你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn

Troubleshoot Azure Arc-enabled servers networking issues

This article provides information for troubleshooting networking issues that might occur with Arc-enabled servers.

When troubleshooting connectivity issues, be sure that your environment meets all of the Azure Arc-enabled servers networking requirements.

Windows TLS configuration issues

Starting from version 1.56 of the Connected Machine agent (Windows only), if the agent fails to reach Azure endpoints even after the endpoints are allowed in the environment, ensure the following cipher suites are enabled for at least one of the recommended TLS versions:

  • TLS 1.3 (suites in server-preferred order):
    • TLS_AES_256_GCM_SHA384 (0x1302) ECDH secp521r1 (eq. 15360 bits RSA) FS
    • TLS_AES_128_GCM_SHA256 (0x1301) ECDH secp256r1 (eq. 3072 bits RSA) FS
  • TLS 1.2 (suites in server-preferred order)
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp521r1 (eq. 15360 bits RSA) FS
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS

You can check the cipher suites on a machine with the following PowerShell command:

Get-TlsCipherSuite | Format-List Name

To enable cipher suites, you can use one of the following methods:

Enable cipher suites with Group Policy

  1. Open the SSL Cipher Suite Order window.
  2. Edit the Cipher Suites box (comma-separated list) to include the minimum required cipher suites.

Enable cipher suites with PowerShell (no reboot required)

For TLS 1.3:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"

For TLS 1.2:

Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

Enable cipher suites with manual registry edit

  1. Navigate to the registry key: HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002.
  2. Edit the 'Functions' REG_MULTI_SZ value to add the required cipher suites to the list (with each cipher suite on its own line).
  3. Reboot the machine for changes to take effect.

Next steps

If you don't see your problem here or you can't resolve your issue, try one of the following channels for support: