
VPN Gateway: Execute IPsec-VPN O&M events

Last Updated: Feb 11, 2025

To provide stable services, IPsec-VPN periodically performs system maintenance, such as restarting instances. These system maintenance activities are known as O&M events. O&M events are generated and executed by VPN gateways, and are usually triggered by regular system upgrades, hardware upgrades, and issue fixes. After IPsec-VPN generates an O&M event, you can log on to the VPN Gateway console to view the affected resources and the default time when the O&M event is executed. You can modify the execution time of an O&M event on demand. Your network is affected while an O&M event is executed, and you can modify your configuration to reduce the impact.

Background information

IPsec-VPN O&M events are integrated with Network Intelligence Service (NIS). After IPsec-VPN generates an O&M event, you can view information about the event in the NIS console and VPN Gateway console, including the affected resources and the default time when the event is executed.

  • In the NIS console, you can view the O&M events of VPN Gateway from the previous 30 days and the trend of changes in alerts generated for VPN gateway resources.

  • In the VPN Gateway console, you can view resources affected by the O&M event and modify the execution time of the O&M event.

This topic describes how to view O&M events in the VPN Gateway console. To view O&M events in the NIS console, see View event records.

Impact of O&M events

This section describes how O&M events affect IPsec-VPN connections. Before an O&M event is executed, you can check the impact on IPsec-VPN connections in the following table.

Note

If your VPN gateway is connected to an SSL client, during the execution of the O&M event, the client will be disconnected from the network. After the execution ends, the client will reconnect to the network.

Resource: Dual-tunnel IPsec-VPN connections

Impact of O&M events:

  • If both tunnels of an IPsec-VPN connection are available, the tunnel on which the O&M event is executed is interrupted during the execution. The traffic of the tunnel is automatically switched to the other tunnel. The temporary network interruption lasts less than 1 minute. After the O&M event ends, the traffic is automatically switched back to the original tunnel. If no traffic is transmitted through the tunnel, your network is not interrupted during the O&M event.

    Note

    Make sure that your local gateway device supports auto failover. Otherwise, when the tunnel is interrupted and traffic is switched to the other tunnel, your network will be interrupted for a long period of time.

  • If the IPsec-VPN connection has only one tunnel available, your network will be interrupted for no more than 10 minutes when the system maintains the available tunnel. Your network is not affected when the system maintains the unavailable tunnel.

How to reduce the impact:

  1. Make sure that both tunnels of the IPsec-VPN connection are available.

  2. Before the system maintains a tunnel, configure your local gateway device to transmit all traffic through the other tunnel and interrupt the tunnel that is to be maintained. After the O&M event ends, reset the configuration to switch traffic back to the original tunnel. This helps avoid network interruptions.

Resource: Single-tunnel IPsec-VPN connections

Impact of O&M events:

The network will be interrupted for no more than 5 minutes.

How to reduce the impact:

  • For IPsec-VPN connections created on VPN gateways, we recommend that you upgrade IPsec-VPN connections to dual-tunnel mode and use the solution for dual-tunnel IPsec-VPN connections.

  • For IPsec-VPN connections created on transit routers, we recommend that you create multiple connections between the data center and transit router to ensure connection redundancy.

    Before the system maintains a connection, modify the local gateway device to switch traffic to the other connection and interrupt the connection that the system maintains. After the O&M event ends, reset the configuration to switch traffic back to the original IPsec-VPN connection. This helps avoid network interruptions.

View O&M events

For IPsec-VPN connections created on VPN gateways, the system maintains the VPN gateways. For IPsec-VPN connections created on transit routers, the system maintains the IPsec-VPN connections. You can perform the following steps to view O&M events for IPsec-VPN connections and VPN gateways.

View O&M events for VPN gateways

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region in which the VPN gateway resides.

  3. On the VPN Gateways page, find the VPN gateway that you created.

  4. In the O&M Events column, you can view the ID and default execution time of the current O&M event and the execution time of the previous O&M event.


View O&M events for IPsec-VPN connections

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose VPN > IPsec Connections.
  3. In the top navigation bar, select the region where the IPsec-VPN connection is created.
  4. On the IPsec-VPN connection page, find the IPsec-VPN connection that you created.

  5. In the O&M Events column, you can view the ID and default execution time of the current O&M event and the execution time of the previous O&M event.


View the affected resources and modify the execution time

Important

When an instance is exposed to high risks while providing services, an O&M event is generated. We recommend that you view the affected resources and the impact of O&M events.

VPN gateways

  1. On the VPN Gateways page, find the VPN gateway that you created.

  2. Click O&M Events in the Actions column.

    In the O&M Events dialog box, you can view the affected resources and modify the execution time.

    Note

    If you only want to view the affected resources, do not click OK in the following dialog box.

    Step: Modify the execution time of the O&M event.

    Parameter:

    • Execute Now (default)

      In the O&M Events dialog box, after you click OK, the system immediately executes the event.

    • Specify Execution Time

      Modify the execution time of the O&M event, which must not be later than the default execution time. The system automatically executes the O&M event at the specified time.

    Step: The gateway IP address of the O&M event.

    Parameter:

    • For a VPN gateway of a dual-tunnel IPsec-VPN connection, you must confirm the current gateway IP address:

      • If the address is an SSL address, no IPsec-VPN connections on the VPN gateway are affected. Only SSL clients connected to the gateway are affected.

      • If the address is IPsec Address 1 or IPsec Address 2, the tunnels of the IPsec-VPN connection associated with the current gateway IP address are affected. You can locate a tunnel based on a gateway IP address and a client gateway. In the preceding figure, three tunnels are affected. SSL clients connected to the VPN gateway are not affected.

    • For VPN gateways that support single-tunnel IPsec-VPN connections, O&M events affect all IPsec-VPN connections on the gateways and SSL clients connected to the gateways.

IPsec-VPN connections

  1. On the IPsec-VPN connection page, find the IPsec-VPN connection that you created.

  2. Click O&M Events in the Actions column.

    In the O&M Events dialog box, you can view the affected resources and modify the execution time.

    Note

    If you only want to view the affected resources, do not click OK in the following dialog box.

    Step: Modify the execution time of the O&M event.

    Parameter:

    • Execute Now (default)

      In the O&M Events dialog box, after you click OK, the system immediately executes the event.

    • Specify Execution Time

      Modify the execution time of the O&M event, which must not be later than the default execution time.

    Step: The gateway IP address of the O&M event.

    Parameter:

    The IPsec-VPN connections or tunnels associated with the current gateway IP address are affected. For dual-tunnel IPsec-VPN connections, you can locate affected tunnels based on a gateway IP address and a client gateway.
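
The impact rules in the "Impact of O&M events" section and the gateway IP address rules in the O&M Events dialog box can be applied to a tunnel inventory before you accept or reschedule an event. The following Python example is added here and is not Alibaba Cloud code or an API; the Tunnel record, the function names, and the sample IP addresses and times are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Tunnel:
    connection: str   # IPsec-VPN connection name (constructed)
    gateway_ip: str   # gateway IP address the tunnel uses
    available: bool   # True if the tunnel is currently up

def assess(event_ip, ssl_ip, tunnels, dual_tunnel=True):
    """Worst-case interruption in minutes per connection, per the page's impact rules."""
    if not dual_tunnel:
        # Single-tunnel gateway: all connections and SSL clients are affected.
        return {"ssl_clients": True, "minutes": {t.connection: 5 for t in tunnels}}
    if event_ip == ssl_ip:
        # SSL address: only SSL clients are affected.
        return {"ssl_clients": True, "minutes": {}}
    minutes = {}
    for t in tunnels:
        if t.gateway_ip != event_ip:
            continue  # this tunnel is not on the maintained gateway IP address
        peer_up = any(p.available for p in tunnels
                      if p.connection == t.connection and p.gateway_ip != event_ip)
        if not t.available:
            minutes[t.connection] = 0    # maintained tunnel is already unavailable
        elif peer_up:
            minutes[t.connection] = 1    # automatic failover, less than 1 minute
        else:
            minutes[t.connection] = 10   # the only available tunnel is maintained
    return {"ssl_clients": False, "minutes": minutes}

def reschedule_ok(requested, default):
    """A specified execution time must not be later than the default time."""
    return requested <= default

# Constructed inventory (documentation IP range, hypothetical connection names).
ADDR1, ADDR2, SSL = "203.0.113.10", "203.0.113.20", "203.0.113.30"
TUNNELS = [
    Tunnel("conn-a", ADDR1, True),  Tunnel("conn-a", ADDR2, True),
    Tunnel("conn-b", ADDR1, True),  Tunnel("conn-b", ADDR2, False),
    Tunnel("conn-c", ADDR1, False), Tunnel("conn-c", ADDR2, True),
]
DEFAULT = datetime(2025, 3, 1, 2, 0)  # constructed default execution time

if __name__ == "__main__":
    for conn, m in assess(ADDR1, SSL, TUNNELS)["minutes"].items():
        flag = "  <- restore the second tunnel first" if m == 10 else ""
        print(f"{conn}: up to {m} min{flag}")
    print("reschedule ok:", reschedule_ok(datetime(2025, 2, 27, 2, 0), DEFAULT))
```

Connections reported with a 10-minute worst case are the ones to fix before the event: bring the second tunnel up so that the maintained tunnel can fail over.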