Assessment timed out #17

Closed
spaelling opened this issue Nov 8, 2019 · 6 comments

@spaelling

Assessment is timing out on 5 different servers.

I was using version 0.0.7 yesterday which was able to assess most of the sites. I installed v. 1.0 today and just about every site is timing out in the assessment.

Are there any logs I can look into?

Investigative information

Please provide the following:

  • UTC Timestamp:
  • Migration Tool App version : 1.0
  • OS Version: 2008 R2, 2012 R2

Repro steps

Assess any site

Expected behavior

The assessment completes at some point

Actual behavior

The assessment never completes and eventually times out

Known workarounds

N/A

@krolson
Contributor

krolson commented Nov 8, 2019

This looks like it may still be the same issue as you were running into with 0.0.7 (#16) due to a failure to make outbound requests - just that it fails earlier in the 1.0.0 implementation during assessment. In 1.0.0 the assessment is completed by evaluating the anonymized site configuration making a request to our assessment API (readinessapi.trafficmanager.net). Also the fact that the icons are not showing up is another indicator that there are network rules blocking app requests, since the app uses outbound requests for the Microsoft React Fabric UI icons (apologies: I forgot to mention this as one of the outbound connections yesterday since it's more of a cosmetic and not functional item).

I was able to exactly duplicate the behavior you're seeing by setting the default outbound behavior on a server to block. Then I was able to get it working after allowing specifically outbound TCP connections to the appservicemigrationassistant.exe for port 443 and ip 40.117.188.126 (what you get when you resolve the readinessapi.trafficmanager.net endpoint). This would be sufficient for running assessments with the 1.0.0 tool, but additional outbound targets would also have to be allowed for logging in and doing the migration, since these access other endpoints like login.microsoftonline.com, management.azure.com, and the new azure site after it's created (to publish the content). The latter item specifically could make it difficult to whitelist the specific IPs, since you won't know the target site IP until after the site is created, and the content publish step happens automatically after site creation.

You could try checking the Windows Firewall Outbound connection settings locally and adding an allow rule for the AppServiceMigrationAssistant.exe to make outbound connections (check the desktop shortcut for the path to the .exe), however since you're running into this on multiple machines I wonder if this is a larger group policy that might not allow you to make an effective firewall change on the specific machine to allow the traffic out. You might be able to see if this is a generic block on outbound traffic by trying to browse the https://readinessapi.trafficmanager.net from the server - this being blocked would be another good indicator of network settings block and a quick test - unfortunately the reverse of it working doesn't assure the app should work since it might be explicitly allowed depending on the way the firewall rules are set up.

The application does not store any logs locally, they are transient and either logged to the logging endpoint or forgotten. If network traffic can't get out, the logging won't get out, and unfortunately I don't see any logs related to the session id you posted above having made it to the logging endpoint.

@spaelling
Author

I can confirm using Wireshark that there is no reply to the outbound requests. I have yet to determine what is blocking these, but that is my problem. At least we now know why it does not work.

Are there any plans for local logging? I find it problematic that this is somewhat of a black box. There should be a debug switch that either outputs logs to a file, or perhaps, if starting from a shell, outputs to that. Some output may not make sense to someone like me, but I may have caught earlier that it fails making the outbound connection.

@spaelling
Author

I found that an external firewall is blocking the traffic. Would it be possible to get a full list of outbound connections necessary for the tool to work, both assessment and migration?

readinessapi.trafficmanager.net
login.microsoftonline.com
management.azure.com

It also seems to be making a connection to 13.69.66.140 - any idea what this is? I am getting nothing from a reverse DNS lookup.

The sites will be moved to an app service environment. Any additional outbound requests required for this? The connection to the ASE will be on the express route, so that should not be an issue in the firewall.

@krolson
Contributor

krolson commented Nov 11, 2019

For local logging I believe you should be able to see console logged versions of what would be sent to the telemetry endpoint by starting from an administrator cmd prompt, like below. Unfortunately some cases, like this one with blocked outbound connections, don't have appropriate error handling, so even the logging messages are not that useful.

C:\Users\krolson\AppData\Local\Programs\azure-appService-migrationAssistant>AppServiceMigrationAssistant.exe

C:\Users\krolson\AppData\Local\Programs\azure-appService-migrationAssistant>
AppInsights logging INITIALIZED
LOG: Getting Started page action Selected site for assessment {}
LOG: Getting Started page view Getting Started page {"link":"/"}
LOG: Getting Started page action Clicked Next {"link":"/migrationreport"}
LOG: Getting Started page info Server Version {"message":"IIS_10_Newer"}
[…]

These are the endpoints the tool is using:

  • readinessapi.trafficmanager.net
  • login.microsoftonline.com
  • management.azure.com
  • Your target site scm endpoint - format of: [CreatedAzureSiteName].scm.[azurewebsites.net|ASE dnsSuffix] (for publishing site content)
  • (Optionally) appmigration.microsoft.com (checks if newer versions available)
  • (Optionally) graph.microsoft.com (to show friendly tenant names if changing tenants)
  • (Optionally) dc.services.visualstudio.com (for optional anonymized logging to Azure App Insights. I believe this is the Azure App Insights endpoint and possibly what the 13.69.[…] IP you are finding above - https://github.com/Microsoft/ApplicationInsights-Home/blob/master/EndpointSpecs/ENDPOINT-PROTOCOL.md)
  • (Optionally) Azure Migration endpoints if updating Azure Migrate Project status (as I understand this is not a single hardcoded endpoint, so could be difficult to whitelist in advance - but if you need to sync with an Azure Migrate project let me know and I can have the dev on this feature chime in, too)
  • (Optionally) static2.sharepointonline.com, spoprod-a.akamaihd.net/files/fabric/assets/icons/[...] (Office UI Fabric element items, like icons)
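
A preflight check for the endpoint list above, as an added example that is not part of the thread or the tool: it resolves each host and attempts a TCP connection on port 443, using only .NET classes so it also runs on the older PowerShell found on 2008 R2. Port 443 for every endpoint, the `-ScmHost` parameter and the status labels are assumptions of this example.

```powershell
# Added example, not shipped with the tool. Host names come from the list above;
# port 443 for all of them is an assumption (the thread states it only for
# readinessapi.trafficmanager.net).
param(
    [string]$ScmHost = "",   # hypothetical: "<CreatedAzureSiteName>.scm.azurewebsites.net"
    [int]$TimeoutMs = 5000
)

$required = @("readinessapi.trafficmanager.net", "login.microsoftonline.com",
              "management.azure.com")
$optional = @("appmigration.microsoft.com", "graph.microsoft.com",
              "dc.services.visualstudio.com", "static2.sharepointonline.com",
              "spoprod-a.akamaihd.net")
if ($ScmHost) { $required += $ScmHost }

function Test-Outbound443 {
    param([string]$HostName, [bool]$Required, [int]$TimeoutMs)
    $r = New-Object PSObject -Property @{
        Host = $HostName; Required = $Required; Address = ""; Status = "" }
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($HostName)[0]
        $r.Address = $ip.IPAddressToString
    } catch {
        $r.Status = "DNS_FAILED"; return $r
    }
    # Match the socket family to the resolved address (IPv4 or IPv6).
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $ip.AddressFamily
    try {
        $pending = $client.BeginConnect($ip, 443, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($pending)   # throws if the connection was refused/reset
            $r.Status = "OPEN"
        } else {
            # No answer at all: typical of a firewall silently dropping the traffic.
            $r.Status = "TIMEOUT"
        }
    } catch {
        $r.Status = "REFUSED_OR_RESET"
    } finally {
        $client.Close()
    }
    return $r
}

$results = @()
foreach ($h in $required) { $results += Test-Outbound443 $h $true  $TimeoutMs }
foreach ($h in $optional) { $results += Test-Outbound443 $h $false $TimeoutMs }
$results | Select-Object Host, Address, Required, Status | Format-Table -AutoSize
```

Because the check runs as powershell.exe, an `OPEN` result does not prove that a per-program firewall rule allows AppServiceMigrationAssistant.exe, the same caveat as the browser test mentioned earlier in the thread.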

@spaelling
Author

Is the logging part new in 1.0 - I tried starting it in a console, but maybe I was looking for a verbose switch, and never actually ran any assessment. But nice to know it is there.

I guess I have what I need to make an RFC. Cheers.

I think we have found lots of good stuff worth documenting. I hope it helps out others who encounter some of the same issues.

And thanks for the prompt and elaborate replies.

@krolson
Contributor

krolson commented Nov 14, 2019

Thank you for bringing this up. We have the bug open to fix the error message for this case and I have added notes on the above outbound connection information in a possibly more discoverable place, here: https://github.com/Azure/App-Service-Migration-Assistant/wiki/How-the-Assistant-Works#outbound-connections

@krolson krolson closed this as completed Nov 14, 2019