AzStackHci.DiagnosticSettings

Author(s)

• Microsoft Corporation

Tags

Microsoft AzStackHci Diagnostic Settings Connectivity AzureLocal

Functions

Get-AzStackHciMemoryDumpSettings Set-AzStackHciMemoryDumpSettings Restore-AzStackHciMemoryDumpSettings Get-AzStackHciPageFileSettings Restore-AzStackHciPageFileSettings Set-AzStackHciPageFileSettings Set-AzStackHciPageFileSettingsMinimal Get-AzStackHciUserModeCrashDumpSettings Set-AzStackHciUserModeCrashDumpSettings Restore-AzStackHciUserModeCrashDumpSettings Test-AzStackHciSSLInspection Send-ClusterPerformanceHistory Test-AzureLocalConnectivity Test-Layer7Connectivity Test-TCPConnectivity Get-AzStackHciOsConfigSettings Test-ArcMachinePrivateLinkScopeEnabled

PSEditions

Desktop Core

Dependencies

This module has no dependencies.

Release Notes

## v0.6.6

### Test-AzureLocalConnectivity — longer initial timeout + single retry with extended timeout for slow-responding endpoints
- Initial timeout raised from 60 s -> 90 s ($script:HTTP_TIMEOUT_INITIAL_SEC). Some Azure data-plane endpoints (notably guestnotificationservice.azure.com/urls/allowlist?...) can legitimately take longer than 60 seconds to respond, especially on slow links or proxied paths.
- Test-Layer7Connectivity now performs a single retry with an extended timeout ($script:HTTP_TIMEOUT_RETRY_SEC, default 120 seconds) when the first attempt returns exactly "The operation has timed out.". Gated by: one retry per endpoint, only on the first request (not redirected hops). No per-run budget cap, so customers on a uniformly slow link still get every endpoint a fair chance on the second attempt. The 'DNS resolved or proxy in path' precondition is implicit — .NET only emits that exact message after the connection has already been initiated.
- On retry success, Layer7Response is annotated with " (succeeded on retry @ 120s)" so the slow-path success is visible in the output.

### Test-AzureLocalConnectivity — fix "Collection was modified" enumeration crash when CRL/OCSP rows appended
- Fixed: when the new CRL/OCSP-unreachable classification fired during the main endpoint loop, Add-CrlDependencyRowToResults appended new dependency rows to $script:Results while it was still being enumerated by `ForEach ($urlObj in $script:Results)`, throwing "Collection was modified; enumeration operation may not execute." and aborting the test run. The main loop now enumerates a snapshot (`@($script:Results)`); newly-appended rows have Layer7Status="" and are still picked up by the existing remaining-URLs loop later in the run.

### Test-AzureLocalConnectivity — fix "AllowAutoRedirect" certificate-detail errors caused by name collision with AzStackHci.EnvironmentChecker
- Fixed regression triggered by AzStackHci.EnvironmentChecker 10.2509+: every HTTPS endpoint was reporting "Error processing certificate details for '<url>': A parameter cannot be found that matches parameter name 'AllowAutoRedirect'". Root cause: EnvironmentChecker now exports a public function named Get-SslCertificateChain (different parameter set, no -AllowAutoRedirect), and our Get-AzStackHciEnvironmentCheckerModule helper Import-Module'd it without -Global, so EnvironmentChecker's exported function shadowed our private helper of the same name inside our module's session state. Result: every HTTPS endpoint had empty certificate Subject/Issuer/Thumbprint columns in the output.
- Two-part fix: (1) renamed our private helper from Get-SslCertificateChain to Get-AzSHciSslCertificateChain so the names can no longer collide; (2) Get-AzStackHciEnvironmentCheckerModule now uses Import-Module -Global so EnvironmentChecker's exported functions land in the global session state instead of being injected into our module's scope (defence-in-depth for any future same-name collisions).

### Test-AzureLocalConnectivity — re-initialize CRL/OCSP-offline state per call
- Fixed: $script:CRLOfflineURLs was only initialized once at module import (in Initialize-ModuleState), so calling Test-AzureLocalConnectivity twice in the same PowerShell session would leak stale CRL/OCSP-offline URLs from the previous run into the new run's CRITICAL summary block. The ArrayList is now re-initialized at the top of Test-AzureLocalConnectivity alongside $script:SSLInspectedURLs, matching the pattern used by all other per-run state.

