Network health script.

Author: princepereira

scripts/networkhealth/README.md

@@ -35,4 +35,30 @@ If the `-OutputMode` is set to `Event` or `All`, the script will register a new
     Example:
     kubectl logs -l name=networkhealth --all-containers=true >> networkhealth.txt
     Provide the generated networkhealth.txt
+```
+## Command to run startNetworkDiagnostics
+```
+Normal Execution: .\startNetworkDiagnostics.ps1 -TimeIntervalInSeconds 30 -PrintMatchedRules $true -PodNamePrefixes tcp-server,tcp-client
+
+Execution with DNS Packet Capture: .\startNetworkDiagnostics.ps1 -DnsPktCap $true
+
+Execution with DualStack Test: .\startNetworkDiagnostics.ps1 -DualStack $true
+
+Execution with Vfp Rule Counter Dump for Pods : .\startNetworkDiagnostics.ps1 -PodNamePrefixes tcp-client,tcp-server
+
+Execution with printing matched rule counter : .\startNetworkDiagnostics.ps1 -PodNamePrefixes tcp-client,tcp-server -PrintMatchedRules $true
+
+Execution with validate loadbalancer rules for Service IPS : .\startNetworkDiagnostics.ps1 -ServiceIPS "10.0.0.1,10.0.0.2"
+
+```
+
+## Command to run vfpDropCounterMetrics
+```
+.\vfpDropCounterMetrics.ps1 -TimeIntervalInSeconds 30 -PrintMatchedRules $true -PodNamePrefixes tcp-server,tcp-client
+```
+
+## DNS Health Check
+```
+Invoke-WebRequest https://raw.githubusercontent.com/microsoft/wcnscripts/2ea829ebaaf523cf58ef8e64120e54849eb4bd51/scripts/networkhealth/startNetworkDiagnostics.ps1 -OutFile startNetworkDiagnostics.ps1
+.\startNetworkDiagnostics.ps1
 ```

scripts/networkhealth/RuleDump.ps1

@@ -0,0 +1,158 @@
+
+param (
+    [Parameter(Mandatory=$false, HelpMessage="Rule for Pod")][string]$podIp = "10.224.0.53",
+    [Parameter(Mandatory=$false, HelpMessage="Rule for Pod")][string]$ipFamily = "IPV4",
+    [Parameter(Mandatory=$false, HelpMessage="Rule for Pod")][string]$protoFamily = "TCP",
+    [Parameter(Mandatory=$false, HelpMessage="Rule for Pod")][bool]$PrintMatchedRules = $true
+)
+
+
+$podMac = (Get-HnsEndpoint | Where-Object IPAddress -Eq $podIp).MacAddress
+$podMacShortened = $podMac.Replace("-", "")
+$PodPortId = ((vfpctrl /list-vmswitch-port /format 1 | ConvertFrom-Json).Ports | Where-Object MacAddress -EQ $podMacShortened).Name
+$ExtPortId = ((vfpctrl /list-vmswitch-port /format 1 | ConvertFrom-Json).Ports | Where-Object Id -EQ "ExternalPort").Name
+$HostPortId = ((vfpctrl /list-vmswitch-port /format 1 | ConvertFrom-Json).Ports | Where-Object Id -Like "Container NIC*").Name
+
+$podLayers = ((vfpctrl /port $PodPortId /list-layer /format 1 | ConvertFrom-Json).Layers | Sort-Object -Property Priority).Name
+$extPortLayers = ((vfpctrl /port $ExtPortId /list-layer /format 1 | ConvertFrom-Json).Layers | Sort-Object -Property Priority).Name
+$hostPortLayers = ((vfpctrl /port $HostPortId /list-layer /format 1 | ConvertFrom-Json).Layers | Sort-Object -Property Priority).Name
+
+function RemoveNoise() {
+    param (
+        [Parameter(Mandatory=$true)][System.Object]$Rule
+    )
+    $Rule.PSObject.Properties.Remove('$type')
+    $Rule.PSObject.Properties.Remove('Type')
+    $Rule.PSObject.Properties.Remove('SubType')
+    $Rule.PSObject.Properties.Remove('MssDelta')
+    $Rule.PSObject.Properties.Remove('ReverseMssDelta')
+    $Rule.PSObject.Properties.Remove('RuleFlags')
+    $Rule.PSObject.Properties.Remove('PaRouteRuleFlags')
+    $Rule.PSObject.Properties.Remove('CachePruningThreshold')
+    $Rule.PSObject.Properties.Remove('InformationArray')
+    $Rule.PSObject.Properties.Remove('NumHeaders')
