Troubleshoot network virtual appliance problems

You might experience connectivity problems with virtual machines or VPNs that use a network virtual appliance (NVA) in Azure Stack Hub.

This article shows steps to help you validate the basic platform requirements of Azure Stack Hub for NVA configurations.

An NVA's vendor provides technical support for the NVA and for its integration with the Azure Stack Hub platform.

Note

If you have a connectivity or routing problem that involves an NVA, contact the NVA vendor directly.

If this article doesn't address your NVA problem with Azure Stack Hub, create an Azure Stack Hub support ticket.

Checklist for troubleshooting with an NVA vendor

  • Updates for the NVA VM software.
  • Service account setup and functionality.
  • User-defined routes (UDRs) on virtual network subnets that direct traffic to the NVA.
  • UDRs on virtual network subnets that direct traffic from the NVA.
  • Routing tables and rules within the NVA (for example, from NIC1 to NIC2).
  • Tracing on the NVA NICs to verify that network traffic is received and sent.

Basic troubleshooting steps

  1. Check the basic configuration.
  2. Check NVA performance.
  3. Do advanced network troubleshooting.

Check the minimum configuration requirements for NVAs on Azure

Each NVA must meet basic configuration requirements to function correctly on Azure Stack Hub. This section shows the steps to verify these basic configurations. For more information, contact the NVA vendor.

Important

When packets use an S2S tunnel, they're further encapsulated with additional headers. This encapsulation increases the overall size of each packet.

In this scenario, you must clamp the TCP MSS at 1,350 bytes. If your VPN devices don't support MSS clamping, you can set the MTU on the tunnel interface to 1,400 bytes instead.

For more information, see Virtual network TCP/IP performance tuning.

Check whether IP forwarding is enabled on the NVA

Use the Azure Stack Hub portal

  1. Locate the NVA resource in the Azure Stack Hub portal, select Networking, and then select the network interface.
  2. On the Network interface page, select IP configuration.
  3. Make sure that IP forwarding is enabled.

Use PowerShell

  1. Run the following command. Replace the values in angle brackets with your information.

    Get-AzureRMNetworkInterface -ResourceGroupName <ResourceGroupName> -Name <NIC name>
    
  2. Check the EnableIPForwarding property.

  3. If IP forwarding isn't enabled, run the following commands to enable it:

    $nic2 = Get-AzureRMNetworkInterface -ResourceGroupName <ResourceGroupName> -Name <NIC name>
    $nic2.EnableIPForwarding = $true
    Set-AzureRMNetworkInterface -NetworkInterface $nic2
    # Then run: $nic2
    # and check for the expected output:
    #   EnableIPForwarding   : True
    #   NetworkSecurityGroup : null
    
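The per-NIC check above is easy to extend into an audit of a whole resource group. The following PowerShell function is an added example, not code from the article or from Microsoft; it reports the IP forwarding state of every NIC in a resource group, flags NVA NICs where forwarding is missing and, just as important from a security standpoint, non-NVA NICs where forwarding is unexpectedly enabled, and optionally enables forwarding on the NVA NICs. It assumes an authenticated AzureRM session against your Azure Stack Hub environment; the resource group and NIC names in the usage lines are hypothetical placeholders.

```powershell
# Added example (not from the original article): audit IP forwarding on every
# NIC in a resource group and optionally enable it on the NIC(s) of the NVA.
# Assumes an AzureRM session already logged in to the Azure Stack Hub environment.
function Test-NvaIpForwarding {
    param(
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        # Names of the NICs attached to the NVA (hypothetical placeholder values in usage)
        [Parameter(Mandatory)] [string[]] $NvaNicName,
        [switch] $Remediate
    )

    $nics = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName
    foreach ($nic in $nics) {
        $isNvaNic   = $NvaNicName -contains $nic.Name
        $forwarding = [bool] $nic.EnableIPForwarding

        # Report every NIC: forwarding on an ordinary VM NIC lets that VM relay
        # traffic it was never meant to handle, so it is worth surfacing too.
        $status = 'OK'
        if ($isNvaNic -and -not $forwarding)     { $status = 'MISSING' }
        elseif (-not $isNvaNic -and $forwarding) { $status = 'UNEXPECTED' }

        $nsgName = $null
        if ($nic.NetworkSecurityGroup) { $nsgName = $nic.NetworkSecurityGroup.Id.Split('/')[-1] }

        [pscustomobject]@{
            Nic        = $nic.Name
            PrivateIp  = $nic.IpConfigurations[0].PrivateIpAddress
            Forwarding = $forwarding
            Nsg        = $nsgName
            Status     = $status
        }

        if ($Remediate -and $status -eq 'MISSING') {
            $nic.EnableIPForwarding = $true
            # Set-AzureRmNetworkInterface returns the updated NIC; verify the flag stuck
            $updated = Set-AzureRmNetworkInterface -NetworkInterface $nic
            if (-not $updated.EnableIPForwarding) {
                Write-Warning "IP forwarding on $($nic.Name) is still disabled after the update"
            }
        }
    }
}

# Usage (hypothetical names):
# Test-NvaIpForwarding -ResourceGroupName 'nva-rg' -NvaNicName 'nva-nic1','nva-nic2' | Format-Table
# Test-NvaIpForwarding -ResourceGroupName 'nva-rg' -NvaNicName 'nva-nic1','nva-nic2' -Remediate
```

Run it without -Remediate first and review the UNEXPECTED rows: a NIC that forwards but does not belong to the NVA is usually a leftover from an earlier experiment, and it should be disabled rather than ignored.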

Check whether traffic can be routed to the NVA

  1. Locate a VM that is configured to redirect traffic to the NVA.
  2. To check that the NVA is the next hop, run Tracert <Private IP of NVA> for Windows or Traceroute <Private IP of NVA>.
  3. If the NVA isn't listed as the next hop, check and update the Azure Stack Hub route tables.

Some guest-level operating systems might have firewall policies in place that block ICMP traffic. Update these firewall rules for the preceding commands to work.
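Step 3 says to check the route tables, and step 2 says to confirm the next hop from inside a guest. The PowerShell below is an added example, not code from the article, that does both: Find-NvaRoute lists every user-defined route in a resource group, marks the ones whose next hop is the NVA, and shows which subnets each route table is actually bound to (an unassociated route table is a common reason the NVA never appears as a hop); Test-FirstHopIsNva runs tracert on a Windows VM and checks that hop 1 is the NVA. It assumes an authenticated AzureRM session for the first function; the IP addresses and resource group name in the usage lines are hypothetical placeholders.

```powershell
# Added example (not from the original article): find every UDR whose next hop
# is the NVA and report the subnets each route table is associated with.
# Assumes an AzureRM session logged in to the Azure Stack Hub environment.
function Find-NvaRoute {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $NvaPrivateIp
    )

    foreach ($table in Get-AzureRmRouteTable -ResourceGroupName $ResourceGroupName) {
        # Subnet IDs are full resource IDs; keep only the subnet name
        $subnets = @($table.Subnets | ForEach-Object { $_.Id.Split('/')[-1] })
        # A route table with no subnet association never takes effect
        $bound = '(none - not applied)'
        if ($subnets.Count -gt 0) { $bound = $subnets -join ',' }

        foreach ($route in $table.Routes) {
            $toNva = ($route.NextHopType -eq 'VirtualAppliance') -and
                     ($route.NextHopIpAddress -eq $NvaPrivateIp)
            [pscustomobject]@{
                RouteTable = $table.Name
                Route      = $route.Name
                Prefix     = $route.AddressPrefix
                NextHop    = $route.NextHopType
                NextHopIp  = $route.NextHopIpAddress
                ViaNva     = $toNva
                Subnets    = $bound
            }
        }
    }
}

# Guest-side confirmation on a Windows VM: tracert prints hop lines such as
#   "  1    <1 ms    <1 ms    <1 ms  10.0.1.4"
# so the check is simply whether hop 1 contains the NVA's private IP.
function Test-FirstHopIsNva {
    param(
        [Parameter(Mandatory)] [string] $NvaPrivateIp,
        [Parameter(Mandatory)] [string] $Target
    )

    # -d: no DNS lookups, -h 3: three hops are enough, -w 1000: 1 s per probe
    $lines = tracert -d -h 3 -w 1000 $Target
    $hop1  = $lines | Where-Object { $_ -match '^\s*1\s' } | Select-Object -First 1
    return ($null -ne $hop1) -and ($hop1 -match [regex]::Escape($NvaPrivateIp))
}

# Usage (hypothetical values):
# Find-NvaRoute -ResourceGroupName 'nva-rg' -NvaPrivateIp '10.0.1.4' | Format-Table
# Test-FirstHopIsNva -NvaPrivateIp '10.0.1.4' -Target '10.0.2.5'
```

If Test-FirstHopIsNva returns False while Find-NvaRoute shows a correct, associated route, hop 1 is probably printed as asterisks because the NVA drops the ICMP time-exceeded replies, which is the guest firewall case the paragraph above describes.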

Check whether traffic can reach the NVA

  1. Locate a VM that should have connectivity to the NVA.
  2. Check whether any network security groups (NSGs) block traffic. For Windows, run ping (ICMP) or Test-NetConnection <Private IP of NVA> (TCP). For Linux, run Tcpping <Private IP of NVA>.
  3. If your NSGs block traffic, modify them to allow traffic.

Check whether the NVA and VMs are listening for expected traffic

  1. Connect to the NVA by using RDP or SSH, and then run the following command:

    Windows

    netstat -an
    

    Linux

    netstat -an | grep -i listen
    
  2. Look in the results for the TCP ports used by the NVA software. If you don't see them, configure the application on the NVA and VM to listen for and respond to traffic that reaches those ports. Contact the NVA vendor for assistance.
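The two preceding sections (reachability through NSGs, and listeners on the NVA) are usually checked together, because a failed TCP probe can mean either. The PowerShell below is an added example, not code from the article: Test-NvaReachability runs from a client VM and combines an ICMP probe with a TCP probe per port so that "ICMP filtered but TCP fine" is distinguished from "TCP blocked"; Test-ExpectedListener runs on the NVA or VM itself and compares the listening sockets (the same data netstat -an shows) with the ports the NVA software is supposed to use, including which address each is bound to. The addresses and port numbers in the usage lines are hypothetical placeholders.

```powershell
# Added example (not from the original article): client-side reachability probe
# for the NVA. ICMP and TCP are tested separately because a guest firewall that
# drops ICMP would otherwise look like a network path or NSG problem.
function Test-NvaReachability {
    param(
        [Parameter(Mandatory)] [string] $NvaPrivateIp,
        [Parameter(Mandatory)] [int[]]  $Port
    )

    $icmp = Test-Connection -ComputerName $NvaPrivateIp -Count 2 -Quiet -ErrorAction SilentlyContinue
    foreach ($p in $Port) {
        $r = Test-NetConnection -ComputerName $NvaPrivateIp -Port $p -WarningAction SilentlyContinue

        $hint = ''
        if ($icmp -and -not $r.TcpTestSucceeded)     { $hint = 'check NSG rules and the NVA listener' }
        elseif (-not $icmp -and $r.TcpTestSucceeded) { $hint = 'ICMP filtered by guest firewall, TCP fine' }

        [pscustomobject]@{
            Target   = $NvaPrivateIp
            Port     = $p
            IcmpOk   = [bool] $icmp
            TcpOk    = $r.TcpTestSucceeded
            SourceIp = $r.SourceAddress.IPAddress
            Hint     = $hint
        }
    }
}

# Run this one on the NVA (or the VM) itself: compare the listening TCP sockets
# with the expected ports and show the bound address and owning process.
function Test-ExpectedListener {
    param([Parameter(Mandatory)] [int[]] $ExpectedPort)

    foreach ($p in $ExpectedPort) {
        $bound = @(Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue)
        # 0.0.0.0 / :: means all interfaces; a specific address means only that NIC,
        # which matters on a multi-NIC NVA where traffic arrives on NIC2.
        $addresses = @($bound | Select-Object -ExpandProperty LocalAddress | Sort-Object -Unique)
        $processes = @($bound | ForEach-Object {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } | Sort-Object -Unique)

        [pscustomobject]@{
            Port      = $p
            Listening = ($bound.Count -gt 0)
            BoundTo   = ($addresses -join ',')
            Process   = ($processes -join ',')
        }
    }
}

# Usage (hypothetical values):
# Test-NvaReachability -NvaPrivateIp '10.0.1.4' -Port 22,443,8443 | Format-Table
# Test-ExpectedListener -ExpectedPort 22,443,8443 | Format-Table   # on the NVA
```

A port that shows Listening = True on the NVA but TcpOk = False from the client, with IcmpOk = True, points at an NSG or the NVA's own host firewall; a port that is not listening at all is an application configuration problem for the NVA vendor.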

Check NVA performance

Validate VM CPU usage

If CPU usage gets close to 100 percent, you might experience problems that cause network packet drops.

During a CPU spike, investigate which process on the guest VM is causing the high CPU usage. Then mitigate the usage if possible.

You might also need to resize the VM to a larger SKU, or, for a virtual machine scale set, increase the instance count.

If you need assistance, contact the NVA vendor.

Validate VM network statistics

If the VM's network usage spikes or shows periods of high usage, consider increasing the VM's SKU size to get higher throughput.
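The two checks above (CPU near 100 percent, and NIC throughput or discards during busy periods) can be sampled in one pass on a Windows NVA or VM. The PowerShell below is an added example, not code from the article: it collects the standard Windows performance counters for total CPU, per-NIC throughput, and discarded packets over a sampling window, and when the CPU maximum crosses a threshold it names the processes that consumed the most CPU time between two snapshots. The threshold and window length are hypothetical defaults.

```powershell
# Added example (not from the original article): sample CPU, NIC throughput and
# discarded packets on a Windows NVA/VM and name the busiest processes when the
# CPU maximum crosses a threshold. Uses only built-in Windows counters.
function Get-NvaLoadSample {
    param(
        [int] $Seconds        = 30,   # hypothetical default sampling window
        [int] $CpuWarnPercent = 85    # hypothetical default threshold
    )

    $counters = @(
        '\Processor(_Total)\% Processor Time',
        '\Network Interface(*)\Bytes Total/sec',
        '\Network Interface(*)\Packets Received Discarded',
        '\Network Interface(*)\Packets Outbound Discarded'
    )
    $samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds

    $cpu = $samples.CounterSamples |
        Where-Object Path -like '*% Processor Time' |
        Measure-Object -Property CookedValue -Average -Maximum

    # Peak throughput per NIC, converted from bytes/sec to Mbit/s
    $net = $samples.CounterSamples |
        Where-Object Path -like '*Bytes Total/sec' |
        Group-Object InstanceName |
        ForEach-Object {
            $peak = ($_.Group | Measure-Object -Property CookedValue -Maximum).Maximum
            [pscustomobject]@{ Nic = $_.Name; PeakMbps = [math]::Round($peak * 8 / 1MB, 1) }
        }

    # The discard counters are cumulative since boot, so the last sample is the
    # total; a value that keeps rising between runs is the signal to look for.
    $discards = ($samples.CounterSamples |
        Where-Object Path -like '*Discarded' |
        Measure-Object -Property CookedValue -Sum).Sum

    $topProcs = @()
    if ($cpu.Maximum -ge $CpuWarnPercent) {
        # Two snapshots of per-process CPU seconds; the largest delta is the busiest process
        $t0 = Get-Process | Where-Object { $null -ne $_.CPU } | Select-Object Id, ProcessName, CPU
        Start-Sleep -Seconds 2
        $t1 = Get-Process | Where-Object { $null -ne $_.CPU } | Select-Object Id, ProcessName, CPU
        $topProcs = $t1 | ForEach-Object {
            $before = $t0 | Where-Object Id -eq $_.Id
            if ($before) {
                [pscustomobject]@{
                    Process         = $_.ProcessName
                    CpuSecondsDelta = [math]::Round($_.CPU - $before.CPU, 2)
                }
            }
        } | Sort-Object CpuSecondsDelta -Descending | Select-Object -First 5
    }

    [pscustomobject]@{
        CpuAvgPercent = [math]::Round($cpu.Average, 1)
        CpuMaxPercent = [math]::Round($cpu.Maximum, 1)
        NicPeak       = $net
        DiscardedSum  = $discards
        TopProcesses  = $topProcs
    }
}

# Usage: run during the period when users report drops, then inspect the fields
# $s = Get-NvaLoadSample -Seconds 60
# $s.NicPeak | Format-Table; $s.TopProcesses | Format-Table
```

A sustained CpuMaxPercent near 100 with the NVA's own process at the top of TopProcesses is the case the article describes, and the remedy is a larger SKU or more scale set instances; a high CpuMaxPercent caused by an unrelated process is something to fix in the guest first.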

Advanced network administrator troubleshooting

Capture a network trace

While you run PsPing or Nmap, capture a simultaneous network trace on the source and destination VMs and on the NVA. Then stop the trace.

  1. To capture a simultaneous network trace, run the following command:

    Windows

    netsh trace start capture=yes tracefile=c:\server_IP.etl scenario=netconnection
    

    Linux

    sudo tcpdump -s0 -i eth0 -X -w vmtrace.cap
    
  2. Use PsPing or Nmap from the source VM to the destination VM. Examples are PsPing 10.0.0.4:80 or Nmap -p 80 10.0.0.4.

  3. Open the network trace from the destination VM by using tcpdump or a packet analyzer of your choice. Apply a display filter for the IP of the source VM you ran PsPing or Nmap from. A Windows netmon example is IPv4.address==10.0.0.4. A Linux example is tcpdump -nn -r vmtrace.cap src and dst host 10.0.0.4.
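Steps 1 to 3 above are one sequence: start the capture, send the probe, stop the capture, then open the file with a filter on the probing VM's address. The PowerShell below is an added example, not code from the article, that runs that sequence on a Windows source VM from a single function: it starts the netsh trace with the same arguments the article uses, sends TCP probes with Test-NetConnection (PsPing or Nmap can be substituted in the probe line), always stops the trace even if a probe throws, and converts the .etl to .pcapng with Microsoft's etl2pcapng tool when it is on PATH so the file opens in an ordinary packet analyzer. The destination address, port and trace path are hypothetical placeholders, and netsh trace requires an elevated session.

```powershell
# Added example (not from the original article): capture, probe, stop, convert,
# all from one elevated PowerShell session on the Windows source VM.
function Invoke-NvaProbeCapture {
    param(
        [Parameter(Mandatory)] [string] $DestinationIp,
        [int]    $Port      = 80,                      # hypothetical default
        [int]    $Probes    = 5,
        [string] $TraceFile = 'C:\traces\probe.etl'    # hypothetical path
    )

    New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

    # Start the capture before any probe packet leaves (article step 1);
    # scenario=netconnection also records the TCP/IP stack's own events.
    netsh trace start capture=yes tracefile=$TraceFile scenario=netconnection | Out-Null
    try {
        # Article step 2: probe from source to destination. PsPing/Nmap could be
        # called here instead; Test-NetConnection is built in and returns objects.
        $results = 1..$Probes | ForEach-Object {
            Test-NetConnection -ComputerName $DestinationIp -Port $Port -WarningAction SilentlyContinue
        }
    }
    finally {
        # The stop command is not shown in the article's step 1; without it the
        # trace keeps growing until the session ends.
        netsh trace stop | Out-Null
    }

    # Optional: convert to pcapng so tcpdump/Wireshark can read it (article step 3)
    $pcap = $null
    if (Get-Command etl2pcapng -ErrorAction SilentlyContinue) {
        $pcap = [IO.Path]::ChangeExtension($TraceFile, 'pcapng')
        etl2pcapng $TraceFile $pcap | Out-Null
    }

    [pscustomobject]@{
        Destination   = "$DestinationIp`:$Port"
        Succeeded     = @($results | Where-Object TcpTestSucceeded).Count
        Failed        = @($results | Where-Object { -not $_.TcpTestSucceeded }).Count
        EtlFile       = $TraceFile
        PcapFile      = $pcap
        # Filter to apply in the analyzer on the destination side, matching step 3
        DisplayFilter = "ip.addr == $DestinationIp"
    }
}

# Usage (hypothetical values), from an elevated prompt on the source VM:
# Invoke-NvaProbeCapture -DestinationIp '10.0.0.4' -Port 80 -Probes 5
```

Start the equivalent tcpdump capture on the NVA and on the destination VM before calling the function, so that the same probe packets can be followed across all three traces; the Failed count tells you how many probes to look for that never produced a reply.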

Analyze traces

If you don't see packets come into the back-end VM trace, an NSG or UDR is likely interfering, or the NVA routing tables are incorrect.

If you see packets come in but no response, you might need to address a problem with a VM application or firewall.

If you need assistance, contact the NVA vendor.

Create a support ticket

If the preceding steps don't resolve your problem, create a support ticket and use the on-demand log collection tool to provide logs.