
VPN Gateway: Monitor an IPsec-VPN connection

Last Updated: Apr 15, 2026

Monitoring is an important part of maintaining the reliability, availability, and performance of an IPsec-VPN connection. VPN Gateway allows you to monitor metrics such as the negotiation status of IPsec-VPN connection tunnels and inbound/outbound traffic rates. This gives you clear insights into the operational status and bandwidth usage of your IPsec-VPN connection, helping you quickly identify network bottlenecks, detect network faults or anomalies, and improve network reliability and availability. VPN Gateway is integrated with CloudMonitor, which lets you centrally monitor and manage your Alibaba Cloud resources from the CloudMonitor console.

Monitor IPsec-VPN tunnel status

VPN Gateway allows you to monitor the status of each tunnel. You can view the current status of a tunnel in the VPN Gateway console. You can also subscribe to system events or create threshold-triggered alert rules for metrics to receive timely notifications about tunnel status changes.

  • View the status of an IPsec-VPN connection tunnel


    Log on to the VPN Gateway console and select the IPsec-VPN connection's region. In the left-side navigation pane, choose IPsec Connections:

    • IPsec-VPN connection in dual-tunnel mode

      On the IPsec-VPN connection page, click the ID of the IPsec-VPN connection. On the details page, click the Tunnel tab and view the negotiation status of the active and standby tunnels in the Connection Status column.

    • IPsec-VPN connection in single-tunnel mode

      On the IPsec-VPN connection page, find the IPsec-VPN connection and view its negotiation status in the Connection Status column.

    Note

    If an IPsec-VPN connection or its tunnel has an abnormal status, you can troubleshoot the issue by using the error code shown in the console.

  • VPN Gateway system events

VPN Gateway system events are predefined events that record and notify you about changes in tunnel negotiation status and health check status. You can view system events generated by VPN Gateway in the CloudMonitor console and subscribe to system events to stay informed of resource status changes and respond quickly.

System events supported by VPN Gateway:

Important

A system event is generated only when the status of a resource changes.

For example, after you configure a health check for an IPsec-VPN connection, its initial status is failed. The system does not generate a health check failed system event by default. A health check success or health check failed system event is generated only when the health check status changes from failed to success or from success to failed. If you have subscribed to system events, the system then sends you an alert notification.

| Resource | Event name | Event description | Description | Event type | Event level |
| --- | --- | --- | --- | --- | --- |
| IPsec-VPN connection in dual-tunnel mode | ipsec_tunnel_nego_success | IPsec tunnel negotiation succeeded | A tunnel of an IPsec-VPN connection in dual-tunnel mode is successfully negotiated. | Status Notification | Info |
| | ipsec_tunnel_nego_failed | IPsec tunnel negotiation failed | A tunnel of an IPsec-VPN connection in dual-tunnel mode fails to negotiate. | Status Notification | Warning |
| | ipsec_vco_tunnel_all_nego_failed | All IPsec connection tunnels failed to be negotiated | Both tunnels of an IPsec-VPN connection in dual-tunnel mode fail to negotiate. | Status Notification | Warning |
| IPsec-VPN connection in single-tunnel mode | ipsec_phase1_nego_failed | IPsec Phase 1 negotiation failed | Phase 1 negotiation of an IPsec-VPN connection associated with a VPN Gateway instance failed. | Status Notification | Warning |
| | ipsec_phase1_nego_success | IPsec Phase 1 negotiation succeeded | Phase 1 negotiation of an IPsec-VPN connection associated with a VPN Gateway instance succeeded. | Status Notification | Info |
| | ipsec_phase2_nego_failed | IPsec Phase 2 negotiation failed | Phase 2 negotiation of an IPsec-VPN connection associated with a VPN Gateway instance failed. | Status Notification | Warning |
| | ipsec_phase2_nego_success | IPsec Phase 2 negotiation succeeded | Phase 2 negotiation of an IPsec-VPN connection associated with a VPN Gateway instance succeeded. | Status Notification | Info |
| | ipsec_health_check_failed | health check failed | The health check of an IPsec-VPN connection associated with a VPN Gateway instance failed. | Status Notification | Warning |
| | ipsec_health_check_success | health check success | The health check of an IPsec-VPN connection associated with a VPN Gateway instance succeeded. | Status Notification | Info |
| | vpn_connection_hc_failed | VPN Connection health check failed | The health check of a VPN Connection failed. | Status Notification | Warning |
| | vpn_connection_hc_success | VPN Connection health check succeeded | The health check of a VPN Connection succeeded. | Status Notification | Info |
| | vpn_connection_ph1_failed | VPN Connection Phase 1 negotiation failed | Phase 1 negotiation of a VPN Connection failed. | Status Notification | Warning |
| | vpn_connection_ph1_success | VPN Connection Phase 1 negotiation succeeded | Phase 1 negotiation of a VPN Connection succeeded. | Status Notification | Info |
| | vpn_connection_ph2_failed | VPN Connection Phase 2 negotiation failed | Phase 2 negotiation of a VPN Connection failed. | Status Notification | Warning |
| | vpn_connection_ph2_success | VPN Connection Phase 2 negotiation succeeded | Phase 2 negotiation of a VPN Connection succeeded. | Status Notification | Info |
| SSL-VPN connection | CertKeyExpired | Certificate expired | The SSL client certificate has expired. | Exception | Critical |

  • Metrics for IPsec-VPN connection tunnel status

    VPN Gateway provides metrics related to tunnel status. You can create threshold-triggered alert rules for these metrics to receive notifications about tunnel status changes.

    Tunnel status metrics:

    | Resource | Metric name | Metric description | Description |
    | --- | --- | --- | --- |
    | vpn (VPN Gateway). An IPsec-VPN connection associated with a VPN Gateway instance. | ipsec.state | IPsec negotiation status of an IPsec-VPN connection on a VPN Gateway | The negotiation status of an IPsec-VPN connection in single-tunnel mode. A value of 0 indicates that the negotiation is abnormal. A value of 1 indicates that the negotiation is normal. |
    | | tun.state | Negotiation status of a tunnel in an IPsec-VPN connection on a VPN Gateway | The negotiation status of a tunnel in an IPsec-VPN connection in dual-tunnel mode. A value of 0 indicates that the negotiation is abnormal. A value of 1 indicates that the negotiation is normal. |
    | | ipsec.bgp_state | BGP negotiation status of an IPsec-VPN connection on a VPN Gateway | The BGP negotiation status of an IPsec-VPN connection for a VPN Gateway in single-tunnel mode, where 0 indicates that the BGP negotiation is abnormal and 1 indicates that the BGP negotiation is normal. |
    | | tun.bgp_state | BGP negotiation status of an IPsec tunnel on a VPN Gateway | The BGP negotiation status of the IPsec tunnel for a VPN Gateway in dual-tunnel mode: 0 indicates that the BGP negotiation is abnormal, and 1 indicates that the BGP negotiation is normal. |
    | vpnconnection (VPN Connection). An IPsec-VPN connection associated with a Transit Router. | vpn_connection.state | IPsec negotiation status of a VPN Connection | For the negotiation status of a single-tunnel mode IPsec-VPN connection, a metric value of 0 indicates that the negotiation is abnormal, and a metric value of 1 indicates that the negotiation is normal. |
    | | vpn_connection_tun.state | Negotiation status of a tunnel in a VPN Connection | The negotiation status of a tunnel in a dual-tunnel IPsec-VPN connection. A metric value of 0 indicates that the tunnel negotiation is abnormal, and a metric value of 1 indicates that the tunnel negotiation is normal. |
    | | vpn_connection.bgp_state | BGP negotiation status of a VPN Connection | The BGP negotiation status of the IPsec-VPN connection in single-tunnel mode: 0 indicates that the BGP negotiation is unsuccessful, and 1 indicates that the BGP negotiation is successful. |
    | | vpn_connection_tun.bgp_state | BGP negotiation status of an IPsec tunnel in a VPN Connection | The BGP negotiation status of the IPsec tunnel for a VPN Connection in dual-tunnel mode, where 0 indicates that the BGP negotiation is abnormal and 1 indicates that it is normal. |
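The gap between change-only system events (the Important note above) and a threshold rule on a 0/1 state metric, as an added example that is not code from this page or from Alibaba Cloud. The sample series are constructed, and the function names and the `consecutive` parameter are hypothetical; it assumes the sampled value reads 0 for as long as the status is failed.

```python
from typing import List, Tuple

FAILED, SUCCESS = 0, 1  # same 0/1 encoding as the state metrics (0 abnormal, 1 normal)

def health_check_events(samples: List[int], initial: int = FAILED) -> List[Tuple[int, str]]:
    """Events an edge-triggered source emits: one per status change, none for
    the initial 'failed' status (the behaviour the Important note describes)."""
    events, prev = [], initial
    for i, cur in enumerate(samples):
        if cur != prev:
            name = "ipsec_health_check_success" if cur == SUCCESS else "ipsec_health_check_failed"
            events.append((i, name))
        prev = cur
    return events

def threshold_alerts(samples: List[int], consecutive: int = 3) -> List[int]:
    """Level-triggered rule: alert once when the value has been 0 for
    `consecutive` samples in a row (hypothetical rule parameter)."""
    alerts, run = [], 0
    for i, value in enumerate(samples):
        run = run + 1 if value == FAILED else 0
        if run == consecutive:
            alerts.append(i)
    return alerts

def unreported_outages(samples: List[int], consecutive: int = 3) -> List[int]:
    """Threshold alerts whose outage began without a '_failed' event, i.e.
    outages an event-only subscription would never hear about."""
    failed_at = {i for i, name in health_check_events(samples) if name.endswith("_failed")}
    return [a for a in threshold_alerts(samples, consecutive)
            if (a - consecutive + 1) not in failed_at]

# Constructed sample series, one value per collection cycle.
NEVER_UP = [0, 0, 0, 0, 0, 0]        # status is failed from the start
FLAP = [0, 0, 1, 1, 0, 0, 0, 1]      # comes up, drops for three cycles, recovers

if __name__ == "__main__":
    for label, series in (("never_up", NEVER_UP), ("flap", FLAP)):
        print(label, health_check_events(series), threshold_alerts(series),
              unreported_outages(series))
```

For `NEVER_UP` no event is emitted but the threshold rule fires, which is why an alert rule on the state metric complements an event subscription.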

Monitor IPsec-VPN traffic rate

VPN Gateway lets you view inbound/outbound traffic rates, packet rates, and bandwidth utilization at the VPN Gateway instance, IPsec-VPN connection, and tunnel levels. This helps you quickly identify network congestion points or abnormal traffic and optimize bandwidth utilization.

  • View the traffic rate of an IPsec-VPN connection

    The following sections describe how to view traffic rate information in the VPN Gateway console. You can also view this information in the CloudMonitor console. For more information, see Cloud service monitoring.

    View the traffic rates of an IPsec-VPN connection and its tunnels

    Log on to the VPN Gateway console and select the region where the IPsec-VPN connection is deployed. In the left-side navigation pane, choose IPsec Connections. On the IPsec-VPN connection page, click the ID of the IPsec-VPN connection. On the details page, click the Monitor tab to view traffic rate information.

    For an IPsec-VPN connection in dual-tunnel mode, you can select a Dimension to view the traffic rate of a specific tunnel.

    | Dimension | Metric | Description |
    | --- | --- | --- |
    | IPsec-VPN Connection | IPsec Connection Inbound Packet Rate | The rate at which the IPsec-VPN connection receives data packets. Unit: pps. |
    | | IPsec Connection Outbound Packet Rate | The rate at which the IPsec-VPN connection sends data packets. Unit: pps. |
    | | IPsec Connection Inbound Traffic Rate | The rate at which the IPsec-VPN connection receives traffic. Unit: bps. |
    | | IPsec Connection Outbound Traffic Rate | The rate at which the IPsec-VPN connection sends traffic. Unit: bps. |
    | Tunnel | Tunnel Inbound Packet Rate | The rate at which the tunnel receives data packets. Unit: pps. |
    | | Tunnel Outbound Packet Rate | The rate at which the tunnel sends data packets. Unit: pps. |
    | | Tunnel Inbound Traffic Rate | The rate at which the tunnel receives traffic. Unit: bps. |
    | | Tunnel Outbound Traffic Rate | The rate at which the tunnel sends traffic. Unit: bps. |

    View the traffic rate of a VPN Gateway instance

    If a VPN Gateway instance has multiple IPsec-VPN connections, you can view the instance-level traffic rate to see the total traffic rate across all connections.

    Log on to the VPN Gateway console and select the VPN Gateway instance's region. On the VPN Gateways page, click the instance ID. On the details page, click the Monitor tab to view its traffic rate.

    If the VPN Gateway instance also has SSL-VPN connections, the metrics will include the traffic rates from those connections as well.

    | Metric | Description |
    | --- | --- |
    | VPN Gateway Inbound Packet Rate | The rate at which the VPN Gateway instance receives data packets. Unit: pps. |
    | VPN Gateway Outbound Packet Rate | The rate at which the VPN Gateway instance sends data packets. Unit: pps. |
    | VPN Gateway Inbound Traffic Rate | The rate at which the VPN Gateway instance receives traffic. Unit: bps. |
    | VPN Gateway Outbound Traffic Rate | The rate at which the VPN Gateway instance sends traffic. Unit: bps. |
    | Number of SSL Client Connections | The number of clients connected to the VPN Gateway instance through SSL-VPN connections. Unit: count. |
    | Gateway.rx.utilization | The percentage of bandwidth used by inbound traffic on the VPN Gateway instance. |
    | Gateway.tx.utilization | The percentage of bandwidth used by outbound traffic on the VPN Gateway instance. |

  • Create a threshold-triggered alert rule for traffic rate metrics

    In the CloudMonitor console, create a threshold-triggered alert rule for IPsec-VPN traffic rate metrics. If the rate exceeds your configured threshold, the system sends an alert, so you can respond to issues promptly.

    Traffic rate metrics

    | Product | Monitored resource | Metric and description |
    | --- | --- | --- |
    | VPN Gateway. For IPsec-VPN connections associated with a VPN Gateway. | VPN Gateway instance | Gateway.rx.utilization (in_bandwidth_utilization): The percentage of bandwidth that is used by inbound traffic on the VPN Gateway instance. |
    | | | Gateway.tx.utilization (out_bandwidth_utilization): The percentage of bandwidth that is used by outbound traffic on the VPN Gateway instance. |
    | | | VpnGateway.rxPkgs (net.rxPkgs): The rate at which the VPN Gateway instance receives data packets. |
    | | | VpnGateway.txPkgs (net.txPkgs): The rate at which the VPN Gateway instance sends data packets. |
    | | | SSL Client Count (ssl_client.count): The number of clients that are connected to the VPN Gateway instance through SSL-VPN connections. |
    | | | Gateway Inbound Bandwidth (net_rx.rate): The rate at which the VPN Gateway instance receives traffic. |
    | | | Gateway Outbound Bandwidth (net_tx.rate): The rate at which the VPN Gateway instance sends traffic. |
    | | IPsec-VPN connection | IPSec.connection.rxPkgs (ipsec.rxPkgs): The rate at which the IPsec-VPN connection receives data packets. |
    | | | IPSec.connection.txpkgs (ipsec.txPkgs): The rate at which the IPsec-VPN connection sends data packets. |
    | | | IPSec.connection.rx.rate (ipsec_rx.rate): The rate at which the IPsec-VPN connection receives traffic. |
    | | | IPSec.connection.tx.rate (ipsec_tx.rate): The rate at which the IPsec-VPN connection sends traffic. |
    | | | IPSec.connection.bgp_state (ipsec.bgp_state): 0 indicates that the BGP negotiation is abnormal, and 1 indicates that the BGP negotiation is normal. |
    | | | IPSec.connection.state (ipsec.state): 0 indicates that the connection negotiation is abnormal, and 1 indicates that it is normal. |
    | | Tunnel | Tunnel.rx.pps (tun.rx_pps): The rate at which a tunnel receives data packets. |
    | | | Tunnel.tx.pps (tun.tx_pps): The rate at which a tunnel sends data packets. |
    | | | Tunnel.rx.bps (tun.rx_bps): The rate at which a tunnel receives traffic. |
    | | | Tunnel.tx.bps (tun.tx_bps): The rate at which a tunnel sends traffic. |
    | | | Tunnel.bgp_state (tun.bgp_state): 0 indicates that the BGP negotiation is unsuccessful, and 1 indicates that the BGP negotiation is successful. |
    | | | Tunnel.state (tun.state): 0 indicates that the tunnel negotiation is abnormal, and 1 indicates that the tunnel negotiation is normal. |
    | VPN Connection. For IPsec-VPN connections associated with a Transit Router. | IPsec-VPN connection | vpn.connection.rxPkgs (vpn_connection.rxPkgs): The rate at which the IPsec-VPN connection receives data packets. |
    | | | vpn.connection.txPkgs (vpn_connection.txPkgs): The rate at which the IPsec-VPN connection sends data packets. |
    | | | vpn.connection.rx.rate (vpn_connection_rx.rate): The rate at which the IPsec-VPN connection receives traffic. |
    | | | vpn.connection.tx.rate (vpn_connection.tx.rate): The rate at which the IPsec-VPN connection sends traffic. |
    | | | vpn.connection.bgp_state (vpn_connection.bgp_state): 0 indicates that the BGP negotiation is abnormal, and 1 indicates that the BGP negotiation is normal. |
    | | | vpn.connection.state (vpn_connection.state): 0 indicates an abnormal negotiation, and 1 indicates a normal negotiation. |
    | | Tunnel | Single-tunnel Inbound Packet Rate of VPN Connection (vpn_connection_tun.rxPkgs): The rate at which a tunnel receives data packets. |
    | | | Single-tunnel Outbound Packet Rate of VPN Connection (vpn_connection_tun.txPkgs): The rate at which a tunnel sends data packets. |
    | | | Single-tunnel Inbound Bandwidth of VPN Connection (vpn_connection_tun.rx.rate): The rate at which a tunnel receives traffic. |
    | | | Single-tunnel Outbound Bandwidth of VPN Connection (vpn_connection_tun.tx.rate): The rate at which a tunnel sends traffic. |
    | | | vpn.connection.tun.bgp_state (vpn_connection_tun.bgp_state): 0 indicates that the BGP negotiation is abnormal, and 1 indicates that the BGP negotiation is normal. |
    | | | vpn.connection.tun.state (vpn_connection_tun.state): 0 indicates that the tunnel negotiation is abnormal, and 1 indicates that the tunnel negotiation is normal. |

Query and analyze IPsec-VPN traffic information

While monitoring your IPsec-VPN connection, you may need to analyze specific traffic details, such as source and destination IP addresses, ports, and protocols. You can use the flow log feature to capture inbound and outbound traffic information. You can then query and analyze these logs for a detailed view of your IPsec-VPN traffic.

Related documents

You can call CloudMonitor API operations to query monitoring data for IPsec-VPN resources.