01

         

    To validate the Host IP and the IP assigned to AzS-BGPNAT01, run the following PowerShell and compare the output.

      

    # Step 1 - Validate IP subnet & default gateway on HOST & BGPNAT

    ipconfig /all

    Invoke-Command -ComputerName AzS-BGPNAT01 -ScriptBlock { ipconfig /all }

    NOTE: The IP Addresses should both be on the same subnet and use the same default gateway

      

    If the IPs are on the same subnet and use the same default gateway, move on to step 3.

      

    If not, you'll need to update the IP config on BGPNAT (step 2).

    In the example below, I'm setting the BGPNAT IP = 10.0.0.15

    Default gateway = 10.0.0.1

    DNS = 192.168.200.224 (AzS-DC01) & 8.8.8.8 (Google)

      

    # Step 2 - Update IP settings on AzS-BGPNAT01

    $Credential = Get-Credential   # account used to manage the infrastructure VMs

    Enter-PSSession -ComputerName AzS-BGPNAT01 -Credential $Credential

    # If more than one adapter is IP-enabled, narrow $wmi down to the external adapter first;
    # the method calls below fail on an array.

    $wmi = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = 'true'"

    $wmi.EnableStatic("10.0.0.15", "255.255.255.0")

    $wmi.SetGateways("10.0.0.1", 1)

    $DNS = "192.168.200.224", "8.8.8.8"

    $wmi.SetDNSServerSearchOrder($DNS)

       

    To validate the NETNAT external IP, run the following commands and compare the IP addresses in the output.

     

    # Step 3 - Validate BGPNAT & NETNAT External IP

    Invoke-Command -ComputerName AzS-BGPNAT01 -ScriptBlock { ipconfig }

    Invoke-Command -ComputerName AzS-BGPNAT01 -ScriptBlock { Get-NetNatExternalAddress }

        

    The IP addresses listed in the output should match. If they are different, you'll need to update the NAT configuration (steps 4 & 5).

      

    To remove the incorrect NAT IP address from AzS-BGPNAT01 run the following command:

    # Step 4   Remove the incorrect NETNAT External IP

    Invoke-Command -ComputerName AzS-BGPNAT01 -ScriptBlock { Remove-NetNatExternalAddress -IPAddress 10.0.0.12 }

     

    To assign the new NAT IP address to AzS-BGPNAT01, run the following command:

    # Step 5  Assign new NETNAT External IP

    Invoke-Command -ComputerName AzS-BGPNAT01 -ScriptBlock { Add-NetNatExternalAddress -IPAddress 10.0.0.15 -PortStart 5000 -PortEnd 49151 }

    NOTE: In this example, the IP was 10.0.0.12 and needs to be updated to 10.0.0.15.

      

    If the forwarders were not set up for some reason, you can run the script below to add forwarders to the DNS server AzS-DC01.

      

    ### Add DNS Forwarder to AzS-DC01

    # Run inside a session on the DNS server: Enter-PSSession -ComputerName AzS-DC01 -Credential $Credential

    Add-DnsServerForwarder -IPAddress 8.8.8.8 -PassThru

    Get-DnsServerForwarder

     

      

    At this point, you should be able to reach port 443 on login.windows.net from the Host and AzS-DC01:

    tnc login.windows.net -Port 443

     

    Let us know how it goes,

                              

    We apologize for any inconvenience and appreciate your time and interest in Azure Stack.

    If you experience any issues with Azure Stack or the current ASDK release, please feel free to contact us.

                

     Thanks


    Gary Gallanes

    Thursday, May 24, 2018 12:35 AM

All replies

  • Hello,

    Can you run the following PowerShell to validate your DNS settings?

     

    ### Get IPConfig & DNS Forwarder from Host and AzS-DC01

    ipconfig /all

    $Credential = Get-Credential   # account used to manage the infrastructure VMs

    Enter-PSSession -ComputerName AzS-DC01 -Credential $Credential

    ipconfig /all

    Get-DnsServerForwarder

        

    The ASDK Host and Infra VMs use AzS-DC01 as the DNS server. The deployment automatically adds the existing DNS server(s) as forwarders and resets the Host DNS to AzS-DC01 / 192.168.200.224.

    If the forwarders were not set up for some reason, you can run the script below to add forwarders to the DNS server AzS-DC01.

      

    ### Add DNS Forwarder to AzS-DC01

    $Credential = Get-Credential   # account used to manage the infrastructure VMs

    Enter-PSSession -ComputerName AzS-DC01 -Credential $Credential

    Add-DnsServerForwarder -IPAddress 172.23.90.124 -PassThru

         

    Run the following to validate your DNS settings and connection to Azure AD.

    tnc login.windows.net -Port 443

     

    Example output of a successful test:

    tnc login.windows.net -Port 443

    ComputerName     : login.windows.net

    RemoteAddress    : 23.100.32.136

    RemotePort       : 443

    InterfaceAlias   : Deployment

    SourceAddress    : 10.184.224.11

         

    Let us know how it goes,

       

    We apologize for any inconvenience and appreciate your time and interest in Azure Stack.

    If you experience any issues with Azure Stack or the current ASDK release, please feel free to contact us.

                

     Thanks


    Gary Gallanes

    Tuesday, May 8, 2018 6:23 PM
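
    As an added example (not code from this thread or from Azure Stack), the script below runs the checks from this reply (forwarders on AzS-DC01 and the tnc test) together with steps 1 and 3 of the accepted answer above, from the ASDK host in one pass, and reports which condition fails. It generalizes the manual "compare the two outputs" instructions into explicit same-subnet, same-gateway and NAT-address comparisons. It assumes the VM names AzS-BGPNAT01 and AzS-DC01 and the Azure AD host login.windows.net from the thread, that $Credential can open PowerShell remoting sessions to both infrastructure VMs, and that on each machine the NIC that has an IPv4 default gateway is the one facing the external network.

```powershell
# Added example, not from the original thread or from Azure Stack.
# Runs the thread's checks from the ASDK host and reports which one fails.
# Assumptions: VM names and the Azure AD host come from the thread;
# $Credential can open remoting sessions to both infrastructure VMs; on each
# machine the NIC that has an IPv4 default gateway is the external-facing one.
[CmdletBinding()]
param(
    [pscredential]$Credential = (Get-Credential -Message 'Infrastructure VM administrator'),
    [string]$BgpNatVm = 'AzS-BGPNAT01',
    [string]$DcVm     = 'AzS-DC01',
    [string]$AadHost  = 'login.windows.net'
)

# True when two IPv4 addresses are in the same /PrefixLength network.
# Compares byte by byte so no 32-bit shift-width corner cases arise.
function Test-SameSubnet {
    param([string]$A, [string]$B, [int]$PrefixLength)
    $ab = [System.Net.IPAddress]::Parse($A).GetAddressBytes()
    $bb = [System.Net.IPAddress]::Parse($B).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($ab[$i] -band $mask) -ne ($bb[$i] -band $mask)) { return $false }
    }
    return $true
}

# IPv4 address, prefix length and gateway of the first NIC with a default gateway.
$gatewayNic = {
    Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1 |
        ForEach-Object {
            [pscustomobject]@{
                IP      = $_.IPv4Address[0].IPAddress
                Prefix  = [int]$_.IPv4Address[0].PrefixLength
                Gateway = $_.IPv4DefaultGateway[0].NextHop
            }
        }
}

$r = [ordered]@{}

# Step 1 of the accepted answer: host and BGPNAT share a subnet and a gateway.
$hostNic = & $gatewayNic
$natNic  = Invoke-Command -ComputerName $BgpNatVm -Credential $Credential -ScriptBlock $gatewayNic
$r.HostIP      = $hostNic.IP
$r.BgpNatIP    = $natNic.IP
$r.SameSubnet  = Test-SameSubnet $hostNic.IP $natNic.IP $natNic.Prefix
$r.SameGateway = ($hostNic.Gateway -eq $natNic.Gateway)

# Step 3: every NETNAT external address must be the address BGPNAT actually owns.
$natExternal = @(Invoke-Command -ComputerName $BgpNatVm -Credential $Credential -ScriptBlock {
    Get-NetNatExternalAddress | Select-Object -ExpandProperty IPAddress
})
$r.NatExternalIPs     = $natExternal -join ', '
$r.NatExternalMatches = ($natExternal.Count -gt 0) -and
                        (@($natExternal | Where-Object { $_ -ne $natNic.IP }).Count -eq 0)

# Forwarders on AzS-DC01, queried from AzS-DC01 so the path through BGPNAT is exercised.
$dns = Invoke-Command -ComputerName $DcVm -Credential $Credential -ScriptBlock {
    $aad = $using:AadHost
    $fwd = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    $ok  = @($fwd | Where-Object {
        try { $null = Resolve-DnsName -Name $aad -Server $_ -DnsOnly -ErrorAction Stop; $true }
        catch { $false }
    })
    $tcp = (Test-NetConnection -ComputerName $aad -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ Forwarders = $fwd; Answering = $ok; Tcp443 = $tcp }
}
$r.Forwarders          = $dns.Forwarders -join ', '
$r.ForwardersAnswering = $dns.Answering -join ', '
$r.DcTcp443            = $dns.Tcp443
$r.HostTcp443          = (Test-NetConnection -ComputerName $AadHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

[pscustomobject]$r | Format-List

# Point at the step in the thread that fixes whatever failed.
if (-not ($r.SameSubnet -and $r.SameGateway)) { Write-Warning 'BGPNAT IP/gateway differ from the host: see step 2.' }
if (-not $r.NatExternalMatches)               { Write-Warning 'NETNAT external IP differs from the BGPNAT IP: see steps 4 and 5.' }
if (-not $r.ForwardersAnswering)              { Write-Warning 'No forwarder on AzS-DC01 answers: add a reachable one with Add-DnsServerForwarder.' }
```

    Run it from an elevated PowerShell on the host (the file name, say Test-AsdkEgress.ps1, is a hypothetical choice). A false SameSubnet or SameGateway maps to step 2 of the accepted answer, a false NatExternalMatches to steps 4 and 5, and an empty ForwardersAnswering to a forwarder problem on AzS-DC01. Site-local IPv6 entries such as the fec0:0:0:ffff:: addresses in the poster's Get-DnsServerForwarder output will always show as not answering; the IPv4 forwarder is the one that has to answer. DcTcp443 false with HostTcp443 true is the signature of the routing problem described in this thread: the host reaches Azure AD directly, but traffic from the infrastructure VMs, which goes through BGPNAT, does not.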
  • DNS forwarder is already defined.


    [AzS-DC01]: PS C:\Users\AzureStackAdmin\Documents> Get-DnsServerForwarder

    UseRootHint        : True
    Timeout(s)         : 3
    EnableReordering   : True
    IPAddress          : {10.xxx.xxx.xxx, fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
    ReorderedIPAddress : {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3, 10.xxx.xxx.xxx}

    tnc test from AzS-DC01 fails with the following.

    [AzS-DC01]: PS C:\Users\AzureStackAdmin\Documents> tnc login.windows.net -port 443
    WARNING: Name resolution of login.windows.net failed -- Status: This is usually a temporary error during hostname resolution
    and means that the local server did not receive a response from an authoritative server

    ComputerName   : login.windows.net
    RemoteAddress  :
    InterfaceAlias :
    SourceAddress  :
    PingSucceeded  : False

    It seems the route to external is broken. Anything else I can look at?

    Tuesday, May 8, 2018 6:35 PM
  • From the AzS-DC01 session, ping to IP_of_dns_forwarder fails. tracert times out from 192.168.200.1.

    I think something is broken on BGPNAT for routing outside.

    Tuesday, May 8, 2018 7:10 PM