### Test-AzureLocalConnectivity — CRL/OCSP vs. SSL Inspection classification
- Fixed false positive: endpoints with a trusted certificate chain but an offline revocation check (CRL / OCSP endpoint unreachable) were incorrectly flagged as "SSL Inspection detected". Now classified as a distinct "CRL/OCSP unreachable" failure mode with its own summary block and clear remediation steps.
- Get-Layer7CertificateDetails performs a revocation-independent X509Chain build when Test-Certificate fails. If the chain is trusted locally and the captured chain status contains a revocation-offline token (RevocationStatusUnknown / OfflineRevocation / CERT_TRUST_REVOCATION_STATUS_UNKNOWN / CERT_TRUST_IS_OFFLINE_REVOCATION), the endpoint is reclassified. Otherwise the legacy SSL-Inspection path still fires.
- Parent endpoint row stays Failed (so the red badge isn't lost), Layer7Response now reads "(200) OK - CRL/OCSP unreachable [CRL: ..., OCSP: ...]" with the actual revocation URLs appended from the leaf certificate extensions.
- Suppressed Test-Certificate native `WARNING: Chain status:` output via -WarningAction SilentlyContinue (chain status is still captured via -ErrorVariable for classification).

### Test-AzureLocalConnectivity — CRL/OCSP endpoints added as first-class test rows
- When an endpoint is classified as CRL/OCSP unreachable, Test-AzureLocalConnectivity now extracts up to 1 CRL Distribution Point + 1 OCSP responder URL from the leaf certificate's X.509 extensions (OIDs 2.5.29.31 and 1.3.6.1.5.5.7.1.1 respectively) and appends them to $script:Results as dedicated rows on port 80. These rows are tested by the existing remaining-URLs loop, so the output tree makes the dependency failure actionable: parent HTTPS endpoint -> child http://crl*.ca/... row with its own Pass/Fail.
- New helper Get-CertRevocationEndpoints parses both extensions and filters out non-http schemes (e.g. ldap://).
- New helper Add-CrlDependencyRowToResults uses a two-tier dedupe strategy:
 - OCSP rows: host-level dedupe against $script:Results (single-host protocol).
 - CRL rows: exact-URL dedupe (different .crl paths on the same host can be independently blocked by path-based proxy filtering). When multiple parent endpoints share the same CRL URL, the row's Source field is extended to list all parent domains rather than duplicating the row.
- Caps via $script:CRL_MAX_DP_PER_CERT=1 and $script:CRL_MAX_OCSP_PER_CERT=1 keep the result table compact even for certs that list many distribution points.

### Test-AzureLocalConnectivity — console output fixes
- Fixed hardcoded message: "Please check the CSV file for detailed information" now correctly reads "See the <OutputFormat> output file for detailed information" (honours the actual -OutputFormat, default HTML).
- Fixed a second hardcoded CSV-specific string in Publish-Results: the tail summary line "...review the CSV file listed below" now also honours -OutputFormat and reads "...see the <OutputFormat> output file listed below".
- New CRITICAL console summary block for CRL/OCSP unreachable endpoints: correlates each parent HTTPS URL with the auto-generated CRL/OCSP dependency rows added for it, showing the tested status of each dependency next to the parent URL so the customer can immediately see which specific port-80 URLs their firewall/proxy is blocking.

### Test-AzureLocalConnectivity — -PassThru now exposes DownloadSpeed
- The -PassThru switch now attaches a DownloadSpeed NoteProperty to the returned results collection, so callers can retrieve the measured speed programmatically without having to parse the JSON output file. Example: $r = Test-AzureLocalConnectivity -PassThru; $r.DownloadSpeed.
- The return is wrapped with the comma operator (return ,$script:Results) to prevent PowerShell from auto-unrolling the ArrayList; enumeration, .Count, and indexing behaviour are unchanged for existing callers.

### Invoke-UploadDiagnosticResults — context-aware upload message
- Invoke-UploadDiagnosticResults now accepts a -Context parameter (default 'Connectivity Test results') and interpolates it into the "Sending the <Context> information to Microsoft..." console message. The OS-config caller (Get-AzStackHciOsConfigSettings) now passes -Context 'OS configuration data results', so the previously misleading "Sending the Connectivity Test results information to Microsoft..." wording no longer appears during OS-config uploads.

### State & constants
- New $script:CRLOfflineURLs ArrayList tracks CRL/OCSP-offline endpoints separately from $script:SSLInspectedURLs so the two summary blocks don't conflate.
- New constants: CERT_CHAIN_STATUS_REVOCATION_OFFLINE (token list), CRL_DP_OID, AIA_OID, CRL_MAX_DP_PER_CERT, CRL_MAX_OCSP_PER_CERT.

### Unit tests
- Added "CRL/OCSP offline vs SSL Inspection classification" Describe block: verifies revocation-only failures go to $script:CRLOfflineURLs (not $script:SSLInspectedURLs), untrusted chains still hit the legacy SSL-Inspection path, Get-CertRevocationEndpoints correctly parses CRL DP / AIA / ldap-filtering, and Add-CrlDependencyRowToResults dedupes OCSP by host + CRL by exact URL (with Source aggregation for shared URLs).

For full version history (including v0.6.5 and earlier) see CHANGELOG.md shipped with this module.