This topic describes how to troubleshoot the connection between an on-premises data center and an Elastic Compute Service (ECS) instance in a Virtual Private Cloud (VPC).

Background information

Perform the following operations:
  1. Diagnose network routing issues.
  2. Diagnose issues at Layer 3 and Layer 4.
  3. Diagnose issues at Layer 2.
  4. Diagnose issues at Layer 1.

Diagnose network routing issues

You can ping the IP address of the VBR from the local device, and a Border Gateway Protocol (BGP) peering session has been established between the VBR and the VPC. If ping packets sent to the ECS instance still show that your on-premises server and the ECS instance in the VPC cannot communicate with each other, perform the following operations to troubleshoot the connection:

  • If you use Express Connect-Peering connections to connect your on-premises data center to the VPC, check the status of the health check for the connection between the VBR and the VPC.
  • If you use Cloud Enterprise Network (CEN) to connect your on-premises data center to the VPC, check the status of the health check for VBRs on the CEN instance.
  • If you use BGP routing, make sure that the local gateway has advertised your local CIDR block over BGP.
  • Make sure that no more than 110 BGP route entries are advertised. Route entries beyond this limit are discarded, although the BGP peering session can still be established.
  • Make sure that your on-premises gateway has a route in the route table that maps the on-premises gateway to the VPC. The next hop is the IP address of the VBR.
  • Make sure that your VBR route table has a route that maps the VBR to the CIDR block of the on-premises data center. The next hop is the physical connection interface.
  • Make sure that your VBR route table has a route that maps the VBR to the VPC. The next hop is the ID of the VPC instance.
  • Make sure that your VPC route table has a route that maps the VPC to the CIDR block of the on-premises data center. The next hop is the VBR.
  • Make sure that your ECS security group and network access control list (ACL) are configured to allow inbound and outbound network traffic transmitted between the VPC and your on-premises data center.

If the issue persists, submit a ticket.

Diagnose issues at Layer 3 and Layer 4

You can ping the VBR from the on-premises gateway, so the two can communicate with each other, but the on-premises BGP peering session cannot be established. To resolve this issue, perform the following operations:

  1. Make sure that a valid on-premises autonomous system number (ASN) and a valid Alibaba Cloud ASN are configured for BGP routing.
  2. Make sure that the peering IP addresses at both ends of the BGP peering session are configured correctly.
  3. Make sure that your MD5 authentication key is configured and exactly matches the key in the downloaded router configuration file.
    Note Check for extra spaces or characters.
  4. Make sure that no firewall or ACL rules block TCP port 179 or the ephemeral TCP ports above 1024. BGP peers require these ports to establish TCP connections.
  5. Check your BGP logs for errors or warnings.
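The routing checklist above and this Layer 3/4 checklist can be run against a configuration snapshot before the session is brought up. The following Python is an added example, not code from Alibaba Cloud or from this page; the dictionary layout for the on-premises config and for the downloaded router configuration file, the ACL rule format, and all sample values are assumptions constructed for the example.

```python
import ipaddress

MAX_ADVERTISED_ROUTES = 110   # VBR limit stated on the page
BGP_PORT = 179                # plus ephemeral TCP ports above 1024

def valid_asn(asn):
    """True for a usable 2-byte or 4-byte ASN (0 and 4294967295 are reserved)."""
    return isinstance(asn, int) and 0 < asn < 4294967295

def acl_allows(acl, port):
    """First-match ACL on TCP destination port, rules (action, low, high); implicit deny."""
    for action, low, high in acl:
        if low <= port <= high:
            return action == "permit"
    return False

def check_bgp_session(local, cloud, advertised, acl):
    """Checklist findings for one peering. `local` is the on-premises config, `cloud`
    the values from the downloaded router configuration file (dict layout assumed)."""
    findings = []
    if not (valid_asn(local["asn"]) and valid_asn(cloud["asn"])):
        findings.append("invalid ASN")
    if local["peer_asn"] != cloud["asn"] or cloud["peer_asn"] != local["asn"]:
        findings.append("ASN mismatch between on-premises and VBR side")
    lo, cl = ipaddress.ip_interface(local["ip"]), ipaddress.ip_interface(cloud["ip"])
    if local["peer_ip"] != str(cl.ip) or cloud["peer_ip"] != str(lo.ip):
        findings.append("peering IP mismatch")
    if lo.network != cl.network:
        findings.append("peering IPs are not in the same CIDR block")
    if local["md5_key"] != cloud["md5_key"]:  # match only after strip() = stray spaces
        same = local["md5_key"].strip() == cloud["md5_key"].strip()
        findings.append("MD5 key has extra whitespace" if same else "MD5 key mismatch")
    if local["cidr"] not in advertised:
        findings.append("local CIDR block not advertised")
    if len(advertised) > MAX_ADVERTISED_ROUTES:  # extra routes are dropped, session stays up
        findings.append("%d routes beyond the limit of %d are discarded"
                        % (len(advertised) - MAX_ADVERTISED_ROUTES, MAX_ADVERTISED_ROUTES))
    for port in (BGP_PORT, 1025, 65535):  # spot-check 179 and the ephemeral range
        if not acl_allows(acl, port):
            findings.append("ACL blocks TCP port %d" % port)
    return findings

# Constructed sample: /30 interconnect, private ASNs, key with a trailing space,
# 112 advertised routes and an ACL that blocks port 179.
LOCAL = {"asn": 65001, "peer_asn": 65002, "ip": "10.0.0.1/30", "peer_ip": "10.0.0.2",
         "md5_key": "s3cret ", "cidr": "192.168.0.0/16"}
CLOUD = {"asn": 65002, "peer_asn": 65001, "ip": "10.0.0.2/30", "peer_ip": "10.0.0.1",
         "md5_key": "s3cret"}
ROUTES = ["192.168.0.0/16"] + ["172.16.%d.0/24" % i for i in range(111)]
ACL = [("deny", 179, 179), ("permit", 1, 65535)]
```

Running `check_bgp_session(LOCAL, CLOUD, ROUTES, ACL)` on the constructed sample reports the stray space in the MD5 key, the two routes past the 110-route limit, and the blocked port 179.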

If BGP peering sessions still cannot be established, submit a ticket.

Diagnose issues at Layer 2

The indicator of the on-premises gateway shows the normal state, but you cannot ping the IP address of the VBR from the on-premises gateway device. To resolve this issue, perform the following operations:

  1. Check whether you have configured valid IP addresses. Make sure that the IP addresses reside within the same CIDR block and belong to a valid VLAN.
  2. Make sure that the IP address is configured in a VLAN subinterface such as GigabitEthernet 0/0.123 instead of a physical interface such as GigabitEthernet 0/0.
  3. Verify that the Address Resolution Protocol (ARP) table of the router contains MAC address entries learned from the VBR node in the cloud.
  4. Make sure that VLAN trunking is enabled for your 802.1Q VLAN tag on all devices between the VBR in the cloud and the on-premises gateway.
  5. Clear the ARP cache of your local devices and of your Internet service provider (ISP).

If ARP communication still cannot be established or ping packets cannot be sent to the VBR in the cloud, submit a ticket.

Diagnose issues at Layer 1

If the indicator of the on-premises gateway connected to the leased line is off, perform the following operations:

  1. Check whether the customer-premises equipment (CPE) of the on-premises data center is enabled and the port is activated.
  2. Confirm with your service provider whether a VBR-to-VPC peering connection has been established. Ask the ISP to certify that it has constructed the leased line for you and that the peering connection has passed the connectivity test.
  3. Check whether the optical modules at both ends of the leased line run in the normal state.
    • Check whether the optical modules support the same transmission distance. Otherwise, the port indicator is unable to turn on.
    • Check whether the optical modules support the same bandwidth. Otherwise, the port indicator is off.
    • To use optical fiber connections, you must use single-mode optical modules, such as 1000Base-LX for 1 Gigabit Ethernet, 10GBase-LR for 10 Gigabit Ethernet, 40GBase-LR for 40 Gigabit Ethernet, and 100GBase-LR for 100 Gigabit Ethernet. These optical modules can be used to connect to Alibaba Cloud. The optical modules at both ends must be configured with the same parameters.
  4. Check whether you have disabled auto-negotiation on the customer-premises equipment (CPE) and manually configured the port rate and full duplex mode.
    Most network devices on the market, such as Juniper devices, have auto-negotiation enabled by default. You must manually disable this feature.
  5. Contact the service provider to complete the leased line segmentation tests.
    • Contact the leased line provider or the provider of the on-premises data center to conduct in-building cable tests between the optical distribution frames (ODF) and the local access devices. If a loop test is required, conduct fiber optic loopback tests in the building.
    • Contact the leased line provider to test the connection from the on-premises data center to the service provider. If a loop test is required, conduct fiber optic loopback tests in the building.
    • The leased line provider contacts the service provider to complete internal network link tests.
    • Contact the leased line provider and test the in-building cable between ODF and the Alibaba Cloud access devices in the on-premises data center where the Alibaba access point is deployed.
    • To test the pigtail cable, submit a ticket.

    For the actual topology, consult your service provider.