Troubleshoot Network Connectivity for Virtual Machine
In this troubleshooting guide, we will focus on troubleshooting connectivity of a private IP address of a resource.
When working with Windows Software Defined Networking, there are three planes that you should be aware of:
- Management Plane: This is the management applications such as SCVMM, Windows Admin Center (WAC), Network Resource Provider (NRP), and PowerShell that are used to communicate with the Network Controller Northbound API (NB API) to manage and configure the resources within the SDN fabric.
- Control Plane: This is Network Controllers and the related micro-services. The micro-services within Network Controller are responsible for configuring and maintaining the goal state of the resources within the dataplane. The Southbound API (SB API) is used to detect configurations, discover devices, and gather other information about your network. In addition, the Network Controller uses this to push configuration changes that you make via the Management plane.
- Data Plane: This is the Hypervisor layer in which the resources are deployed and configured.
After deployment of your resource, we first need to check the provisioningState and configurationState of the resources within NC NB API.
- provisioningState: This is an indication of the state of the resource within Network Controller. If this resource provisioning failed, then investigation should be pursued within the control plane to understand why Network Controller was not able to allocate the resource.
- configurationState: This is the goal state reported by NCHostAgent to Network Controller. If this configuration state is reporting failures, then investigation would occur within the Dataplane to understand why NCHostAgent or Virtual Filtering Platform (VFP) was not able to program the resource.
Verify the resource with NetworkInterfaces is reporting Success
$resource = Get-SdnResource -NcUri https://ncnorthbound.sdn.lab -Resource NetworkInterfaces -ResourceId Contoso-VM1_Net_Adapter_0
$resource.properties
Verify the ipConfigurations are reporting Success for provisioningState and configurationState
$resource.properties.ipConfigurations
$resource.properties.ipConfigurations.properties
| ProvisioningState | ConfigurationState | Next Steps |
|---|---|---|
| Failed | -- | Examine Network Controller Logs |
| Success | Failed | Validate Data Plane |
To determine which hypervisor host to examine, look within properties field of the NetworkInterfaces object.
$resource.properties.server.resourceRefTaking this value, you can then cross-reference with the Servers
$server = Get-SdnResource -NcUri https://ncnorthbound.sdn.lab -ResourceRef $resource.properties.server.resourceRef
$server.properties.managementAddresses
NOTE: You may see multiple values returned under managementAddresses, as there will be a unique object for x509Certificate and UsernamePassword credential types. This may be FQDN or IPAddress of the hypervisor host used for management purposes.
Once you have located the hypervisor host that the virtual machine resides on that is using the network interface, connect to the host. Verify that the port profile settings are correct. If the settings are not correct, then Virtual Filtering Platform (VFP) will not be able to manage or configure policy for the adapter correctly.
If the MacAddress returned does not match what is in NetworkInterfaces for the resource, then you will need to use Hyper-V commands to update the MAC address.
# StaticMacAddress should match the MacAddress for the network interface within Network Controller
$adapter = Get-VMNetworkAdapter -VMName 'Contoso-VM1'
Set-VMNetworkAdapter -VMNetworkAdapter $adapter -StaticMacAddress '00-1D-D8-B7-1C-16'NOTE: If you have multiple adapters associated with the virtual machine, you will need to specify the specific adapter.
ProfileId should be the same as the InstanceID of the resource within NetworkInterfaces and ProfileData should be set to 1 (enabled). If the PortProfile or ProfileId are not set correctly, leverage Set-SdnVMNetworkAdapterPortProfile to configure this.
# ProfileId should match the instanceID value of the NetworkInterface object from Network Controller
Set-SdnVMNetworkAdapterPortProfile -VMName 'Contoso-VM1' -MacAddress 001DD8B71C16 -ProfileId 6b798741-5583-4fb5-a96e-a2eaf9a7ff8eCheck the VFP port state of the resource. This may include useful statistics related to port that is associated with the virtual network adapter, such as Bytes Sent/Received and Ingress/Egress counters. If you see an equal amount of traffic in/out, then it's an indication that traffic is flowing from a datapath perspective.
Get-SdnVfpVmSwitchPort -PortName CBCCB203-5576-4070-B1F1-B84E2F83CAF6Make sure the port is not blocked. You can enumerate the port state by using
Get-SdnVfpPortState -PortName CBCCB203-5576-4070-B1F1-B84E2F83CAF6If you see Blocked:True within the output, try and restart NcHostAgent service to see if that resolves the issue.
Restart-Service -Name NcHostAgent -ForceIf you made any changes in this section, you will want to re-check the configurationState of the network interface using the steps from Validate Control Plane to re-query the NB API.
Your virtual machine and corresponding operating system typically have no knowledge they are hosted on a hypervisor platform. This is critical to keep in mind, as normal boot operations such as DHCP are important for SDN to provide the appropriate network configuration to the guest OS. Post boot, the client OS should perform DORA as part of DHCP. In this scenario, a DHCP Proxy acts as a DHCP server within the vSwitch to perform the DORA process and provide the guest OS an IP address, in conjunction with other related configuration settings via DHCP Options.
See RFC 2131 for more details on DHCP.
- Ensure that the guest OS is fully booted and operational. If not, then troubleshoot the guest OS.
- Verify that the network interface within the guest OS is set to Dynamic (DHCP)
- Like Azure, you should not configure a static IP address within the virtual machine OS, unless for specific reasons. Even then, there are considerations that must be followed. See Configure IP addresses for an Azure network interface for additional guidance.
- Verify that the IP address is configured for the network adapter within the OS
- Ensure there are no firewall or anti-virus rules that would be blocking traffic