In this post, I will explain how to solve the situation when an Azure Image Builder job fails with the following errors:
[ERROR] connection error: unknown error Post “https://10.1.10.9:5986/wsman”: proxyconnect tcp: dial tcp 10.0.1.4:60000: i/o timeout
[ERROR] WinRM connection err: unknown error Post “https://10.1.10.9:5986/wsman”: proxyconnect tcp: dial tcp 10.0.1.4:60000: i/o timeout
[ERROR]connection error: unknown error Post “https://10.1.10.8:5986/wsman”: context deadline exceeded
[ERROR] WinRM connection err: unknown error Post “https://10.1.10.8:5986/wsman”: context deadline exceeded
Note that the second error will probably be the following if you are building a Linux VM:
[ERROR]connection error: unknown error Post “https://10.1.10.8:22/ssh”: context deadline exceeded
[ERROR] SSH connection err: unknown error Post “https://10.1.10.8:22/ssh”: context deadline exceeded
The Scenario
I’m using Azure Image Builder to prepare a reusable image for Azure Virtual Desktop with some legacy software packages from external vendors. Things like re-packaging (MSIX) will be a total support no-no, so the software must be pre-installed into the image.
I need a secure solution:
- The virtual machine should not be reachable on the Internet.Software packages will be shared from a storage account with a private endpoint for the blob service.
This scenario requires that I prepare a virtual network and customise the Image Template to use an existing subnet ID. That’s all good. I even looked at the PowerShell example from Microsoft which told me to allow TCP 60000-60001 from Azure Load Balancer to Virtual Network:
I also added my customary DenyAll rule at priority 4000 – the built in Deny rule doesn’t deny all that much!
I did that … and the job failed, initially with the first of the errors above, related to TCP 60000. Weird!
Troubleshooting Time
Having migrated countless legacy applications with missing networking documentation into micro-segmented Azure networks, I knew what my next steps were:
- Deploy Log Analytics and a Storage Account for logsEnable VNet Flow Logs with Traffic Analytics on the staging subnet (where the build is happening) NSGRecreate the problem (do a new build)Check the NTANetAnalytics table in Log Analytics
And that’s what I did. Immediately I found that there were comms problems between the Private Endpoint (Azure Container Instance) and the proxy VM. TCP 60000 was attempted and denied because the source was not the Azure Load Balancer.
I added a rule to solve the first issue:
I re-ran the test (yes, this is painfully slow) and the job failed.
This time the logs showed failures from the proxy VM to the staging (build) VM on TCP 5986. If you’re building a Linux VM then this will be TCP 22.
I added a third rule:
Now when I test I see the status switch from Running, to Distributing, to Success.
Root Cause?
Adding my DenyAll rule caused the scenario to vary from the Microsoft docs. The built-in AllowVnetInBound rule is too open because it allows all sources in a routed “network”, including other networks in a hub & spoke. So I micro-segment using a low priority DenyAll rule.
The default AllowVnetInBound rule would have allowed the container>proxy and proxy>VM traffic, but I had overridden it. So I need to create rules to allow that traffic.
The post Azure Image Builder Job Fails With TCP 60000, 5986 or 22 Errors first appeared on Aidan Finn, IT Pro.