VPN gateways support a quick diagnostics feature that detects anomalies in IPsec-VPN connections, including configuration errors, quota issues, route conflicts, and network connectivity issues. You can use it to locate the cause of a VPN connection failure and troubleshoot the failure.

Prerequisites

  • The quick diagnostics feature is available only to users that are included in the whitelist. If you are not included in the whitelist but want to use the feature, submit a ticket.
  • Before you use the quick diagnostics feature, a VPN gateway and an IPsec-VPN connection for that gateway must already exist. For more information, see Create a VPN gateway and Create an IPsec-VPN connection.

Background information

You can use this feature to diagnose only IPsec-VPN connections; SSL-VPN connections are not supported. The feature diagnoses the following items.
Quota of IPsec-VPN connections supported by a VPN gateway
The system checks the number of IPsec-VPN connections created for the specified VPN gateway against the quota of IPsec-VPN connections that each VPN gateway under your Alibaba Cloud account supports, and calculates the ratio of created IPsec-VPN connections to that quota.
  • If the ratio is no greater than 80%, the diagnostic result is normal.
  • If the ratio is greater than 80%, the diagnostic result is warning.
For example, the quota of IPsec-VPN connections supported by your VPN gateway is 10:
  • If you have created eight IPsec-VPN connections for the VPN gateway, the diagnostic result of this item is normal.
  • If you have created nine IPsec-VPN connections for the VPN gateway, the diagnostic result of this item is warning.
Note By default, each VPN gateway supports at most 10 IPsec-VPN connections.

To increase the quota, go to the Quota Management page. For more information, see Manage quotas.

Quota of policy-based routes supported by a VPN gateway
The system checks the number of policy-based routes created for the specified VPN gateway against the quota of policy-based routes that each VPN gateway under your Alibaba Cloud account supports, and calculates the ratio of created policy-based routes to that quota.
  • If the ratio is no greater than 80%, the diagnostic result is normal.
  • If the ratio is greater than 80%, the diagnostic result is warning.
For example, the quota of policy-based routes supported by your VPN gateway is 20:
  • If you have created 16 policy-based routes for the VPN gateway, the diagnostic result of this item is normal.
  • If you have created 17 policy-based routes for the VPN gateway, the diagnostic result of this item is warning.
Note By default, each VPN gateway supports up to 20 policy-based routes.

To increase the quota, go to the Quota Management page. For more information, see Manage quotas.

Quota of destination-based routes supported by a VPN gateway
The system checks the number of destination-based routes created for the specified VPN gateway against the quota of destination-based routes that each VPN gateway under your Alibaba Cloud account supports, and calculates the ratio of created destination-based routes to that quota.
  • If the ratio is no greater than 80%, the diagnostic result is normal.
  • If the ratio is greater than 80%, the diagnostic result is warning.
For example, the quota of destination-based routes supported by your VPN gateway is 20:
  • If you have created 16 destination-based routes for the VPN gateway, the diagnostic result of this item is normal.
  • If you have created 17 destination-based routes for the VPN gateway, the diagnostic result of this item is warning.
Note By default, each VPN gateway supports at most 20 destination-based routes.

To increase the quota, go to the Quota Management page. For more information, see Manage quotas.

Route conflicts
The system checks the route of the specified IPsec-VPN connection and determines whether it conflicts with any route in the route table of the specified VPN gateway. An IPsec-VPN connection route is a route whose next hop is an IPsec-VPN connection.
  • If the destination CIDR block of the IPsec-VPN connection route does not overlap with the destination CIDR block of any route in the route table, the diagnostic result is normal.
  • If the destination CIDR block of a route in the route table is the same as, or contains, that of the IPsec-VPN connection route, the diagnostic result is error. In this case the same destination has a route with a different next hop that is at least as specific, so traffic for that network may not be forwarded over the intended IPsec-VPN connection.
  • If the destination CIDR block of the IPsec-VPN connection route contains that of a route in the route table, the diagnostic result is warning.
For example, the destination CIDR block of your IPsec-VPN connection route is 172.23.0.0/16 and the next hop is vco-1:
  • If the route table of the VPN gateway has only one route with the destination CIDR block of 192.168.0.0/16, the diagnostic result is normal.
  • If the route table of the VPN gateway has a route with the destination CIDR block of 172.23.0.0/16 and next hop of vco-2, the diagnostic result is error.
  • If the route table of the VPN gateway has a route with the destination CIDR block of 172.23.1.0/24 and next hop of vco-3, the diagnostic result is warning.
Configuration consistency of IPsec-VPN connections
The system checks whether the configurations of the IPsec-VPN connections for the specified VPN gateway are the same as those of the on-premises gateway device.
  • If the configurations are consistent, the diagnostic result is normal.
  • If the configurations are inconsistent, the diagnostic result is error.
Note If the quick diagnostics feature cannot obtain the IPsec-VPN connection configurations of the on-premises gateway device, the diagnostic result is also normal. A normal result for this item therefore does not by itself confirm that the two sides match; if the connection still fails, compare the configurations on both sides manually.
Internet connectivity of customer gateways
The system sends probe packets to test the Internet connectivity of the customer gateway.
  • If the packet loss rate is 0%, the diagnostic result is normal.
  • If the packet loss rate is between 0% and 100% (excluding both), the diagnostic result is warning.
  • If the packet loss rate is 100%, the diagnostic result is error.
Private network connectivity
The system sends probe packets from the specified source IP address to the specified destination IP address to test private network connectivity.
  • If the packet loss rate is 0%, the diagnostic result is normal.
  • If the packet loss rate is between 0% and 100% (excluding both), the diagnostic result is warning.
  • If the packet loss rate is 100%, the diagnostic result is error.
Note To test private network connectivity, you must specify the source IP address and the destination IP address (see the Procedure section). Otherwise, the connectivity test fails.
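The decision rules in the table above (the 80% quota threshold, the CIDR containment test for route conflicts, and the packet-loss bands for the two connectivity items) are simple enough to reproduce locally, which lets you predict the result of a diagnosis or pre-check quotas and routes from automation before a connection is cut over. The following Python script is an added example and is not Alibaba Cloud code or the implementation behind the feature; the function names, the Route type and the sample data are constructed for illustration (the next-hop IDs vco-1, vco-2 and vco-3 are reused from the page's example), and the assumption that the connection route itself, if present in the route table, does not count as a conflict is not stated on the page.

```python
"""Local re-implementation of the documented quick-diagnostics decision rules.

Added example, not Alibaba Cloud code: the console performs the real checks.
This only encodes the thresholds the documentation states. The function names,
the Route type and the sample routes are constructed for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

NORMAL, WARNING, ERROR = "normal", "warning", "error"
_RANK = {NORMAL: 0, WARNING: 1, ERROR: 2}


def quota_result(used: int, quota: int) -> str:
    """Quota items: used/quota at or below 80% is normal, above 80% is warning.
    Integer arithmetic avoids floating-point rounding at exactly 80%."""
    if quota <= 0 or used < 0:
        raise ValueError("quota must be positive and used must be non-negative")
    return NORMAL if used * 100 <= 80 * quota else WARNING


@dataclass(frozen=True)
class Route:
    cidr: str       # destination CIDR block, e.g. "172.23.0.0/16"
    next_hop: str   # next hop, e.g. an IPsec-VPN connection ID such as "vco-1"


def _route_pair_result(conn: ipaddress.IPv4Network | ipaddress.IPv6Network,
                       other: ipaddress.IPv4Network | ipaddress.IPv6Network) -> str:
    """Compare the IPsec-VPN connection route with one route from the table."""
    if not conn.overlaps(other):
        return NORMAL        # disjoint destination blocks
    if conn.subnet_of(other):
        return ERROR         # table route is the same as, or contains, the connection route
    return WARNING           # connection route contains a more specific table route


def route_conflict_result(conn_route: Route, route_table: Iterable[Route]) -> str:
    """Worst result over all routes in the table.

    Assumption (not stated on the page): an entry identical to the connection
    route itself (same CIDR and same next hop) is not counted as a conflict."""
    conn = ipaddress.ip_network(conn_route.cidr, strict=True)
    worst = NORMAL
    for route in route_table:
        if route == conn_route:
            continue
        result = _route_pair_result(conn, ipaddress.ip_network(route.cidr, strict=True))
        if _RANK[result] > _RANK[worst]:
            worst = result
    return worst


def connectivity_result(loss_percent: float) -> str:
    """Connectivity items: 0% loss is normal, 100% loss is error, anything between is warning."""
    if not 0 <= loss_percent <= 100:
        raise ValueError("packet loss must be between 0 and 100 percent")
    if loss_percent == 0:
        return NORMAL
    if loss_percent == 100:
        return ERROR
    return WARNING


if __name__ == "__main__":
    # Constructed sample data mirroring the page's worked examples.
    print(quota_result(8, 10), quota_result(9, 10))          # normal warning
    conn = Route("172.23.0.0/16", "vco-1")
    print(route_conflict_result(conn, [Route("192.168.0.0/16", "vpc-1")]))  # normal
    print(route_conflict_result(conn, [Route("172.23.0.0/16", "vco-2")]))   # error
    print(route_conflict_result(conn, [Route("172.23.1.0/24", "vco-3")]))   # warning
    print(connectivity_result(0), connectivity_result(12.5), connectivity_result(100))
```

Feed `route_conflict_result` the full route table of the gateway so that the worst-ranked conflict is reported, which is also what the console shows as the single result for the item. There is no local equivalent for the configuration-consistency item: because it reports normal when the on-premises configuration cannot be read, only a side-by-side comparison of the two gateways' settings gives a trustworthy answer.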

Procedure

  1. Log on to the VPN gateway console.
  2. In the top navigation bar, select the region where the VPN gateway is deployed.
  3. On the VPN Gateways page, find the VPN gateway that you want to diagnose and choose the More icon > Quick Diagnostics in the Actions column.
  4. In the Quick Diagnostics dialog box, set the following parameters and click Next.
    IPsec Connection: Select the IPsec-VPN connection that you want to diagnose.
    Private Network Connectivity Check:
      Source IP Address: Enter an IP address in a virtual private cloud (VPC). This IP address is used as the source IP address of the private network connectivity test.
      Destination IP Address: Enter an IP address in your data center. This IP address is used as the destination IP address of the private network connectivity test.
  5. In the Diagnostic Result section, view the diagnostic results of the IPsec-VPN connection.