Network virtual appliance issues in Azure

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

You may experience VM or VPN connectivity issues and errors when using a third-party Network Virtual Appliance (NVA) in Azure. This article provides basic steps to help you validate the Azure platform requirements that every NVA configuration depends on.

Technical support for third-party NVAs and their integration with the Azure platform is provided by the NVA vendor.

Note

If you have a connectivity or routing problem that involves an NVA, contact the vendor of the NVA directly.

If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and CSDN. You can post your issue in these forums, or you can submit an Azure support request from the Azure support page.

Checklist for troubleshooting with the NVA vendor

  • Software updates for the NVA VM software
  • Service account setup and functionality
  • User-defined routes (UDRs) on virtual network subnets that direct traffic to the NVA
  • UDRs on virtual network subnets that direct traffic from the NVA
  • Routing tables and rules within the NVA (for example, from NIC1 to NIC2)
  • Tracing on the NVA NICs to verify that network traffic is received and sent
  • When using a Standard SKU public IP, an NSG must exist with an explicit rule that allows the traffic to be routed to the NVA.

Basic troubleshooting steps

  • Check the basic configuration
  • Check NVA performance
  • Advanced network troubleshooting

Check the minimum configuration requirements for NVAs on Azure

Each NVA has basic configuration requirements to function correctly on Azure. The following sections provide the steps to verify these basic configurations. For more information, contact the vendor of the NVA.

Check whether IP forwarding is enabled on the NVA

Use the Azure portal

  1. Locate the NVA resource in the Azure portal, select Networking, and then select the network interface.
  2. On the Network interface page, select IP configurations.
  3. Make sure that IP forwarding is enabled.

Use PowerShell

  1. Open PowerShell and sign in to your Azure account (Connect-AzAccount).

  2. Run the following command (replace the bracketed values with your information):

    Get-AzNetworkInterface -ResourceGroupName <ResourceGroupName> -Name <NicName>
    
  3. Check the EnableIPForwarding property.

  4. If IP forwarding is not enabled, run the following commands to enable it and confirm the change:

    $nic2 = Get-AzNetworkInterface -ResourceGroupName <ResourceGroupName> -Name <NicName>
    $nic2.EnableIPForwarding = $true
    # Set-AzNetworkInterface returns the NIC as stored by the service; keep that copy
    $nic2 = Set-AzNetworkInterface -NetworkInterface $nic2
    # Inspect the updated NIC; the expected output includes:
    $nic2
    #   EnableIPForwarding   : True
    #   NetworkSecurityGroup : null
    
  A NetworkSecurityGroup value of null means no NSG is associated with the NIC. That is acceptable for a Basic SKU public IP, but for a Standard SKU public IP it means inbound traffic is dropped (see the next section).
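
The following PowerShell script, added here as an example and not part of the original article, extends the single-NIC commands above to every NIC attached to the NVA VM: it enables IP forwarding where it is off, re-reads each NIC from the service to confirm, and warns when a NIC has no NSG. The resource group and VM name are placeholders, and it assumes you have already run Connect-AzAccount with rights to modify the NICs. Note that this is the platform-side setting only; the guest OS must also be configured to forward packets between its interfaces (for example net.ipv4.ip_forward on a Linux appliance), which the NVA vendor's documentation covers.

```powershell
# Added example, not from the original article.
# Enable IP forwarding on every NIC of an NVA VM and confirm the result.
# Assumes Connect-AzAccount has already been run; the names below are placeholders.
$ResourceGroupName = 'rg-nva'   # placeholder
$VmName            = 'nva01'    # placeholder

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName

foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    # Resolve each NIC by resource ID: a NIC can live in a different resource group than the VM.
    $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id

    if ($nic.EnableIPForwarding) {
        Write-Host "$($nic.Name): IP forwarding already enabled"
    }
    else {
        Write-Host "$($nic.Name): IP forwarding disabled, enabling"
        $nic.EnableIPForwarding = $true
        # Set-AzNetworkInterface returns the NIC as stored by the service, so re-check that copy.
        $nic = Set-AzNetworkInterface -NetworkInterface $nic
        if (-not $nic.EnableIPForwarding) {
            throw "Failed to enable IP forwarding on $($nic.Name)"
        }
    }

    # No NIC-level NSG: if there is also no subnet NSG and the NIC carries a Standard SKU
    # public IP, inbound traffic is dropped (see the NSG section of the article).
    if ($null -eq $nic.NetworkSecurityGroup) {
        Write-Warning "$($nic.Name): no NSG associated with the NIC"
    }
}

# Platform-side IP forwarding is only half of it: the guest OS must forward too.
# On a Linux NVA, check on the appliance itself (not via Az) with:
#   sysctl net.ipv4.ip_forward     # expected: net.ipv4.ip_forward = 1
```

Run it once per NVA; it is idempotent, so re-running after a vendor upgrade or a redeployment is a cheap way to confirm the setting survived.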

Check for an NSG when using a Standard SKU public IP

When using a Standard SKU public IP, an NSG must exist (on the NIC or on its subnet) with an explicit rule that allows the traffic to the NVA. Standard SKU public IP addresses are secure by default: inbound traffic is blocked until an NSG rule allows it, so an NVA that worked with a Basic SKU public IP can silently stop receiving traffic after a move to a Standard SKU one.
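
As an added example (not from the original article), the following PowerShell reports the SKU of the public IP on the NVA's NIC, creates an NSG with one explicit inbound allow rule, attaches it to the NIC, and prints the effective inbound rules so you can see what the platform actually enforces. The names, location, port and source range are placeholders, and Connect-AzAccount is assumed to have been run. Scope the rule to the real peer range rather than Internet or *: with a Standard SKU public IP the NVA is unreachable until a rule allows traffic, and an over-broad rule exposes the appliance's management or service ports to the whole Internet.

```powershell
# Added example, not from the original article.
# Create an NSG with one explicit inbound allow rule, attach it to the NVA's NIC,
# and print the effective inbound rules. All names, the location, port and source
# range are placeholders; Connect-AzAccount is assumed to have been run.
$ResourceGroupName = 'rg-nva'
$Location          = 'eastus'
$NicName           = 'nva01-nic0'
$NsgName           = 'nsg-nva01'
$AllowedSource     = '203.0.113.0/24'   # placeholder: the client/peer range that must reach the NVA
$AllowedPort       = 443                # placeholder: the port the NVA service listens on

$nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName

# Report the SKU of the public IP on the primary IP configuration: only a Standard SKU
# public IP is closed by default, so this tells you whether a missing NSG explains the symptom.
$primaryCfg = $nic.IpConfigurations | Where-Object { $_.Primary } | Select-Object -First 1
if ($primaryCfg.PublicIpAddress) {
    $parts = $primaryCfg.PublicIpAddress.Id -split '/'
    $pipRg = $parts[[array]::IndexOf($parts, 'resourceGroups') + 1]
    $pip   = Get-AzPublicIpAddress -ResourceGroupName $pipRg -Name $parts[-1]
    Write-Host "Public IP $($pip.Name): SKU $($pip.Sku.Name), address $($pip.IpAddress)"
}

# One explicit allow rule, scoped to the known source range and port. Avoid
# -SourceAddressPrefix 'Internet' or '*' unless the service really is public; anything
# not matched here still hits the built-in DenyAllInbound rule.
$allowRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-NVA-Service-Inbound' `
    -Description "Allow $AllowedSource to NVA TCP/$AllowedPort" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $AllowedSource -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $AllowedPort

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Location $Location `
    -Name $NsgName -SecurityRules $allowRule

# Associate the NSG with the NIC and push the change.
$nic.NetworkSecurityGroup = $nsg
$nic = Set-AzNetworkInterface -NetworkInterface $nic

# Effective rules merge the NIC-level and subnet-level NSGs, which is what the platform enforces.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $NicName -ResourceGroupName $ResourceGroupName |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
```

If the effective-rules listing shows a subnet NSG with a higher-priority (lower number) deny rule, the NIC-level allow rule will not help; both NSGs must permit the flow.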

Check whether the traffic can be routed to the NVA

  1. In the Azure portal, open Network Watcher, and then select Next hop.
  2. Specify a VM that is configured to redirect traffic to the NVA, and a destination IP address for which to view the next hop.
  3. If the NVA is not listed as the next hop, check and update the Azure route tables.

Check whether the traffic can reach the NVA

  1. In the Azure portal, open Network Watcher, and then select IP flow verify.
  2. Specify the VM and the IP address of the NVA, and then check whether the traffic is blocked by any network security group (NSG).
  3. If an NSG rule blocks the traffic, locate the NSG in the effective security rules and update it to allow the traffic to pass. Then run IP flow verify again, and use Connection troubleshoot to test TCP communication from the VM to your internal or external IP address.
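
The Next hop and IP flow verify checks in the two sections above can also be run from PowerShell. The following script is an added example, not code from the original article: it resolves the VM's primary private IP, asks Network Watcher for the next hop toward the destination, verifies that an NSG allows the flow from the VM to the NVA, and lists the effective routes on the VM's NIC that point at a virtual appliance. Resource names and IP addresses are placeholders; the local port 50000 is an arbitrary ephemeral source port.

```powershell
# Added example, not from the original article.
# Run Network Watcher Next hop and IP flow verify for a VM whose subnet UDR
# should send traffic through an NVA. Names and addresses are placeholders.
$ResourceGroupName = 'rg-app'
$VmName            = 'app01'
$NvaPrivateIp      = '10.0.1.4'     # placeholder: the NVA's private IP, i.e. the UDR next hop
$DestinationIp     = '10.1.0.10'    # placeholder: an address that should be reached via the NVA
$DestinationPort   = 443

$vm  = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$sourceIp = ($nic.IpConfigurations | Where-Object { $_.Primary } | Select-Object -First 1).PrivateIpAddress
$nw  = Get-AzNetworkWatcher -Location $vm.Location

# 1. Next hop: the platform's routing decision for this source/destination pair.
$hop = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -SourceIPAddress $sourceIp -DestinationIPAddress $DestinationIp
Write-Host "Next hop: type=$($hop.NextHopType) ip=$($hop.NextHopIpAddress) routeTable=$($hop.RouteTableId)"
if ($hop.NextHopType -ne 'VirtualAppliance' -or $hop.NextHopIpAddress -ne $NvaPrivateIp) {
    Write-Warning "Traffic to $DestinationIp is not routed through the NVA; check the UDR on the VM's subnet."
}

# 2. IP flow verify: would the effective NSGs let the VM send to the NVA on this port?
$flow = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -Direction Outbound -Protocol TCP -LocalIPAddress $sourceIp -LocalPort 50000 `
    -RemoteIPAddress $NvaPrivateIp -RemotePort $DestinationPort
Write-Host "IP flow verify: $($flow.Access) (matched rule: $($flow.RuleName))"
if ($flow.Access -ne 'Allow') {
    Write-Warning "NSG rule '$($flow.RuleName)' blocks the flow from $VmName to the NVA."
}

# 3. Effective routes on the NIC: every route the platform applies, including UDRs.
#    Only routes whose next hop is a virtual appliance are shown here.
Get-AzEffectiveRouteTable -NetworkInterfaceName $nic.Name -ResourceGroupName $nic.ResourceGroupName |
    Where-Object { $_.NextHopType -eq 'VirtualAppliance' } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress, Source, State -AutoSize
```

The same two calls can be repeated with the NVA itself as the target VM and Direction Inbound to check the other half of the path, which is what the portal's IP flow verify does when you pick the NVA as the VM.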

Check whether the NVA and VMs are listening for the expected traffic

  1. Connect to the NVA by using RDP or SSH, and then run the following command:

    For Windows:

    netstat -an
    

    For Linux:

    netstat -an | grep -i listen
    
  2. If the TCP port used by the NVA software is not listed in the results, you must configure the application on the NVA and the VM to listen on and respond to traffic that reaches those ports. On Linux distributions that no longer ship netstat, the ss utility from iproute2 gives the same listening-socket listing. Contact the NVA vendor for assistance as needed.

Check NVA performance

Validate VM CPU

If CPU usage gets close to 100 percent, you may experience issues that cause network packet drops. The Azure portal reports the VM's average CPU over a selected time span, so short spikes can be hidden by the average. During a CPU spike, investigate which process on the guest VM is causing the high CPU and mitigate it if possible. You may also have to resize the VM to a larger SKU or, for a virtual machine scale set, increase the instance count or configure auto-scale on CPU usage. For either of these issues, contact the NVA vendor for assistance as needed.

Validate VM network statistics

If the VM's network use spikes or shows periods of high usage, you may also have to increase the SKU size of the VM to obtain higher throughput. You can also redeploy the VM with Accelerated Networking enabled. To verify whether the NVA supports Accelerated Networking, contact the NVA vendor for assistance as needed.
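
To check CPU and network load without the portal, the following PowerShell (an added example, not from the original article) pulls the VM's Percentage CPU and Network In/Out Total metrics from Azure Monitor for the last 24 hours at 5-minute resolution, uses the Maximum aggregation for CPU so that spikes the averaged portal chart would smooth out are visible, converts peak bytes per interval to Mbit/s for comparison with the SKU's documented bandwidth, and reports whether Accelerated Networking is enabled on each NIC. Names and the 90 percent threshold are placeholders.

```powershell
# Added example, not from the original article.
# Pull CPU and network metrics for an NVA VM and flag intervals near saturation.
# Names and the threshold are placeholders; Connect-AzAccount is assumed to have been run.
$ResourceGroupName = 'rg-nva'
$VmName            = 'nva01'
$CpuWarnPercent    = 90

$vm    = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName
$end   = Get-Date
$start = $end.AddHours(-24)
$grainSeconds = 300   # 5-minute intervals

# Peak CPU per interval (Maximum, not Average, so spikes are not smoothed away).
$cpu = Get-AzMetric -ResourceId $vm.Id -MetricName 'Percentage CPU' `
    -StartTime $start -EndTime $end -TimeGrain 00:05:00 -AggregationType Maximum
$hot = @($cpu.Data | Where-Object { $_.Maximum -ge $CpuWarnPercent })
Write-Host ("CPU >= {0}% in {1} of {2} intervals" -f $CpuWarnPercent, $hot.Count, @($cpu.Data).Count)
$hot | Select-Object TimeStamp, Maximum | Format-Table -AutoSize

# Total bytes in/out per interval; peak bytes * 8 / interval seconds gives peak bit rate.
$net = Get-AzMetric -ResourceId $vm.Id -MetricName 'Network In Total', 'Network Out Total' `
    -StartTime $start -EndTime $end -TimeGrain 00:05:00 -AggregationType Total
foreach ($m in $net) {
    $peakBytes = ($m.Data | Measure-Object -Property Total -Maximum).Maximum
    $mbps = [math]::Round(($peakBytes * 8) / $grainSeconds / 1e6, 2)
    Write-Host ("{0}: peak {1} Mbit/s averaged over a 5-minute interval" -f $m.Name.LocalizedValue, $mbps)
}

# Accelerated Networking state per NIC; confirm vendor support before enabling it.
foreach ($ref in $vm.NetworkProfile.NetworkInterfaces) {
    $nic = Get-AzNetworkInterface -ResourceId $ref.Id
    Write-Host ("{0}: AcceleratedNetworking={1}" -f $nic.Name, $nic.EnableAcceleratedNetworking)
}
```

A 5-minute total still averages bursts inside the interval, so a reported rate well below the SKU limit does not rule out short saturation; shorten the TimeGrain (down to PT1M) when the drops are intermittent.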

Advanced network administrator troubleshooting

Capture network trace

Capture a simultaneous network trace on the source VM, the NVA, and the destination VM while you run PsPing or Nmap, and then stop the trace (netsh trace stop on Windows, Ctrl+C for tcpdump).

  1. To capture a simultaneous network trace, run the following command on each machine:

    For Windows

    netsh trace start capture=yes tracefile=c:\server_IP.etl scenario=netconnection

    For Linux

    sudo tcpdump -s0 -i eth0 -X -w vmtrace.cap

  2. Use PsPing or Nmap from the source VM to the destination VM (for example: PsPing 10.0.0.4:80 or Nmap -p 80 10.0.0.4).

  3. Open the network trace from the destination VM by using Network Monitor or tcpdump. Apply a display filter for the IP address of the source VM you ran PsPing or Nmap from, such as IPv4.address==10.0.0.4 (Windows Network Monitor) or tcpdump -nn -r vmtrace.cap src or dst host 10.0.0.4 (Linux).

Analyze traces

If you do not see the packets arriving in the backend VM's trace, an NSG or UDR is likely interfering, or the NVA's routing tables are incorrect. Comparing the NVA's own trace narrows this down: packets that reach the NVA's ingress NIC but never leave its egress NIC point to IP forwarding (on the Azure NIC or in the guest OS) or to the NVA's internal routing, while packets that never reach the NVA point to the Azure route tables or NSGs in front of it.

If you see the packets arriving but no response, you may need to address a VM application or firewall issue. For either of these issues, contact the NVA vendor for assistance as needed.