+    $Rule.PSObject.Properties.Remove('PartialRewriteTypes')
+    return $Rule
+}
+
+function LogVfpCounter {
+    param (
+        [parameter(Mandatory=$false)][string] $value = "",
+        [parameter(Mandatory=$false)][bool] $error = $false
+    )
+    # Add-Content -Path $VfpRuleFile -Value $value
+    if ($error -eq $true) {
+        Write-Host $value -ForegroundColor Red
+    }
+    else {
+        Write-Host $value
+    }
+
+}
+
+function NewLine {
+    param (
+        [parameter(Mandatory=$false)][int] $NoOfLines = 1
+    )
+    for ($i = 1; $i -le $NoOfLines; $i++) {
+        LogVfpCounter ""
+    }
+}
+
+function PrintRules {
+    param (
+        [Parameter(Mandatory=$true)][string[]]$Layers,
+        [Parameter(Mandatory=$true)][string]$PortId,
+        [Parameter(Mandatory=$false)][string]$Dir="OUT"
+    )
+
+    $ruleCounterMap = @{}
+
+    foreach($layer in $Layers) {
+        $groups = ((vfpctrl /port $PortId /layer $layer /list-group /format 1 | ConvertFrom-Json).Groups | Sort-Object -Property Priority).Name
+        foreach($group in $groups) {
+            if($group.Contains("_$DIR") -ne $true) {
+                continue
+            }
+            if(($group.Contains("IPV4") -eq $true) -or ($group.Contains("IPV6") -eq $true)) {
+                if($group.Contains($ipFamily) -ne $true) {
+                    continue
+                }
+            }
+            if(($group.Contains("TCP") -eq $true) -or ($group.Contains("UDP") -eq $true) -or ($group.Contains("ICMP") -eq $true)) {
+                if($group.Contains($protoFamily) -ne $true) {
+                    continue
+                }
+            }
+            $rules = (vfpctrl /port $PortId /layer $layer /group $group /get-rule-counter /format 1 | ConvertFrom-Json | Sort-Object -Property Priority).Rules
+            foreach ($rule in $rules) {
+
+                $ruleId = $rule.Name
+                if (($rule.Id).Length -gt 0) {
+                    $ruleId = $rule.Id
+                }
+
+                $ruleKey = "$portId-$layer-$group-$ruleId"
+
+                $informationArray = $rule.InformationArray
+
+                $rule = RemoveNoise -Rule $rule
+
+                if ($informationArray.Count -gt 0) {
+                    $rule | Add-Member -MemberType NoteProperty -Name RuleCounters -Value $informationArray[0].RuleCounters
+                }
+
+                $ruleJson = $rule | ConvertTo-Json -Depth 10
+
+                if ($informationArray.Count -gt 0) {
+
+                    $ruleCounters = $informationArray[0].RuleCounters
+                    $matchedPackets = $ruleCounters.MatchedPackets
+                    $droppedPackets = $ruleCounters.DroppedPackets
+                    $pendingPackets = $ruleCounters.PendingPackets
+                    $droppedFlows = $ruleCounters.DroppedFlows
+
+                    if (($droppedPackets -gt 0) -or ($pendingPackets -gt 0) -or ($droppedFlows -gt 0)) { 
+                        LogVfpCounter "  Dropped Rule : " -error $true
+                        LogVfpCounter "  ================ " -error $true
+                        NewLine 1
+                        LogVfpCounter "  Layer : $layer , Group : $group , Id : $ruleId " -error $true
+                        NewLine 1
+                        LogVfpCounter "  $ruleJson " -error $true                                    
+                        NewLine 2
+                    }
+                    elseif (($PrintMatchedRules -eq $true) -and ($matchedPackets -gt 0)) {   
