Verifying ExpressRoute connectivity

This article helps you verify and troubleshoot ExpressRoute connectivity. ExpressRoute extends an on-premises network into the Microsoft cloud over a private connection that is commonly facilitated by a connectivity provider. ExpressRoute connectivity traditionally involves three distinct network zones, as follows:

  • Customer Network
  • Provider Network
  • Microsoft Datacenter

Note

In the ExpressRoute direct connectivity model (offered at 10/100 Gbps bandwidth), customers can connect directly to the ports of Microsoft Enterprise Edge (MSEE) routers. Therefore, in the direct connectivity model, there are only customer and Microsoft network zones.

The purpose of this document is to help users identify if and where a connectivity issue exists, and thereby to help them seek support from the appropriate team to resolve it. If Microsoft support is needed to resolve an issue, open a support ticket with Microsoft Support.

Important

This document is intended to help diagnose and fix simple issues. It is not intended to be a replacement for Microsoft support. Open a support ticket with Microsoft Support if you are unable to solve the problem using the guidance provided.

Overview

The following diagram shows the logical connectivity of a customer network to the Microsoft network using ExpressRoute.

[Diagram: logical connectivity of a customer network to the Microsoft network over ExpressRoute]

In the preceding diagram, the numbers indicate key network points. These network points are referenced in this article at times by their associated number. Depending on the ExpressRoute connectivity model (Cloud Exchange Co-location, Point-to-Point Ethernet Connection, or Any-to-any (IPVPN)), network points 3 and 4 may be switches (Layer 2 devices) or routers (Layer 3 devices). In the direct connectivity model, there are no network points 3 and 4; instead, CEs (2) are directly connected to MSEEs via dark fiber. The key network points illustrated are as follows:

  1. Customer compute device (for example, a server or PC)
  2. CEs: Customer edge routers
  3. PEs (CE facing): Provider edge routers/switches that face customer edge routers. Referred to as PE-CEs in this document.
  4. PEs (MSEE facing): Provider edge routers/switches that face MSEEs. Referred to as PE-MSEEs in this document.
  5. MSEEs: Microsoft Enterprise Edge (MSEE) ExpressRoute routers
  6. Virtual Network (VNet) Gateway
  7. Compute device on the Azure VNet

If the Cloud Exchange Co-location, Point-to-Point Ethernet, or direct connectivity models are used, CEs (2) establish BGP peering with MSEEs (5).

If the Any-to-any (IPVPN) connectivity model is used, PE-MSEEs (4) establish BGP peering with MSEEs (5). PE-MSEEs propagate the routes received from Microsoft back to the customer network via the IPVPN service provider network.

Note

For high availability, Microsoft establishes fully redundant parallel connectivity between the MSEE (5) and PE-MSEE (4) pairs. A fully redundant parallel network path is also encouraged between the customer network and the PE-CE pair. For more information regarding high availability, see the article Designing for high availability with ExpressRoute.

The following are the logical steps in troubleshooting an ExpressRoute circuit:

Verify circuit provisioning and state

Provisioning an ExpressRoute circuit establishes redundant Layer 2 connections between CEs/PE-MSEEs (2)/(4) and MSEEs (5). For more information on how to create, modify, provision, and verify an ExpressRoute circuit, see the article Create and modify an ExpressRoute circuit.

Tip

A service key uniquely identifies an ExpressRoute circuit. Should you need assistance from Microsoft or from an ExpressRoute partner to troubleshoot an ExpressRoute issue, provide the service key to readily identify the circuit.

Verification via the Azure portal

In the Azure portal, open the ExpressRoute circuit blade. In the blade, the ExpressRoute essentials are listed as shown in the following screenshot:

[Screenshot: ExpressRoute essentials in the Azure portal]

In the ExpressRoute Essentials, Circuit status indicates the status of the circuit on the Microsoft side. Provider status indicates whether the circuit has been Provisioned or Not provisioned on the service-provider side.

For an ExpressRoute circuit to be operational, the Circuit status must be Enabled and the Provider status must be Provisioned.

Note

After configuring an ExpressRoute circuit, if the Circuit status is stuck in the Not enabled state, contact Microsoft Support. On the other hand, if the Provider status is stuck in the Not provisioned state, contact your service provider.

Verification via PowerShell

To list all the ExpressRoute circuits in a Resource Group, use the following command:

Get-AzExpressRouteCircuit -ResourceGroupName "Test-ER-RG"

Tip

If you are looking for the name of a resource group, you can get it by listing all the resource groups in your subscription with the command Get-AzResourceGroup.

To select a particular ExpressRoute circuit in a Resource Group, use the following command:

Get-AzExpressRouteCircuit -ResourceGroupName "Test-ER-RG" -Name "Test-ER-Ckt"

A sample response is:

Name                             : Test-ER-Ckt
ResourceGroupName                : Test-ER-RG
Location                         : chinaeast2
Id                               : /subscriptions/***************************/resourceGroups/Test-ER-RG/providers/***********/expressRouteCircuits/Test-ER-Ckt
Etag                             : W/"################################"
ProvisioningState                : Succeeded
Sku                              : {
                                     "Name": "Standard_UnlimitedData",
                                     "Tier": "Standard",
                                     "Family": "UnlimitedData"
                                       }
CircuitProvisioningState         : Enabled
ServiceProviderProvisioningState : Provisioned
ServiceProviderNotes             : 
ServiceProviderProperties        : {
                                     "ServiceProviderName": "****",
                                     "PeeringLocation": "******",
                                     "BandwidthInMbps": 100
                                       }
ServiceKey                       : **************************************
Peerings                         : []
Authorizations                   : []

To confirm whether an ExpressRoute circuit is operational, pay particular attention to the following fields:

CircuitProvisioningState         : Enabled
ServiceProviderProvisioningState : Provisioned

Note

After configuring an ExpressRoute circuit, if the Circuit status is stuck in the Not enabled state, contact Microsoft Support. On the other hand, if the Provider status is stuck in the Not provisioned state, contact your service provider.

Validate Peering Configuration

After the service provider has completed provisioning the ExpressRoute circuit, multiple eBGP-based routing configurations can be created over the ExpressRoute circuit between CEs/MSEE-PEs (2)/(4) and MSEEs (5). Each ExpressRoute circuit can have: Azure private peering (traffic to private virtual networks in Azure), and/or Microsoft peering (traffic to public endpoints of PaaS and SaaS). For more information on how to create and modify routing configuration, see the article Create and modify routing for an ExpressRoute circuit.

Verification via the Azure portal

Note

In the IPVPN connectivity model, service providers are responsible for configuring the peerings (Layer 3 services). In such a model, if the peering is blank in the portal after the service provider has configured it, try refreshing the circuit configuration using the refresh button on the portal. This operation pulls the current routing configuration from your circuit.

In the Azure portal, the status of an ExpressRoute circuit peering can be checked under the ExpressRoute circuit blade. In the blade, the ExpressRoute peerings are listed as shown in the following screenshot:

[Screenshot: ExpressRoute peerings in the Azure portal]

In the preceding example, Azure private peering is provisioned, whereas Azure public and Microsoft peerings are not provisioned. A successfully provisioned peering context also has the primary and secondary point-to-point subnets listed. The /30 subnets are used for the interface IP addresses of the MSEEs and CEs/PE-MSEEs. For the peerings that are provisioned, the listing also indicates who last modified the configuration.

Note

If enabling a peering fails, check whether the primary and secondary subnets assigned match the configuration on the linked CE/PE-MSEE. Also check whether the correct VlanId, AzureASN, and PeerASN are used on the MSEEs and whether these values map to the ones used on the linked CE/PE-MSEE. If MD5 hashing is chosen, the shared key should be the same on the MSEE and PE-MSEE/CE pair. A previously configured shared key is not displayed, for security reasons. Should you need to change any of these configurations on an MSEE router, refer to Create and modify routing for an ExpressRoute circuit.

Note

On a /30 subnet assigned for an interface, Microsoft picks the second usable IP address of the subnet for the MSEE interface. Therefore, ensure that the first usable IP address of the subnet has been assigned on the peered CE/PE-MSEE.

Verification via PowerShell

To get the Azure private peering configuration details, use the following commands:

$ckt = Get-AzExpressRouteCircuit -ResourceGroupName "Test-ER-RG" -Name "Test-ER-Ckt"
Get-AzExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" -ExpressRouteCircuit $ckt

A sample response, for a successfully configured private peering, is:

Name                       : AzurePrivatePeering
Id                         : /subscriptions/***************************/resourceGroups/Test-ER-RG/providers/***********/expressRouteCircuits/Test-ER-Ckt/peerings/AzurePrivatePeering
Etag                       : W/"################################"
PeeringType                : AzurePrivatePeering
AzureASN                   : 12076
PeerASN                    : 123##
PrimaryPeerAddressPrefix   : 172.16.0.0/30
SecondaryPeerAddressPrefix : 172.16.0.4/30
PrimaryAzurePort           : 
SecondaryAzurePort         : 
SharedKey                  : 
VlanId                     : 200
MicrosoftPeeringConfig     : null
ProvisioningState          : Succeeded

A successfully enabled peering context has the primary and secondary address prefixes listed. The /30 subnets are used for the interface IP addresses of the MSEEs and CEs/PE-MSEEs.

To get the Azure public peering configuration details, use the following commands:

$ckt = Get-AzExpressRouteCircuit -ResourceGroupName "Test-ER-RG" -Name "Test-ER-Ckt"
Get-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -ExpressRouteCircuit $ckt

To get the Microsoft peering configuration details, use the following commands:

$ckt = Get-AzExpressRouteCircuit -ResourceGroupName "Test-ER-RG" -Name "Test-ER-Ckt"
Get-AzExpressRouteCircuitPeeringConfig -Name "MicrosoftPeering" -ExpressRouteCircuit $ckt

If a peering is not configured, the command returns an error message. A sample response, when the stated peering (Azure public peering in this example) is not configured within the circuit:

    Get-AzExpressRouteCircuitPeeringConfig : Sequence contains no matching element
    At line:1 char:1
        + Get-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering ...
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            + CategoryInfo          : CloseError: (:) [Get-AzExpr...itPeeringConfig], InvalidOperationException
            + FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.GetAzureExpressRouteCircuitPeeringConfigCommand

Note

If enabling a peering fails, check whether the primary and secondary subnets assigned match the configuration on the linked CE/PE-MSEE. Also check whether the correct VlanId, AzureASN, and PeerASN are used on the MSEEs and whether these values map to the ones used on the linked CE/PE-MSEE. If MD5 hashing is chosen, the shared key should be the same on the MSEE and PE-MSEE/CE pair. A previously configured shared key is not displayed, for security reasons. Should you need to change any of these configurations on an MSEE router, refer to Create and modify routing for an ExpressRoute circuit.

Note

On a /30 subnet assigned for an interface, Microsoft picks the second usable IP address of the subnet for the MSEE interface. Therefore, ensure that the first usable IP address of the subnet has been assigned on the peered CE/PE-MSEE.
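
The peering checks from the two notes above, as an added example that is not part of the original article: it derives the CE and MSEE interface addresses from each /30 prefix and compares VlanId, PeerASN and AzureASN with the CE side. The $Ce hashtable and its key names, the function names and the sample ASN 65010 are assumptions made for this example.

```powershell
# Added example, not from the original article. $Peering has the shape of the
# sample response above; $Ce is a hypothetical hashtable describing what is
# configured on the CE/PE-MSEE (key names are assumptions for this example).

function Get-PeeringInterfaceAddress {
    param([Parameter(Mandatory)][string]$Prefix)
    $addr, $len = $Prefix -split '/'
    $octets = [int[]]($addr -split '\.')
    if ($octets.Count -ne 4 -or [int]$len -ne 30) { throw "Expected an IPv4 /30, got '$Prefix'" }
    if ($octets[3] % 4 -ne 0) { throw "'$Prefix' is not aligned on a /30 boundary" }
    $head = $octets[0..2] -join '.'
    [pscustomobject]@{
        CustomerSide = "$head.$($octets[3] + 1)"   # first usable address (CE/PE-MSEE)
        MseeSide     = "$head.$($octets[3] + 2)"   # second usable address (MSEE)
    }
}

function Test-PeeringAgainstCe {
    param(
        [Parameter(Mandatory)][object]$Peering,
        [Parameter(Mandatory)][hashtable]$Ce
    )
    $findings = @()
    if ($Peering.VlanId -ne $Ce.VlanId) {
        $findings += "VlanId: Azure=$($Peering.VlanId), CE=$($Ce.VlanId)"
    }
    if ($Peering.PeerASN -ne $Ce.LocalAsn) {
        $findings += "PeerASN: Azure=$($Peering.PeerASN), CE local AS=$($Ce.LocalAsn)"
    }
    if ($Peering.AzureASN -ne $Ce.RemoteAsn) {
        $findings += "AzureASN: Azure=$($Peering.AzureASN), CE remote AS=$($Ce.RemoteAsn)"
    }
    foreach ($path in 'Primary', 'Secondary') {
        $prop = "${path}PeerAddressPrefix"
        $ifc  = Get-PeeringInterfaceAddress -Prefix $Peering.$prop
        $ceIp = $Ce["${path}Ip"]
        if ($ceIp -ne $ifc.CustomerSide) {
            $findings += "$path link: CE uses $ceIp, expected $($ifc.CustomerSide) (MSEE is $($ifc.MseeSide))"
        }
    }
    $findings   # empty when the CE side agrees with the peering configuration
}

# Constructed sample data. In practice $peering comes from
# Get-AzExpressRouteCircuitPeeringConfig as shown above.
$peering = [pscustomobject]@{
    AzureASN = 12076; PeerASN = 65010; VlanId = 200
    PrimaryPeerAddressPrefix   = '172.16.0.0/30'
    SecondaryPeerAddressPrefix = '172.16.0.4/30'
}
# The secondary CE interface was deliberately given the MSEE's address.
$ce = @{ VlanId = 200; LocalAsn = 65010; RemoteAsn = 12076
         PrimaryIp = '172.16.0.1'; SecondaryIp = '172.16.0.6' }

Test-PeeringAgainstCe -Peering $peering -Ce $ce
```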

Validate ARP

The ARP table provides a mapping of the IP address and MAC address for a particular peering. The ARP table for an ExpressRoute circuit peering provides the following information for each interface (primary and secondary):

  • Mapping of the on-premises router interface IP address to the MAC address
  • Mapping of the ExpressRoute router interface IP address to the MAC address
  • Age of the mapping

ARP tables can help validate Layer 2 configuration and troubleshoot basic Layer 2 connectivity issues.

See the document Getting ARP tables in the Resource Manager deployment model for how to view the ARP table of an ExpressRoute peering and how to use the information to troubleshoot Layer 2 connectivity issues.

Validate BGP and routes on the MSEE

To get the routing table from the MSEE on the Primary path for the Private routing context, use the following command:

Get-AzExpressRouteCircuitRouteTable -DevicePath Primary -ExpressRouteCircuitName ******* -PeeringType AzurePrivatePeering -ResourceGroupName ****

An example response is:

Network : 10.1.0.0/16
NextHop : 10.17.17.141
LocPrf  : 
Weight  : 0
Path    : 65515

Network : 10.1.0.0/16
NextHop : 10.17.17.140*
LocPrf  : 
Weight  : 0
Path    : 65515

Network : 10.2.20.0/25
NextHop : 172.16.0.1
LocPrf  : 
Weight  : 0
Path    : 123##

Note

If the state of an eBGP peering between an MSEE and a CE/PE-MSEE is Active or Idle, check whether the primary and secondary peer subnets assigned match the configuration on the linked CE/PE-MSEE. Also check whether the correct VlanId, AzureAsn, and PeerAsn are used on the MSEEs and whether these values map to the ones used on the linked PE-MSEE/CE. If MD5 hashing is chosen, the shared key should be the same on the MSEE and CE/PE-MSEE pair. Should you need to change any of these configurations on an MSEE router, refer to Create and modify routing for an ExpressRoute circuit.

Note

If certain destinations are not reachable over a peering, check the route table of the MSEEs for the corresponding peering context. If a matching prefix (which could be a NATed IP) is present in the routing table, check whether firewalls, NSGs, or ACLs on the path are blocking the traffic.

The following example shows the response of the command for a peering that does not exist:

Get-AzExpressRouteCircuitRouteTable : The BGP Peering AzurePublicPeering with Service Key ********************* is not found.
StatusCode: 400
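
An added example (not part of the original article) of the route-table check described in the note earlier in this section: it performs a longest-prefix match of a destination against route entries shaped like the Get-AzExpressRouteCircuitRouteTable response. The function names, the sample routes and the path value 65010 are constructed for this example.

```powershell
# Added example, not from the original article: longest-prefix match of a
# destination against MSEE route entries (objects with Network, NextHop, Path).

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Ip)
    $o = [long[]]($Ip -split '\.')
    if ($o.Count -ne 4 -or ($o | Where-Object { $_ -lt 0 -or $_ -gt 255 })) {
        throw "Not an IPv4 address: '$Ip'"
    }
    ($o[0] * 16777216) + ($o[1] * 65536) + ($o[2] * 256) + $o[3]
}

function Find-MatchingRoute {
    param(
        [Parameter(Mandatory)][object[]]$RouteTable,
        [Parameter(Mandatory)][string]$Destination
    )
    $dest = ConvertTo-IPv4Number -Ip $Destination
    $RouteTable | ForEach-Object {
        $net, $len = $_.Network -split '/'
        $size = [long][math]::Pow(2, 32 - [int]$len)   # addresses in the prefix
        $base = ConvertTo-IPv4Number -Ip $net
        # Same block of $size addresses means the prefix covers the destination.
        if (($dest - ($dest % $size)) -eq ($base - ($base % $size))) {
            [pscustomobject]@{
                Network = $_.Network; NextHop = $_.NextHop
                Path = $_.Path; PrefixLength = [int]$len
            }
        }
    } | Sort-Object -Property PrefixLength -Descending   # most specific first
}

# Constructed sample input modelled on the example response above. In practice,
# pass the output of Get-AzExpressRouteCircuitRouteTable instead.
$routes = @(
    [pscustomobject]@{ Network = '10.1.0.0/16';  NextHop = '10.17.17.141'; Path = '65515' }
    [pscustomobject]@{ Network = '10.2.0.0/16';  NextHop = '172.16.0.1';   Path = '65010' }
    [pscustomobject]@{ Network = '10.2.20.0/25'; NextHop = '172.16.0.1';   Path = '65010' }
)

# A destination covered by a prefix: if it is still unreachable, look at
# firewalls, NSGs and ACLs on the path.
Find-MatchingRoute -RouteTable $routes -Destination '10.2.20.77'

# A destination with no covering prefix: the MSEE has no route for it, so the
# problem is route advertisement rather than filtering.
$noRoute = Find-MatchingRoute -RouteTable $routes -Destination '10.9.0.5'
if (-not $noRoute) { 'No route on the MSEE for 10.9.0.5' }
```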

Confirm the traffic flow

To get the combined primary and secondary path traffic statistics (bytes in and out) of a peering context, use the following command:

Get-AzureDedicatedCircuitStats -ServiceKey 97f85950-01dd-4d30-a73c-bf683b3a6e5c -AccessType Private

A sample output of the command is:

PrimaryBytesIn PrimaryBytesOut SecondaryBytesIn SecondaryBytesOut
-------------- --------------- ---------------- -----------------
     240780020       239863857        240565035         239628474

A sample output of the command for a non-existent peering is:

Get-AzExpressRouteCircuitRouteTable : The BGP Peering AzurePublicPeering with Service Key ********************* is not found.
StatusCode: 400

Next Steps

For more information or help, check out the following links: