Merge pull request #227480 from halkazwini/nw-vpn-overview

Network Watcher: Freshness: Introduction to virtual network gateway troubleshooting in Azure Network Watcher

Author: Court72

articles/network-watcher/media/network-watcher-troubleshoot-overview/portal.png

@@ -1,22 +1,40 @@
 ---
-title: Introduction to VPN troubleshoot
+title: VPN troubleshoot overview
 titleSuffix: Azure Network Watcher
-description: This page provides an overview of Azure Network Watcher VPN troubleshoot capability.
+description: Learn about Azure Network Watcher VPN troubleshoot capability.
 services: network-watcher
 author: halkazwini
 ms.service: network-watcher
 ms.topic: conceptual
 ms.workload: infrastructure-services
-ms.date: 03/31/2022
+ms.date: 02/15/2023
 ms.author: halkazwini
-ms.custom: engagement-fy23
+ms.custom: template-concept, engagement-fy23
 ---
 
-# Introduction to virtual network gateway troubleshooting in Azure Network Watcher
+# VPN troubleshoot overview
 
-Virtual network gateways provide connectivity between on-premises resources and other virtual networks within Azure. Monitoring gateways and their connections are critical to ensuring communication is not broken. Network Watcher provides the capability to troubleshoot gateways and connections. The capability can be called through the portal, PowerShell, Azure CLI, or REST API. When called, Network Watcher diagnoses the health of the gateway, or connection, and returns the appropriate results. The request is a long running transaction. The results are returned once the diagnosis is complete.
+Virtual network gateways provide connectivity between on-premises resources and Azure Virtual Networks. Monitoring virtual network gateways and their connections are critical to ensure communication isn't broken. Azure Network Watcher provides the capability to troubleshoot virtual network gateways and their connections. The capability can be called through the Azure portal, Azure PowerShell, Azure CLI, or REST API. When called, Network Watcher diagnoses the health of the gateway, or connection, and returns the appropriate results. The request is a long running transaction. The results are returned once the diagnosis is complete.
 
-![Screenshot shows Network Watcher V P N Diagnostics.][2]
+:::image type="content" source="./media/network-watcher-troubleshoot-overview/vpn-troubleshoot-azure-portal.png" alt-text="Screenshot of Azure Network Watcher VPN troubleshoot in the Azure portal.":::
+
+## Supported Gateway types
+
+The following table lists which gateways and connections are supported with Network Watcher troubleshooting:
+
+| Gateway or connection | Supported  |
+|---------|---------|
+|**Gateway types**   |         |
+|VPN      | Supported        |
+|ExpressRoute | Not Supported |
+|**VPN types** | |
+|Route Based | Supported|
+|Policy Based | Not Supported|
+|**Connection types**||
+|IPSec| Supported|
+|VNet2VNet| Supported|
+|ExpressRoute| Not Supported|
+|VPNClient| Not Supported|
 
 ## Results
 
@@ -26,7 +44,7 @@ The following list is the values returned with the troubleshoot API:
 
 * **startTime** - This value is the time the troubleshoot API call started.
 * **endTime** - This value is the time when the troubleshooting ended.
-* **code** - This value is UnHealthy, if there is a single diagnosis failure.
+* **code** - This value is UnHealthy, if there's a single diagnosis failure.
 * **results** - Results is a collection of results returned on the Connection or the virtual network gateway.
     * **id** - This value is the fault type.
     * **summary** - This value is a summary of the fault.
@@ -36,70 +54,53 @@ The following list is the values returned with the troubleshoot API:
       * **actionUri** - This value provides the URI to documentation on how to act.
       * **actionUriText** - This value is a short description of the action text.
 
-The following tables show the different fault types (id under results from the preceding list) that are available and if the fault creates logs.
+The following tables show the different fault types (ID under results from the preceding list) that are available and if the fault creates logs.
 
 ### Gateway
 
 | Fault Type | Reason | Log|
 |---|---|---|
 | NoFault | When no error is detected |Yes|
-| GatewayNotFound | Cannot find gateway or gateway is not provisioned |No|
+| GatewayNotFound | Can't find gateway or gateway isn't provisioned |No|
 | PlannedMaintenance |  Gateway instance is under maintenance  |No|
 | UserDrivenUpdate | This fault occurs when a user update is in progress. The update could be a resize operation. | No |
 | VipUnResponsive | This fault occurs when the primary instance of the gateway can't be reached due to a health probe failure. | No |
-| PlatformInActive | There is an issue with the platform. | No|
-| ServiceNotRunning | The underlying service is not running. | No|
+| PlatformInActive | There's an issue with the platform. | No|
+| ServiceNotRunning | The underlying service isn't running. | No|
 | NoConnectionsFoundForGateway | No connections exist on the gateway. This fault is only a warning.| No|
-| ConnectionsNotConnected | Connections are not connected. This fault is only a warning.| Yes|
+| ConnectionsNotConnected | Connections aren't connected. This fault is only a warning.| Yes|
 | GatewayCPUUsageExceeded | The current gateway CPU usage is > 95%. | Yes |
 