+                        LogVfpCounter "  Matched Rule : "
+                        LogVfpCounter "  ================ "
+                        NewLine 1
+                        LogVfpCounter "  Layer : $layer , Group : $group , Id : $ruleId "
+                        NewLine 1
+                        LogVfpCounter "  $ruleJson "
+
+                        NewLine 2
+                    }
+
+                    $ruleCounterMap[$ruleKey] = $rule
+                }
+            }
+        }
+    }
+
+    return $ruleCounterMap
+}
+
+Write-Host "#===================== Pod VFP Port Rules in Outbound Direction ================#"
+NewLine 2
+$podPortRulesOutbound = PrintRules -Layers $podLayers -portId $PodPortId -Dir "OUT"
+NewLine 2
+Write-Host "#===================== External VFP Port Rules in Outbound Direction ================#"
+NewLine 2
+$extPortRulesOutbound = PrintRules -Layers $extPortLayers -portId $ExtPortId -Dir "OUT"
+NewLine 2
+Write-Host "#===================== External VFP Port Rules in Inbound Direction ================#"
+NewLine 2
+$extPortRulesIntbound = PrintRules -Layers $extPortLayers -portId $ExtPortId -Dir "IN"
+NewLine 2
+Write-Host "#===================== Pod VFP Port Rules in Inbound Direction ================#"
+NewLine 2
+$podPortRulesIutbound = PrintRules -Layers $podLayers -portId $PodPortId -Dir "IN"

scripts/networkhealth/checkLbDsrMissing.ps1

@@ -0,0 +1,84 @@
+param (
+    [Parameter(Mandatory=$true)][string]$ServiceIPS = "",
+    [Parameter(Mandatory=$false)][string]$RunFromOutside = $false,
+    [Parameter(Mandatory=$false)][string]$CopyScriptToNode = $false,
+    [Parameter(Mandatory=$false)][string]$HpcPodPrefix = "hpc",
+    [Parameter(Mandatory=$false)][string]$HpcNamepsace = "demo",
+    [Parameter(Mandatory=$false)][string]$Layer = "LB_DSR",
+    [Parameter(Mandatory=$false)][string]$Group = "LB_DSR_IPv4_OUT"
+)
+
+# Eg: .\checkLbDsrMissing.ps1 -ServiceIPS "20.51.25.211,10.0.10.189,10.0.92.4"
+
+$Logfile = "health.log"
+
+function LogError {
+    param (
+        [parameter(Mandatory=$true)][string] $message
+    )
+    Write-Host $message -ForegroundColor Red
+    Add-content $Logfile -value "[FAILED] $message"
+}
+
+function LogSuccess {
+    param (
+        [parameter(Mandatory=$true)][string] $message
+    )
+    Write-Host $message -ForegroundColor Green
+    Add-content $Logfile -value "[SUCCESS] $message"
+}
+
+function CheckLbDsrRuleMissing {
+
+    Write-Host "Checking $Layer Rule missing"
+    $lbDsrRuleMissing = $false
+
+    $serviceIPList = $ServiceIPS.Split(",")
+
+    $portNameList = vfpctrl /list-vmswitch-port | sls "Port name"
+
+    foreach($portName in $portNameList) {
+	    $portId = $portName.ToString().Split(":")[1].Trim()
+	    $entries = vfpctrl /port $portId /layer $Layer /list-group
+	    if($entries.Count -le 8) {
+		    continue
+	    }
+	    foreach($serviceIP in $serviceIPList) {
+		    $entries = vfpctrl /port $portId /layer $Layer /group $Group /list-rule | sls $serviceIP
+		    if($entries.Count -le 1) {
+			    LogError "VFP $Layer Rule missing for Service IP :  $serviceIP in VFP Port : $portName"
+                $lbDsrRuleMissing = $true
+		    } else {
+			    LogSuccess "VFP $Layer Rule present for Service IP :  $serviceIP in VFP Port : $portName"
+		    }
+	    }
+    }
+
+    if($lbDsrRuleMissing){
+        LogError "Mitigation : Restart-Service -f kubeproxy "
+        return
+    }
+
+    LogSuccess "No issues identified with $Layer Rule Missing for Service IPS : $ServiceIPS."
