Express Connect: Troubleshooting

Last Updated: Dec 07, 2023

This topic describes how to troubleshoot connection issues between an on-premises data center and an Elastic Compute Service (ECS) instance in a Virtual Private Cloud (VPC).

Background information

Perform the following steps:

  1. Diagnose network routing issues.

  2. Diagnose issues at Layer 3 and Layer 4.

  3. Diagnose issues at Layer 2.

  4. Diagnose issues at Layer 1.

Diagnose network routing issues

If a Border Gateway Protocol (BGP) peering session is established between a virtual border router (VBR) and a VPC, and you can ping the IP address of the VBR from the on-premises device, but your on-premises server and the ECS instance in the VPC cannot communicate with each other, perform the following steps to troubleshoot the issue:

  • If you use Express Connect peering connections to connect your on-premises data center to the VPC, check the status of the health check for the connection between the VBR and the VPC.

  • If you use Cloud Enterprise Network (CEN) to connect your on-premises data center to the VPC, check the status of the health check for VBRs on the CEN instance.

  • If you use BGP routing, make sure that the on-premises gateway advertised your on-premises CIDR block over BGP.

  • Make sure that no more than 110 BGP route entries are advertised. Excess advertised route entries are discarded, but BGP peering sessions can still be established.

  • Make sure that your on-premises gateway has a route in the route table that maps the on-premises gateway to the VPC. The next hop is the IP address of the VBR.

  • Make sure that your VBR route table has a route that maps the VBR to the CIDR block of the on-premises data center. The next hop is the physical connection interface.

  • Make sure that your VBR route table has a route that maps the VBR to the VPC. The next hop is the ID of the VPC instance.

  • Make sure that your VPC route table has a route that maps the VPC to the CIDR block of the on-premises data center. The next hop is the VBR.

  • Make sure that you configured your ECS security group and network access control list (ACL) to allow inbound and outbound network traffic transmitted between the VPC and your on-premises data center.

If the issue persists, submit a ticket.
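
The route and advertisement checks in the list above can be run against exported route tables. The following Python code is an added example, not Alibaba Cloud code; the table layout, the IDs (pc-EXAMPLE, vpc-EXAMPLE, vbr-EXAMPLE) and all addresses are constructed placeholders, and it assumes each destination CIDR block is wholly covered by one route.

```python
import ipaddress

MAX_BGP_ROUTES = 110  # advertised-route limit stated on this page

def next_hop(table, dest):
    """Longest-prefix match: next hop of the most specific route covering dest."""
    dest = ipaddress.ip_network(dest)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table
            if dest.subnet_of(ipaddress.ip_network(p))]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def check_routes(onprem, vpc, advertised, tables, hops):
    """Return a list of findings; an empty list means every route check passed."""
    findings = []
    if len(advertised) > MAX_BGP_ROUTES:
        findings.append(f"{len(advertised)} BGP routes advertised, limit is {MAX_BGP_ROUTES}")
    if next_hop([(p, "bgp") for p in advertised], onprem) is None:
        findings.append(f"{onprem} is not covered by any advertised prefix")
    expected = [  # (route table, destination, required next hop)
        ("onprem_gateway", vpc, hops["vbr_ip"]),
        ("vbr", onprem, hops["physical_connection"]),
        ("vbr", vpc, hops["vpc_id"]),
        ("vpc", onprem, hops["vbr_id"]),
    ]
    for name, dest, want in expected:
        got = next_hop(tables[name], dest)
        if got != want:
            findings.append(f"{name}: route to {dest} has next hop {got}, expected {want}")
    return findings

# Constructed sample data; every ID and address below is a placeholder.
HOPS = {"vbr_ip": "10.0.0.1", "physical_connection": "pc-EXAMPLE",
        "vpc_id": "vpc-EXAMPLE", "vbr_id": "vbr-EXAMPLE"}
ONPREM, VPC = "192.168.0.0/16", "172.16.0.0/12"
TABLES = {
    "onprem_gateway": [("172.16.0.0/12", "10.0.0.1")],
    "vbr": [("192.168.0.0/16", "pc-EXAMPLE"), ("172.16.0.0/12", "vpc-EXAMPLE")],
    "vpc": [("192.168.0.0/16", "vbr-EXAMPLE")],
}

if __name__ == "__main__":
    result = check_routes(ONPREM, VPC, [ONPREM], TABLES, HOPS)
    for finding in result or ["all route checks passed"]:
        print(finding)
```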

Diagnose issues at Layer 3 and Layer 4

After you send ping packets to the VBR, the on-premises gateway and the VBR can communicate with each other, but the on-premises BGP peering session cannot be established. To resolve this issue, perform the following steps:

  1. Make sure that you configured a valid on-premises autonomous system number (ASN) and Alibaba Cloud ASN for BGP routing.

  2. Make sure that you correctly configured the peering IP addresses at both ends of the BGP peering session.

  3. Make sure that you configured your MD5 authentication key and the key exactly matches the key in the downloaded router configuration file.

    Note: Check for extra spaces or characters.

  4. Make sure that no firewalls or ACL rules block TCP port 179 or the ephemeral (temporary) TCP ports that are greater than 1024. These ports are required for BGP peers to establish TCP connections.

  5. Check your BGP logs for errors or warnings.

If BGP peering sessions still cannot be established, submit a ticket.
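
Steps 3 and 4 above can be checked offline before a change window. The following Python code is an added example, not Alibaba Cloud code: it classifies an MD5 key mismatch without printing either secret, and evaluates a simplified ordered port filter. The rule format (action, low port, high port), the implicit final deny and the sample key are assumptions made for the example.

```python
import hmac
import unicodedata

def diagnose_md5_key(configured, reference):
    """Classify a BGP MD5 key mismatch without printing either secret."""
    if hmac.compare_digest(configured.encode(), reference.encode()):
        return "match"
    if configured.strip() == reference.strip():
        return "leading-or-trailing-whitespace"
    def visible(s):  # drop separators (Z*) and control/format characters (C*)
        return "".join(c for c in s if unicodedata.category(c)[0] not in "CZ")
    if visible(configured) == visible(reference):
        return "extra-space-or-invisible-character"
    return "different-key"

def first_match(rules, port):
    """Evaluate ordered (action, low_port, high_port) TCP rules; first match wins."""
    for action, low, high in rules:
        if low <= port <= high:
            return action
    return "deny"  # assumption: the filter ends with an implicit deny

def bgp_port_report(rules):
    """Return (port_179_allowed, number_of_blocked_ports_above_1024)."""
    blocked = sum(1 for p in range(1025, 65536) if first_match(rules, p) != "allow")
    return first_match(rules, 179) == "allow", blocked

# Constructed sample inputs; the key is a placeholder, not a real secret.
REFERENCE_KEY = "ExampleKey123"
ACL = [("allow", 179, 179), ("deny", 1025, 32767), ("allow", 1024, 65535)]

if __name__ == "__main__":
    print(diagnose_md5_key("ExampleKey123 ", REFERENCE_KEY))
    print(bgp_port_report(ACL))
```

In the sample filter, the deny rule is listed before the broader allow rule, so part of the range above 1024 is blocked even though port 179 is open.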

Diagnose issues at Layer 2

The indicator of the on-premises gateway shows that the gateway is in the normal state, but you cannot use the on-premises gateway device to ping the IP address of the VBR. To resolve this issue, perform the following steps:

  1. Check whether you configured valid IP addresses. Make sure that the IP addresses belong to the same CIDR block and are in a valid VLAN.

  2. Make sure that you configured the IP addresses in a VLAN subinterface such as GigabitEthernet 0/0.123 instead of a physical interface such as GigabitEthernet 0/0.

  3. Check whether the router has MAC address entries from the VBR node in the cloud in your Address Resolution Protocol (ARP) table.

  4. Make sure that VLAN trunking is enabled for your 802.1Q VLAN tag on all devices between the VBR in the cloud and the on-premises gateway.

  5. Clear the ARP table cache of your on-premises devices and your connectivity provider.

If ARP communication still cannot be established or ping packets cannot be sent to the VBR in the cloud, submit a ticket.

Diagnose issues at Layer 1

If the indicator of the on-premises gateway that is connected to the leased line is off, perform the following steps:

  1. Check whether the customer-premises equipment (CPE) of the on-premises data center is enabled and the port is activated.

  2. Confirm with your connectivity provider whether a VBR-to-VPC peering connection is established, and ask the provider for a Proof of Completion and a connectivity test report.

  3. Check whether the optical modules at both ends of the leased line run in the normal state.

    • Check whether the optical modules support the same transmission distance. If the optical modules do not support the same transmission distance, the port indicator does not turn on.

    • Check whether the optical modules support the same bandwidth. If the optical modules do not support the same bandwidth, the port indicator is off.

    • To enable optical fiber connections, you must use single-mode optical modules, such as 1000Base-LX for 1 GB Ethernet, 10GBase-LR for 10 GB Ethernet, 40GBase-LR for 40 GB Ethernet, and 100GBase-LR for 100 GB Ethernet. You can use the optical modules to connect to Alibaba Cloud. You must configure the same parameters for the optical modules on both ends.

  4. Check whether you have disabled the auto-negotiation feature on the CPE and have manually configured the port rate and full duplex mode.

    Auto-negotiation is enabled by default on most network devices, such as Juniper devices. You must disable the feature manually.

  5. Contact the connectivity provider to complete the leased line segmentation tests.

    • Contact the connectivity provider or on-premises data center provider to conduct in-building cable tests between the optical distribution frames (ODF) and the on-premises access devices. If a loop test is required, conduct fiber optic loopback tests in the building.

    • Contact the connectivity provider to test the connection from the on-premises data center to the gateway on the connectivity provider site. If a loop test is required, conduct fiber optic loopback tests in the building.

    • The connectivity provider contacts the service provider to complete internal network link tests.

    • Contact the connectivity provider and test the in-building cable between ODF and the Alibaba Cloud access devices in the on-premises data center in which the Alibaba access point is deployed.

    • To test the pigtail cable, submit a ticket.

    For information about the actual topology, contact your connectivity provider.