VPN Gateway integrates with Network Intelligence Service (NIS) to diagnose IPsec VPN gateways and surface actionable suggestions. The diagnostic process covers IPsec negotiation failures, route configuration issues, and gateway status problems — without affecting your running traffic.
Diagnostic items
VPN Gateway checks fall into four categories. If you use Border Gateway Protocol (BGP) dynamic routing, pay particular attention to the BGP-specific items in Configuration diagnostics and Route diagnostics.
If you use static routing (policy-based or destination-based routes) rather than BGP, you can skip the items marked as BGP-specific below.
Configuration diagnostics
| Diagnostic item | What it checks | What to do if it fails |
|---|---|---|
| Instance configuration check | Whether the VPN gateway is still being configured | Wait until the gateway status changes to Active before proceeding. |
| Version check | Whether the VPN gateway is running the latest version | Upgrade the gateway. See Upgrade a VPN gateway. |
| IKE tunnel negotiation status | Phase 1 and Phase 2 negotiation status for each IPsec-VPN connection | Follow the guidance in the console, or see Troubleshoot IPsec-VPN connection issues. |
| VPN tunnel configuration integrity | Whether required configuration items are missing from an IPsec-VPN connection | Reconfigure the connection. See Create and manage IPsec-VPN connections in single-tunnel mode or Create and manage IPsec-VPN connections in dual-tunnel mode. |
| System network segment conflict | Whether policy-based routes, destination-based routes, or BGP routes conflict with the reserved CIDR block 100.64.0.0/10 | Modify the conflicting CIDR blocks, or use NAT Gateway for address translation. See Use a VPC NAT gateway and a VPN gateway to connect a data center and a VPC. |
| BGP consistency check (BGP only) | Whether Phase 2 negotiations succeeded but BGP negotiations failed | Check BGP configurations and packet transmission. See the "What do I do if Phase 2 negotiations succeeded but BGP negotiation is in the Abnormal state?" section of FAQ about IPsec-VPN connections. |
| Shared Phase 1 IPsec negotiations | Whether multiple IPsec-VPN connections sharing Phase 1 use identical Internet Key Exchange (IKE) configurations | Align the configurations of all affected connections. All connections must share the same Pre-Shared Key, IKE Version, Negotiation Mode, Encryption Algorithm, Authentication Algorithm, DH Group, and SA Lifetime (Seconds). See Create and manage IPsec-VPN connections in single-tunnel mode. |
Multiple IPsec-VPN connections share Phase 1 when they are all associated with the same customer gateway and use the same IKE version.
Quota limit diagnostics
| Diagnostic item | What it checks | What to do if it fails |
|---|---|---|
| VPN bandwidth usage | Whether bandwidth usage has reached 80% of the upper limit | Upgrade the gateway bandwidth. See Upgrade or downgrade a VPN gateway. |
Cost diagnostics
| Diagnostic item | What it checks | What to do if it fails |
|---|---|---|
| Alerts for overdue payments | Whether the VPN gateway has outstanding payments | Add funds to your Alibaba Cloud account to settle the overdue payments. |
| Alerts for expiration | Whether the VPN gateway expires within seven days | Renew the gateway before it expires. |
Route diagnostics
| Diagnostic item | What it checks | What to do if it fails |
|---|---|---|
| Unpublished routes | Whether unadvertised policy-based or destination-based routes exist | Delete or advertise the routes based on your network requirements. See Advertise a policy-based route and Advertise a destination-based route. |
| BGP configuration check (BGP only) | Whether a BGP-enabled IPsec-VPN connection follows recommended BGP practices | Apply the following practices: (1) Do not configure policy-based or destination-based routes alongside BGP. (2) Disable the health check feature. (3) Set Routing Mode to Destination Routing Mode when using BGP dynamic routing. |
| VPN routing configuration integrity | Whether required route configurations are missing, and whether automatic BGP route propagation is enabled for BGP connections | Add the missing routes or enable automatic BGP route propagation. See Configure policy-based routes, Manage destination-based routes, or the Procedure section of "Configure BGP dynamic routing". |
| Destination-based route conflicts | Whether the destination CIDR blocks of destination-based routes overlap | Delete the conflicting routes and create new ones with non-overlapping CIDR blocks. See Manage destination-based routes. Alternatively, switch to BGP — see Connect a VPC to a data center in dual-tunnel and BGP routing mode. |
| Policy-based route conflicts | Whether the destination CIDR blocks of policy-based routes overlap | Delete the conflicting routes and create new ones with non-overlapping CIDR blocks. See Configure policy-based routes. Alternatively, switch to BGP — see Connect a VPC to a data center in dual-tunnel and BGP routing mode. |
| BGP route conflict check (BGP only) | Whether BGP route CIDR blocks overlap with each other, with destination-based routes, or with policy-based routes | Follow the on-screen instructions in the console to resolve the conflicts. |
| VPC and VPN route match | Whether the destination CIDR block in the VPC route table entry pointing to the VPN gateway is contained within the policy-based route CIDR block | Delete the policy-based route and create a new one whose destination CIDR block contains the VPC route table entry's CIDR block. See Configure policy-based routes. |
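The checks in the Configuration diagnostics table (System network segment conflict, Shared Phase 1 IPsec negotiations) and the Route diagnostics table (Destination-based and Policy-based route conflicts, VPC and VPN route match) can all be reproduced offline against your own planned configuration before you create routes in the console. The following script is an added illustration, not NIS or Alibaba Cloud code: it applies the same rules to constructed sample data using Python's standard `ipaddress` module. The connection and route records are hypothetical dicts and lists, not the real API schema, and the field names (`CustomerGateway`, `IkeVersion`, `PreSharedKey`, and so on) are assumptions chosen to mirror the parameter names in the table above.

```python
"""Offline pre-checks mirroring several NIS diagnostic items for a VPN gateway.

Added example, not Alibaba Cloud's NIS implementation. Route CIDRs are plain
strings; IPsec connections are hypothetical dicts whose keys are assumptions.
"""
from ipaddress import ip_network

# Reserved system segment that no policy-based, destination-based or BGP
# route may overlap (the "System network segment conflict" item).
SYSTEM_RESERVED = ip_network("100.64.0.0/10")

# IKE parameters that must be identical across connections sharing Phase 1
# (the "Shared Phase 1 IPsec negotiations" item). Key names are assumed.
PHASE1_FIELDS = (
    "PreSharedKey", "IkeVersion", "NegotiationMode", "EncryptionAlgorithm",
    "AuthenticationAlgorithm", "DHGroup", "SALifetime",
)


def system_segment_conflicts(cidrs):
    """Return the CIDRs that overlap the reserved 100.64.0.0/10 block."""
    return [c for c in cidrs if ip_network(c).overlaps(SYSTEM_RESERVED)]


def overlapping_routes(cidrs):
    """Return each pair of destination CIDRs that overlap one another.

    Used for both the destination-based and policy-based conflict checks.
    """
    nets = [ip_network(c) for c in cidrs]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def vpc_route_match(vpc_entry_cidr, policy_route_cidrs):
    """True if the VPC route-table entry that points at the VPN gateway is
    contained in at least one policy-based route's destination CIDR."""
    entry = ip_network(vpc_entry_cidr)
    return any(entry.subnet_of(ip_network(c)) for c in policy_route_cidrs)


def shared_phase1_mismatches(connections):
    """Group connections that share Phase 1 (same customer gateway and IKE
    version, as stated above) and report the IKE fields that differ."""
    groups = {}
    for conn in connections:
        key = (conn["CustomerGateway"], conn["IkeVersion"])
        groups.setdefault(key, []).append(conn)
    mismatches = {}
    for key, conns in groups.items():
        if len(conns) < 2:
            continue  # nothing shared, nothing to compare
        differing = [f for f in PHASE1_FIELDS if len({c[f] for c in conns}) > 1]
        if differing:
            mismatches[key] = differing
    return mismatches


def run_prechecks(dest_routes, policy_routes, vpc_entry, connections):
    """Run every check and return a dict keyed by diagnostic item."""
    return {
        "system_segment_conflict": system_segment_conflicts(dest_routes + policy_routes),
        "destination_route_conflicts": overlapping_routes(dest_routes),
        "policy_route_conflicts": overlapping_routes(policy_routes),
        "vpc_vpn_route_match": vpc_route_match(vpc_entry, policy_routes),
        "shared_phase1_mismatches": shared_phase1_mismatches(connections),
    }


# Constructed sample data (not taken from any real gateway).
SAMPLE_DEST_ROUTES = ["10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/24", "100.100.0.0/16"]
SAMPLE_POLICY_ROUTES = ["10.10.0.0/16"]
SAMPLE_VPC_ENTRY = "10.10.5.0/24"
_BASE = {
    "CustomerGateway": "cgw-1", "IkeVersion": "ikev2", "PreSharedKey": "example-psk",
    "NegotiationMode": "main", "EncryptionAlgorithm": "aes256",
    "AuthenticationAlgorithm": "sha256", "DHGroup": "group14", "SALifetime": 86400,
}
SAMPLE_CONNECTIONS = [
    dict(_BASE, Name="conn-a"),
    dict(_BASE, Name="conn-b", SALifetime=28800),      # differs from conn-a
    dict(_BASE, Name="conn-c", CustomerGateway="cgw-2"),  # separate Phase 1
]

if __name__ == "__main__":
    for item, result in run_prechecks(SAMPLE_DEST_ROUTES, SAMPLE_POLICY_ROUTES,
                                      SAMPLE_VPC_ENTRY, SAMPLE_CONNECTIONS).items():
        print(f"{item}: {result}")
```

On the sample data the script flags `100.100.0.0/16` as a system segment conflict, reports the `10.0.0.0/16` and `10.0.1.0/24` destination routes as overlapping, confirms the VPC entry `10.10.5.0/24` is contained in the policy route `10.10.0.0/16`, and reports that `conn-a` and `conn-b` (which share Phase 1) disagree on `SALifetime`. The console diagnosis remains authoritative; this only lets you catch the same classes of mistake before they reach the gateway.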
Run a diagnosis
Log on to the VPN Gateway console.
In the top navigation bar, select the region where the VPN gateway is deployed.
On the VPN Gateways page, find the VPN gateway, then click Diagnose > Instance Diagnosis in the Diagnose column.
In the Instance Diagnostics panel, review the diagnostic results.

If this is your first time using NIS, select Terms of Service for Standard Edition NIS and click Activate NIS free of charge to diagnose instances.
If you are a Resource Access Management (RAM) user and see a permissions error, ask your Alibaba Cloud account owner to grant you the AliyunNISFullAccess permission. See Grant permissions to a RAM user.
The first time you diagnose a VPN gateway, the system automatically creates the service-linked role AliyunServiceRoleForNis. See Service-linked roles.
The Instance Diagnostics panel has three sections:
| Section | Description |
|---|---|
| ① | Lists detected anomalies with diagnosis details, affected resources, and suggested fixes. |
| ② | Select Show All Diagnostic Items in the Diagnostic Items section to view results for all checks, including passed ones. |
| ③ | Click Go to the NIS console to view diagnostic records to open the NIS Overview page and review historical diagnostic reports for this gateway. See Overview. |
Diagnostic example

The following example shows how to diagnose a VPN gateway before using an IPsec-VPN connection to carry production traffic between an on-premises data center and a VPC.
Run a diagnosis on the VPN gateway as described in Run a diagnosis.
In the Instance Diagnostics panel, review the results.

In this example, the system detects a Phase 1 Negotiation Failed error. Click Phase 1 Negotiation Failed in the Diagnostic Result column to view the details and follow the provided guidance to fix the issue.
You can also use the error message on the IPsec Connections page for troubleshooting. If Phase 1 or Phase 2 negotiation fails, an error message appears on that page. See Troubleshoot IPsec-VPN connection issues.

In this case, the error indicates that the pre-shared key differs between the VPN gateway and the peer gateway. Set the same pre-shared key on both sides to resolve the issue.
After resolving the issue, run the diagnosis again to confirm the gateway passes all checks.

If the gateway passes diagnostics but you still experience connectivity issues — such as communication failures between the data center and the VPC — see FAQ about IPsec-VPN connections for further troubleshooting.