
VPN Gateway: Diagnose a VPN gateway

Last Updated: Jan 26, 2024

VPN Gateway is integrated with Network Intelligence Service (NIS). You can use NIS to diagnose a VPN gateway and troubleshoot the issues that you encounter when you use VPN Gateway, based on the solutions that NIS provides. The issues include IPsec negotiation issues, route configuration issues, and issues related to the status of the VPN gateway. The diagnostic process does not affect your business.

Diagnostic items

The following table describes the diagnostic items of a VPN gateway. Each category is listed first, followed by its diagnostic items. Each item is followed by a description of what is checked and, where applicable, how to resolve the issue.

Category: Configurations

Instance configurations

Checks whether a VPN gateway is being configured.

If the VPN gateway is being configured, wait until the VPN gateway enters the Active state before you perform an operation on the VPN gateway.

Version

Checks whether the VPN gateway is of the latest version.

We recommend that you upgrade your VPN gateway to the latest version. For more information, see Upgrade a VPN gateway.

IPsec negotiations

Checks the status of Phase 1 and Phase 2 negotiations for each IPsec-VPN connection on the VPN gateway.

If an exception occurs during the negotiations, see the solution displayed in the console or relevant topics for troubleshooting. For more information, see Troubleshoot IPsec-VPN connection issues.

VPN tunnel configurations

Checks whether IPsec-VPN connections, or the SSL server that is used to create SSL-VPN connections, are configured on the VPN gateway.

If required parameters are not configured, configure the parameters based on your network communication requirements.

CIDR block conflicts

Checks whether the destination CIDR blocks of the policy-based routes, destination-based routes, and Border Gateway Protocol (BGP) routes on the VPN gateway conflict with 100.64.0.0/10.

100.64.0.0/10 is reserved by Alibaba Cloud. Make sure that the destination CIDR blocks of the policy-based routes, destination-based routes, and BGP routes on the VPN gateway do not conflict with 100.64.0.0/10 or its subnets. Otherwise, the VPN gateway cannot work as expected.

If such conflicts exist, modify the conflicting CIDR blocks or use NAT Gateway for address translation. For more information, see Use a VPC NAT gateway and a VPN gateway to connect a data center and a VPC.

Unreliable SSL connections

Checks whether unreliable SSL-VPN connections exist on the VPN gateway.

If unreliable SSL-VPN connections that use the UDP protocol exist on an SSL server, we recommend that you set the Protocol parameter of the SSL server to TCP to resolve this issue. The TCP protocol is more reliable than the UDP protocol. For more information, see Modify an SSL server.

CIDR block conflicts within a virtual private cloud (VPC)

Checks whether the Local Network and Client CIDR Block configured for an SSL server conflict with the CIDR block of a vSwitch in the VPC.

If such conflicts exist, we recommend that you modify the CIDR block of the SSL server. For more information, see Modify an SSL server.

Insufficient IP addresses

Checks whether the Client CIDR Block configured for an SSL server contains sufficient IP addresses to meet the requirements of SSL-VPN connections.

If the IP addresses are insufficient, modify the client CIDR block. For more information, see Modify an SSL server.

Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the VPN gateway.

For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first divides a subnet CIDR block with a subnet mask of 30 from 192.168.0.0/24, such as 192.168.0.4/30. This subnet provides up to four IP addresses. Then, the system allocates an IP address from 192.168.0.4/30 to the client and uses the other three IP addresses to ensure network communication. In this case, one client consumes four IP addresses. Therefore, to ensure that an IP address can be allocated to your client, you must make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the associated VPN gateway.
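The three CIDR checks above (route destinations conflicting with 100.64.0.0/10, SSL server CIDR blocks overlapping a vSwitch, and client CIDR block capacity) can be reproduced offline before you run the console diagnostics. The following Python script is an added example written for this page; it is not Alibaba Cloud code and does not call any NIS API. The route lists, CIDR blocks, and maximum connection count in it are constructed sample values. It generalizes the /24 example above to any prefix length: because each client consumes one /30, a client CIDR block with prefix length p serves 2**(30 - p) clients.

```python
"""Offline CIDR checks mirroring the VPN gateway diagnostic items above.

Added example, not Alibaba Cloud code. Sample CIDR blocks and the maximum
connection count used in the stand-alone run are constructed values.
"""
import ipaddress

# Block reserved by Alibaba Cloud for VPN gateway use (stated on the page).
RESERVED_BLOCK = ipaddress.ip_network("100.64.0.0/10")


def reserved_conflicts(route_cidrs):
    """Return the route destination CIDRs that overlap 100.64.0.0/10.

    Overlap in either direction counts: a route for 100.64.0.0/10 itself,
    for one of its subnets, or for a supernet such as 100.0.0.0/8 all
    collide with the reserved range.
    """
    return [
        cidr for cidr in route_cidrs
        if ipaddress.ip_network(cidr, strict=False).overlaps(RESERVED_BLOCK)
    ]


def ssl_vswitch_conflicts(local_network, client_cidr, vswitch_cidrs):
    """Return (ssl_setting, vswitch_cidr) pairs that overlap.

    The SSL server's Local Network and Client CIDR Block must not overlap
    any vSwitch CIDR block in the VPC.
    """
    ssl_blocks = {
        "Local Network": ipaddress.ip_network(local_network, strict=False),
        "Client CIDR Block": ipaddress.ip_network(client_cidr, strict=False),
    }
    conflicts = []
    for name, block in ssl_blocks.items():
        for vsw in vswitch_cidrs:
            if block.overlaps(ipaddress.ip_network(vsw, strict=False)):
                conflicts.append((name, vsw))
    return conflicts


def client_capacity(client_cidr):
    """Number of clients a client CIDR block can serve.

    Each client consumes one /30 (four addresses), so a block with prefix
    length p holds 2**(30 - p) clients. A block smaller than /30 serves none.
    """
    net = ipaddress.ip_network(client_cidr, strict=False)
    if net.prefixlen > 30:
        return 0
    return 2 ** (30 - net.prefixlen)


def client_cidr_sufficient(client_cidr, max_connections):
    """True if the block holds at least 4 * max_connections addresses,
    which is the rule stated for the Insufficient IP addresses item."""
    net = ipaddress.ip_network(client_cidr, strict=False)
    return net.num_addresses >= 4 * max_connections


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    routes = ["10.0.0.0/16", "100.64.8.0/22", "192.168.10.0/24"]
    print("reserved conflicts:", reserved_conflicts(routes))
    print("ssl/vswitch conflicts:",
          ssl_vswitch_conflicts("192.168.0.0/16", "10.10.0.0/24",
                                ["192.168.1.0/24", "172.16.0.0/24"]))
    print("clients in 192.168.0.0/24:", client_capacity("192.168.0.0/24"))
    print("sufficient for 100 connections:",
          client_cidr_sufficient("192.168.0.0/24", 100))
```

The `strict=False` argument lets the checks accept a host-style entry such as 192.168.0.4/30 from an exported route table instead of rejecting it; every comparison is still done on the network address.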

Public CIDR block conflicts

Checks whether the public CIDR block that is configured as the Client CIDR Block of an SSL server is specified as the user CIDR block of the VPC.

If the client CIDR block of the SSL server is a public CIDR block, you must specify the public CIDR block as the user CIDR block of the VPC. For more information, see the What is a user CIDR block? and How do I configure a user CIDR block? sections of the "FAQ" topic.

BGP consistency

Checks whether Phase 2 negotiations succeed but BGP negotiations fail.

If Phase 2 negotiations succeed but BGP negotiations fail, check the BGP configurations and transmission of BGP packets. For more information, see the "What do I do if the system prompts that Phase 2 negotiations succeeded but the BGP negotiation is in the Abnormal state?" section of the FAQ about IPsec-VPN connections topic.

Shared Phase 1 IPsec negotiations

Checks whether the configurations of multiple IPsec-VPN connections are the same if the IPsec-VPN connections share Phase 1 negotiations.

If multiple IPsec-VPN connections are associated with the same VPN gateway and customer gateway, and use the same Internet Key Exchange (IKE) version, the IPsec-VPN connections share the same Phase 1 negotiation. In scenarios in which multiple IPsec-VPN connections share the same Phase 1 negotiation, the IPsec-VPN connections must have the same Pre-Shared Key and IKE settings, including the version, negotiation mode, encryption algorithm, authentication algorithm, DH group, and SA lifetime (in seconds). This ensures that the IKE settings of each IPsec-VPN connection can be shared during IPsec negotiations.

Modify the IPsec-VPN connection configurations based on your business requirements to ensure that the IPsec-VPN connections use the same configurations. For more information, see the "Modify an IPsec-VPN connection" section of the Create and manage IPsec-VPN connections in single-tunnel mode topic.
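The consistency rule above (connections that share a Phase 1 negotiation must agree on the pre-shared key and every IKE setting) can be checked from an exported list of connection settings. The following Python script is an added example written for this page, not Alibaba Cloud or NIS code. The field names (`vpn_gateway`, `customer_gateway`, `ike_version`, `ike_mode`, and so on) are assumptions modelled on the console parameters, and the connection records are constructed samples. Pre-shared keys are compared by digest so that a finding never carries the secret itself.

```python
"""Check that IPsec-VPN connections sharing a Phase 1 negotiation use
identical IKE settings (added example, not Alibaba Cloud code).

Connections with the same VPN gateway, customer gateway and IKE version
share one Phase 1 negotiation, so their pre-shared key and IKE parameters
must match. Field names are assumptions; records are constructed samples.
"""
from collections import defaultdict
import hashlib

# IKE settings that must agree across connections sharing Phase 1. The IKE
# version is part of the grouping key, so it is not compared again here.
IKE_FIELDS = ("ike_mode", "ike_enc_alg", "ike_auth_alg",
              "ike_dh_group", "ike_lifetime")


def _psk_fingerprint(psk):
    """Compare pre-shared keys by digest so a report never carries the
    plaintext secret; equal keys give equal digests."""
    return hashlib.sha256(psk.encode()).hexdigest()[:16]


def phase1_groups(connections):
    """Group connections by (vpn_gateway, customer_gateway, ike_version)."""
    groups = defaultdict(list)
    for conn in connections:
        key = (conn["vpn_gateway"], conn["customer_gateway"], conn["ike_version"])
        groups[key].append(conn)
    return groups


def shared_phase1_mismatches(connections):
    """Return (group_key, field, {connection_name: value}) for every field
    that differs within a group of connections that share Phase 1.
    An empty list means the diagnostic item passes."""
    findings = []
    for key, conns in phase1_groups(connections).items():
        if len(conns) < 2:
            continue  # a single connection cannot disagree with itself
        for field in IKE_FIELDS + ("psk",):
            values = {
                c["name"]: (_psk_fingerprint(c[field]) if field == "psk" else c[field])
                for c in conns
            }
            if len(set(values.values())) > 1:
                findings.append((key, field, values))
    return findings


def _sample_connections():
    """Constructed sample records (not real gateways or keys)."""
    base = dict(vpn_gateway="vpn-gw-A", customer_gateway="cgw-1",
                ike_version="ikev2", ike_mode="main", ike_enc_alg="aes256",
                ike_auth_alg="sha256", ike_dh_group="group14",
                ike_lifetime=86400, psk="example-psk")
    return [
        dict(base, name="conn-1"),
        dict(base, name="conn-2", ike_lifetime=3600),          # differs: flagged
        dict(base, name="conn-3", customer_gateway="cgw-2"),   # separate group
    ]


if __name__ == "__main__":
    for group, field, values in shared_phase1_mismatches(_sample_connections()):
        print(f"group {group}: {field} differs: {values}")
```

A finding names the group and the field, which is what you need to decide which connection to modify; the SA lifetime mismatch in the sample (86400 versus 3600 seconds) is the kind of drift that silently breaks a shared Phase 1.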

Category: Quotas

VPN gateway bandwidth usage

Checks whether the bandwidth usage of the VPN gateway reaches 80% of the upper limit.

VPN connections

Checks whether the number of SSL-VPN connections on the VPN gateway reaches 80% of the upper limit.

If the number of SSL-VPN connections on the VPN gateway reaches 80% of the upper limit, you can request a quota increase based on your network requirements. For more information, see Modify the maximum number of concurrent SSL connections.

Category: Certificates

SSL client certificate expiration

Checks whether the SSL client certificate has expired.

The default validity period of an SSL client certificate is three years. If the SSL client certificate has expired, delete the SSL client certificate, create a new SSL client certificate, and then install the new certificate on the client. For more information, see Create an SSL client certificate and the "Step 4: Configure the client" section of the Connect a client to a VPC topic.

SSL client certificate pre-expiration

Checks whether the SSL client certificate expires within 60 days.

If the SSL client certificate expires within 60 days, we recommend that you delete it and create a new SSL client certificate. Then, install the new certificate on the client. For more information, see Create an SSL client certificate and the "Step 4: Configure the client" section of the Connect a client to a VPC topic.

Category: Fees

Overdue payments

Checks whether the VPN gateway has overdue payments.

If the VPN gateway has overdue payments, add funds to your account.

Overdue payment alert

Checks whether the VPN gateway expires within seven days.

Category: Routes

Unadvertised routes

Checks whether the VPN gateway has unadvertised policy-based or destination-based routes.

If unadvertised policy-based or destination-based routes exist, delete or advertise the routes based on your network communication requirements. For more information, see the Advertise a policy-based route and Delete a policy-based route sections in the "Manage policy-based routes" topic or the Advertise a destination-based route and Delete a destination-based route sections in the "Manage destination-based routes" topic.

Improper BGP configurations

Checks whether the VPN gateway uses proper BGP configurations if an IPsec-VPN connection uses BGP.

  • If an IPsec-VPN connection uses BGP, we recommend that you do not configure policy-based or destination-based routes. We recommend that you use BGP for networking.

  • If an IPsec-VPN connection uses BGP, we recommend that you disable the health check feature.

  • If an IPsec-VPN connection uses BGP, we recommend that you set the Routing Mode parameter of the IPsec-VPN connection to Destination Routing Mode.

Category: VPN route configurations

Destination-based route conflicts

Checks whether the destination CIDR blocks of destination-based routes on the VPN gateway overlap with each other.

If such conflicts exist, delete the conflicting destination-based routes and create new ones. Make sure that the destination CIDR blocks of destination-based routes do not overlap with each other. For more information, see Manage destination-based routes.

You can also use BGP for networking. For more information, see Connect a VPC to a data center by using an IPsec-VPN connection in single-tunnel mode and enable BGP routing.

Policy-based route conflicts

Checks whether the destination CIDR blocks of policy-based routes on the VPN gateway overlap with each other.

If such conflicts exist, delete the conflicting policy-based routes and create new ones. Make sure that the destination CIDR blocks of policy-based routes do not overlap with each other. For more information, see Manage policy-based routes.

You can also use BGP for networking. For more information, see Connect a VPC to a data center by using an IPsec-VPN connection in single-tunnel mode and enable BGP routing.

BGP route conflicts

  • Checks whether the destination CIDR blocks of BGP routes overlap with each other.

  • Checks whether the destination CIDR blocks of BGP routes and destination-based routes overlap.

  • Checks whether the destination CIDR blocks of BGP routes and policy-based routes overlap.

If such conflicts exist, troubleshoot the issues by following the on-screen instructions displayed in the console.

Match between VPC routes and VPN routes

Checks whether the destination CIDR block of the route in a VPC route table that points to the VPN gateway overlaps with the destination CIDR block of the policy-based route on the VPN gateway.

Make sure that the destination CIDR block of the policy-based route contains the destination CIDR block of the route in the VPC route table that points to the VPN gateway.

If the preceding condition is not met, change the destination CIDR block of the policy-based route by deleting the policy-based route and creating a new one that meets the condition. For more information, see Manage policy-based routes.
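The overlap and containment rules of the four route items above (destination-based, policy-based and BGP route conflicts, and the match between VPC routes and policy-based routes) can be verified against an exported route table. The following Python script is an added example written for this page, not Alibaba Cloud or NIS code; the route entries are constructed samples. The containment check implements the rule that the policy-based route destination must contain the destination of the VPC route that points to the VPN gateway, and reports only the VPC routes that fail it.

```python
"""Route consistency checks for a VPN gateway (added example, not Alibaba
Cloud code). Route entries below are constructed sample values.
"""
import ipaddress
from itertools import combinations


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def overlapping_pairs(routes):
    """Return every pair of destination CIDRs in one route set that overlap.

    Destination-based routes must not overlap each other; the same holds
    for policy-based routes and for BGP routes.
    """
    return [
        (a, b) for a, b in combinations(routes, 2)
        if _net(a).overlaps(_net(b))
    ]


def cross_overlaps(bgp_routes, other_routes):
    """Return (bgp_cidr, other_cidr) pairs that overlap.

    Used to compare BGP routes against destination-based routes and
    against policy-based routes.
    """
    return [
        (b, o) for b in bgp_routes for o in other_routes
        if _net(b).overlaps(_net(o))
    ]


def vpc_routes_matched(vpc_routes_to_gateway, policy_route_destinations):
    """Return VPC route-table destinations (pointing at the VPN gateway)
    that are NOT contained in any policy-based route destination.

    Rule from the page: the policy-based route's destination CIDR block must
    contain the VPC route's destination CIDR block. Any returned entry fails.
    """
    policy_nets = [_net(p) for p in policy_route_destinations]
    return [
        v for v in vpc_routes_to_gateway
        if not any(_net(v).subnet_of(p) for p in policy_nets)
    ]


def diagnose_routes(destination_routes, policy_routes, bgp_routes,
                    vpc_routes_to_gateway):
    """Run all route checks and return only the findings that are non-empty."""
    findings = {
        "destination_route_conflicts": overlapping_pairs(destination_routes),
        "policy_route_conflicts": overlapping_pairs(policy_routes),
        "bgp_route_conflicts": overlapping_pairs(bgp_routes),
        "bgp_vs_destination": cross_overlaps(bgp_routes, destination_routes),
        "bgp_vs_policy": cross_overlaps(bgp_routes, policy_routes),
        "unmatched_vpc_routes": vpc_routes_matched(vpc_routes_to_gateway,
                                                   policy_routes),
    }
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    # Constructed sample route tables for a stand-alone run.
    report = diagnose_routes(
        destination_routes=["10.1.0.0/16", "10.1.2.0/24"],
        policy_routes=["192.168.1.0/24"],
        bgp_routes=["172.16.0.0/12"],
        vpc_routes_to_gateway=["192.168.1.0/24", "192.168.2.0/24"],
    )
    for name, hits in report.items():
        print(f"{name}: {hits}")
```

An empty dictionary from `diagnose_routes` corresponds to all four items passing; each key that does appear names the item to fix and lists the exact CIDR blocks involved.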

Start a diagnostics

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region in which the VPN gateway is deployed.

  3. On the VPN Gateways page, find the VPN gateway that you want to manage. Click Diagnose in the Instance Diagnostics column and choose Instance Diagnosis.

  4. In the Instance Diagnostics panel, view the diagnostic details.

    Note
    • If NIS is not activated, select Terms of Service for Standard Edition NIS and click Activate NIS free of charge to diagnose instances.

    • If you activate NIS as a RAM user and a message appears indicating that you do not have the required permission, use your Alibaba Cloud account to grant the AliyunNISFullAccess permission to the RAM user. For more information, see Grant permissions to a RAM user.

    • If this is the first time that you run diagnostics, the system automatically creates the service-linked role AliyunServiceRoleForNis. For more information, see Service-linked roles.

    Figure: Start a diagnostics.

    The callouts in the figure are described below.

    • Anomalies are displayed in the Instance Diagnostics panel. You can view the diagnosis description, relevant resources, and suggestions.

    • You can view all diagnostic details about the VPN gateway by selecting Show All Diagnostic Items in the Diagnostic Items section.

    • To view historical diagnostic reports about the VPN gateway, click Go to the NIS console to view diagnostic records in the upper part of the Instance Diagnostics panel. The Overview page of the NIS console appears. For more information, see Use features on the Overview page.

Diagnostics examples

Diagnostics example on IPsec-VPN connections

Figure: Instance diagnostics, IPsec-VPN.

In scenarios in which a data center accesses VPC resources by using an IPsec-VPN connection, you can diagnose your VPN gateway to ensure that the IPsec-VPN connection works as expected before you use the connection to transmit service data.

  1. Start a diagnostics. For more information, see the Start a diagnostics section of this topic.

  2. In the Instance Diagnostics panel, view the diagnostic details.

    Figure: Start a diagnostics, example 1.

    The preceding figure shows an example of a VPN gateway that fails the diagnostics because the Phase 1 negotiation of an IPsec-VPN connection fails. You can click Phase 1 Negotiation Failed in the Result column to view more details and troubleshoot issues.

    You can also troubleshoot issues based on the error message on the IPsec Connections page. If the Phase 1 or Phase 2 negotiation of an IPsec-VPN connection fails, an error message is displayed on the IPsec Connections page. You can use the error message for troubleshooting. For more information, see Troubleshoot IPsec-VPN connection issues.

    Figure: Start a diagnostics, example 1, IPsec connection error code.

    The preceding figure shows an example of the error message displayed on the IPsec Connections page due to failed Phase 1 negotiation of an IPsec-VPN connection. The IPsec-VPN connection fails because the pre-shared key is different on the VPN gateway and the peer gateway. To resolve this issue, make sure that both gateways use the same pre-shared key.

  3. After you resolve the issue, diagnose the VPN gateway again. Make sure that the VPN gateway passes the diagnostics.

    Figure: Start a diagnostics, example 1, diagnostics passed.

  4. If the VPN gateway passes the diagnostics, but issues occur when you use the IPsec-VPN connection, such as communication failures between the data center and the VPC, see the FAQ topics of VPN Gateway for troubleshooting. For more information, see FAQ about IPsec-VPN connections.

Diagnostic example on SSL-VPN connections

Figure: Instance diagnostics, SSL-VPN.

In scenarios in which you access VPC resources by using SSL-VPN connections, if issues such as client connection failures occur, you can diagnose the VPN gateway for troubleshooting.

  1. Start a diagnostics. For more information, see the Start a diagnostics section of this topic.

  2. In the Instance Diagnostics panel, view the diagnostic details.

    Figure: Start a diagnostics, example 2.

    The preceding figure shows an example of a VPN gateway that fails the diagnostics due to failed client connections. The client connections fail because the SSL server uses UDP to establish SSL-VPN connections. We recommend that you change the protocol of the SSL server to TCP to prevent this issue.

  3. After you resolve the issue, diagnose the VPN gateway again. Make sure that the VPN gateway passes the diagnostics.

    Figure: Start a diagnostics, example 2, diagnostics passed.

  4. If the VPN gateway passes the diagnostics, but issues occur when you use the SSL-VPN connection, such as communication failures between the data center and the VPC, see the FAQ topics of VPN Gateway for troubleshooting. For more information, see Troubleshoot SSL-VPN connection issues and FAQ about SSL-VPN connections.