+}
+
+function ExecFromOutside {
+    $hpcPods = kubectl get pods -n $HpcNamepsace | sls $HpcPodPrefix
+    if($CopyScriptToNode -eq $true) {
+        foreach($hpcPod in $hpcPods) {
+            $podId = $hpcPod.ToString().Split(" ")[0].Trim()
+            Write-Host "Copying script to $podId"
+            kubectl cp .\checkLbDsrMissing.ps1 "$podId`:`checkLbDsrMissing.ps1" -n $HpcNamepsace
+        }
+    }
+    foreach($hpcPod in $hpcPods) {
+	    $podId = $hpcPod.ToString().Split(" ")[0].Trim()
+	    kubectl exec -it $podId -n $HpcNamepsace -- powershell ".\checkLbDsrMissing.ps1 -ServiceIPS '$ServiceIPS' -Layer $Layer -Group $Group"
+    }
+}
+
+if($RunFromOutside -eq $true) {
+    ExecFromOutside
+}
+
+CheckLbDsrRuleMissing

scripts/networkhealth/checkPortExhaustion.ps1

@@ -0,0 +1,110 @@
+$Logfile = ".\health.log"
+$minThreshold = 50
+
+function LogMessage {
+    param (
+        [parameter(Mandatory=$true)][string] $message
+    )
+    Add-content $Logfile -value "$message"
+}
+
+function CountAvailableEphemeralPorts([string]$protocol = "TCP") {
+
+    [uint32]$portRangeSize = 64
+    # First, remove all the text bells and whistle (plain text, table headers, dashes, empty lines, ...) from netsh output 
+    $tcpRanges = (netsh int ipv4 sh excludedportrange $protocol) -replace "[^0-9,\ ]", '' | ? { $_.trim() -ne "" }
+ 
+    # Then, remove any extra space characters. Only capture the numbers representing the beginning and end of range
+    $tcpRangesArray = $tcpRanges -replace "\s+(\d+)\s+(\d+)\s+", '$1,$2' | ConvertFrom-String -Delimiter ","
+    #Convert from PSCustomObject to Object[] type
+    $tcpRangesArray = @($tcpRangesArray)
+    
+    # Extract the ephemeral ports ranges
+    $EphemeralPortRange = (netsh int ipv4 sh dynamicportrange $protocol) -replace "[^0-9]", '' | ? { $_.trim() -ne "" }
+    $EphemeralPortStart = [Convert]::ToUInt32($EphemeralPortRange[0])
+    $EphemeralPortEnd = $EphemeralPortStart + [Convert]::ToUInt32($EphemeralPortRange[1]) - 1
+
+    # Find the external interface
+    $externalInterfaceIdx = (Get-NetRoute -DestinationPrefix "0.0.0.0/0")[0].InterfaceIndex
+    $hostIP = (Get-NetIPConfiguration -ifIndex $externalInterfaceIdx).IPv4Address.IPAddress
+
+    # Extract the used TCP ports from the external interface
+    $usedTcpPorts = (Get-NetTCPConnection -LocalAddress $hostIP -ErrorAction Ignore).LocalPort
+    $usedTcpPorts | % { $tcpRangesArray += [pscustomobject]@{P1 = $_; P2 = $_ } }
+
+    # Extract the used TCP ports from the 0.0.0.0 interface
+    $usedTcpGlobalPorts = (Get-NetTCPConnection -LocalAddress "0.0.0.0" -ErrorAction Ignore).LocalPort
+    $usedTcpGlobalPorts | % { $tcpRangesArray += [pscustomobject]@{P1 = $_; P2 = $_ } }
+    # Sort the list and remove duplicates
+    $tcpRangesArray = ($tcpRangesArray | Sort-Object { $_.P1 } -Unique)
+