 ### Connection
 
 | Fault Type | Reason | Log|
 |---|---|---|
 | NoFault | When no error is detected |Yes|
-| GatewayNotFound | Cannot find gateway or gateway is not provisioned |No|
+| GatewayNotFound | Can't find gateway or gateway isn't provisioned |No|
 | PlannedMaintenance | Gateway instance is under maintenance  |No|
 | UserDrivenUpdate | This fault occurs when a user update is in progress. The update could be a resize operation.  | No |
 | VipUnResponsive | This fault occurs when the primary instance of the gateway can't be reached due to a health probe failure. | No |
 | ConnectionEntityNotFound | Connection configuration is missing | No |
 | ConnectionIsMarkedDisconnected | The connection is marked "disconnected" |No|
-| ConnectionNotConfiguredOnGateway | The underlying service does not have the connection configured. | Yes |
+| ConnectionNotConfiguredOnGateway | The underlying service doesn't have the connection configured. | Yes |
 | ConnectionMarkedStandby | The underlying service is marked as standby.| Yes|
 | Authentication | Preshared key mismatch | Yes|
-| PeerReachability | The peer gateway is not reachable. | Yes|
-| IkePolicyMismatch | The peer gateway has IKE policies that are not supported by Azure. | Yes|
+| PeerReachability | The peer gateway isn't reachable. | Yes|
+| IkePolicyMismatch | The peer gateway has IKE policies that aren't supported by Azure. | Yes|
 | WfpParse Error | An error occurred parsing the WFP log. |Yes|
 
-## Supported Gateway types
-
-The following table lists which gateways and connections are supported with Network Watcher troubleshooting:
-
-| Gateway or connection | Supported  |
-|---------|---------|
-|**Gateway types**   |         |
-|VPN      | Supported        |
-|ExpressRoute | Not Supported |
-|**VPN types** | |
-|Route Based | Supported|
-|Policy Based | Not Supported|
-|**Connection types**||
-|IPSec| Supported|
-|VNet2Vnet| Supported|
-|ExpressRoute| Not Supported|
-|VPNClient| Not Supported|
 
 ## Log files
 
 The resource troubleshooting log files are stored in a storage account after resource troubleshooting is finished. The following image shows the example contents of a call that resulted in an error.
 
-![zip file][1]
+:::image type="content" source="./media/network-watcher-troubleshoot-overview/gateway-tenant-worker-logs-new.png" alt-text="Screenshot shows the content of the downloaded zipped log files.":::
 
 > [!NOTE]
 > 1. In some cases, only a subset of the logs files is written to storage.
-> 2. For newer Gateway versions, the IkeErrors.txt, Scrubbed-wfpdiag.txt and wfpdiag.txt.sum have been replaced by an IkeLogs.txt file that contains the whole IKE activity (not just errors).
+> 2. For newer gateway versions, the IkeErrors.txt, Scrubbed-wfpdiag.txt and wfpdiag.txt.sum have been replaced by an IkeLogs.txt file that contains the whole IKE activity (not just errors).
 
-For instructions on downloading files from Azure storage accounts, refer to [Get started with Azure Blob storage using .NET](../storage/blobs/storage-quickstart-blobs-dotnet.md). Another tool that can be used is Storage Explorer. More information about Storage Explorer can be found here at the following link: [Storage Explorer](https://storageexplorer.com/)
+For instructions on downloading files from Azure storage accounts, see [Download a block blob](../storage/blobs/storage-quickstart-blobs-portal.md#download-a-block-blob). Another tool that can be used is Storage Explorer. For information about Azure Storage Explorer, see [Use Azure Storage Explorer to download blobs](../storage/blobs/quickstart-storage-explorer.md#download-blobs)
 
 ### ConnectionStats.txt
 
@@ -158,7 +159,7 @@ Error: On-prem device sent invalid payload.
 
 The **Scrubbed-wfpdiag.txt** log file contains the wfp log. This log contains logging of packet drop and IKE/AuthIP failures.
 
-The following example shows the contents of the Scrubbed-wfpdiag.txt file. In this example, the shared key of a Connection was not correct as can be seen from the third line from the bottom. The following example is just a snippet of the entire log, as the log can be lengthy depending on the issue.
+The following example shows the contents of the Scrubbed-wfpdiag.txt file. In this example, the pre-shared key of a Connection wasn't correct as can be seen from the third line from the bottom. The following example is just a snippet of the entire log, as the log can be lengthy depending on the issue.
 
 ```
 ...
@@ -218,14 +219,9 @@ Elapsed Time            330 sec
 ```
 
 ## Considerations 
-* Only one troubleshoot operation can be run at a time per subscription. To run another troubleshoot operation, wait for the previous one to complete. Triggering more operations while a previous one hasn't completed will cause subsequent operations to fail. 
-* CLI Bug: If you are using Azure CLI to run the command, the VPN Gateway and the Storage account need to be in same resource group. Customers with the resources in different resource groups can use PowerShell or the Azure portal instead.  
-
+* Only one VPN troubleshoot operation can be run at a time per subscription. To run another VPN troubleshoot operation, wait for the previous one to complete. Triggering a new operation while a previous one hasn't completed causes the subsequent operations to fail. 
+* CLI Bug: If you're using Azure CLI to run the command, the VPN Gateway and the Storage account need to be in same resource group. Customers with the resources in different resource groups can use PowerShell or the Azure portal instead.  
 
 ## Next steps
 
-To learn how to diagnose a problem with a gateway or gateway connection, see [Diagnose communication problems between networks](diagnose-communication-problem-between-networks.md).
-<!--Image references-->
-
-[1]: ./media/network-watcher-troubleshoot-overview/gateway-tenant-worker-logs-new.png
-[2]: ./media/network-watcher-troubleshoot-overview/portal.png
+To learn how to diagnose a problem with a virtual network gateway or gateway connection, see [Diagnose communication problems between networks](diagnose-communication-problem-between-networks.md).