+    $tcpRangesList = New-Object System.Collections.ArrayList($null)
+    $tcpRangesList.AddRange($tcpRangesArray)
+
+    # Remove overlapping ranges
+    for ($i = $tcpRangesList.P1.Length - 2; $i -gt 0 ; $i--) { 
+        if ($tcpRangesList[$i].P2 -gt $tcpRangesList[$i + 1].P1 ) { 
+            $tcpRangesList.Remove($tcpRangesList[$i + 1])
+            $i++
+        } 
+    }
+
+    # Remove the non-ephemeral port reservations from the list
+    $filteredTcpRangeArray = $tcpRangesList | ? { $_.P1 -ge $EphemeralPortStart }
+    $filteredTcpRangeArray = $filteredTcpRangeArray | ? { $_.P2 -le $EphemeralPortEnd }
+    
+    if ($null -eq $filteredTcpRangeArray) {
+        $freeRanges = @($EphemeralPortRange[1])
+    }
+    else {
+        $freeRanges = @()
+        # The first free range goes from $EphemeralPortStart to the beginning of the first reserved range
+        $freeRanges += ([Convert]::ToUInt32($filteredTcpRangeArray[0].P1) - $EphemeralPortStart)
+
+        for ($i = 1; $i -lt $filteredTcpRangeArray.length; $i++) {
+            # Subsequent free ranges go from the end of the previous reserved range to the beginning of the current reserved range
+            $freeRanges += ([Convert]::ToUInt32($filteredTcpRangeArray[$i].P1) - [Convert]::ToUInt32($filteredTcpRangeArray[$i - 1].P2) - 1)
+        }
+
+        # The last free range goes from the end of the last reserved range to $EphemeralPortEnd
+        $freeRanges += ($EphemeralPortEnd - [Convert]::ToUInt32($filteredTcpRangeArray[$filteredTcpRangeArray.length - 1].P2))
+    }
+    
+    # Count the number of available free ranges
+    [uint32]$freeRangesCount = 0
+    ($freeRanges | % { $freeRangesCount += [Math]::Floor($_ / $portRangeSize) } )
+
+    return $freeRangesCount
+}
+
+function CheckPortExhaustion {
+    Write-Host "Checking Port Exhaustion"
+    $avTcpPorts = CountAvailableEphemeralPorts -protocol TCP
+    if($avTcpPorts -lt $minThreshold) {
+        $message = "Available TCP ports are $avTcpPorts. Port exhaustion suspected."
+        Write-Host "$message" -ForegroundColor Red
+        LogMessage -message $message
+        return $true
+    }
+    $avUdpPorts = CountAvailableEphemeralPorts -protocol UDP
+    if($avTcpPorts -lt $minThreshold) {
+        $message = "Available UDP ports are $avUdpPorts. Port exhaustion suspected."
+        Write-Host "$message" -ForegroundColor Red
+        LogMessage -message $message
+        return $true
+    }
+    Write-Host "Available TCP Ports :  $avTcpPorts , UDP Ports : $avUdpPorts . No port exhaustion suspected." -ForegroundColor Green
+    return $false
+}
+
+$i = 0
+Remove-Item $Logfile -ErrorAction Ignore
+
+While($true) {
+    $i++
+    Write-Host "#============== Iteration : $i"
+    if(CheckPortExhaustion) {
+        Write-Host "DNS Issue Found." -ForegroundColor Red
+    }
+    Start-Sleep -Seconds 10
+}