VPN Gateway: Diagnose a VPN gateway

Last Updated: Mar 17, 2026

VPN Gateway integrates with Network Intelligence Service (NIS), which can diagnose VPN Gateway instances and suggest how to resolve the issues it detects. You can use this feature to troubleshoot problems that you may encounter when you use SSL-VPN, such as connection negotiation failures and abnormal instance status. Diagnosing a VPN Gateway instance does not affect your services.

VPN Gateway diagnostic items

The following list describes the diagnostic items for VPN Gateway instances, grouped by diagnostic item classification. Each item states what is checked and what to do if the check fails.

Configuration diagnosis

  Instance configuration check
    Checks whether the VPN Gateway instance is currently being configured.
    If the instance is being configured, wait until the instance status changes to Normal before you proceed.

  Version check
    Checks whether the VPN Gateway instance is of the latest version.
    Upgrade the VPN Gateway instance to the latest version to use more features. For more information, see Upgrade a VPN Gateway.

  VPN tunnel configuration integrity check
    Checks whether an SSL server is configured for the SSL-VPN connection of the VPN Gateway instance.
    If the system detects that the configuration is missing, add the required configuration based on your network communication needs. To configure an SSL server, see Create and manage an SSL server.

  SSL virtual connection check
    Checks whether unreliable SSL-VPN connections exist for the VPN Gateway instance.
    If an SSL server uses the UDP protocol, unreliable connections may occupy the connection quota. Change the Protocol of the SSL server to TCP. TCP is more reliable and prevents this issue. For more information, see Modify an SSL server.

  VPC CIDR block conflict check
    Checks whether the Local Network and Client CIDR Block of the SSL server conflict with the CIDR block of a vSwitch in the VPC.
    If a CIDR block conflict is detected, modify the CIDR block settings of the SSL server. For more information, see Modify an SSL server.

  Insufficient CIDR block check
    Checks whether the number of IP addresses in the Client CIDR Block of the SSL server is sufficient for the configured maximum number of SSL-VPN connections.
    If the number of IP addresses in the client CIDR block is insufficient, modify the client CIDR block. For more information, see Modify an SSL server.
    Make sure that the number of IP addresses in the specified client CIDR block is at least four times the maximum number of SSL-VPN connections.
    For example, if the client CIDR block is 192.168.0.0/24, the system first creates a subnet with a /30 subnet mask, such as 192.168.0.4/30, from the 192.168.0.0/24 CIDR block. Then, the system allocates one IP address from 192.168.0.4/30 to the client. The other three IP addresses are reserved by the system to ensure network communication. In this case, each client consumes four IP addresses. Therefore, to ensure that an IP address can be allocated to every client, make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections.

  Public IP address conflict check
    Checks whether, when the Client CIDR Block of the SSL server is set to a public CIDR block, that public CIDR block is also specified as a user CIDR block for the VPC.
    If the client CIDR block of the SSL server is a public CIDR block, you must set the public CIDR block as a user CIDR block for the VPC. For more information about user CIDR blocks, see VPC FAQ.

Capacity limit diagnosis

  VPN Gateway bandwidth utilization check
    Checks whether the bandwidth utilization of the VPN Gateway instance has reached 80% of the bandwidth limit.
    If the bandwidth utilization reaches 80% of the limit, you can increase the bandwidth of the VPN Gateway instance as needed. For more information, see Upgrade or renew a VPN Gateway instance with a specification change.

  VPN connection count check
    Checks whether the number of SSL-VPN connections for the VPN Gateway instance has reached 80% of the connection limit.
    If the number of SSL-VPN connections reaches 80% of the limit, you can increase the maximum number of SSL-VPN connections for the instance as needed. For more information, see Modify the number of concurrent SSL connections.

Certificate diagnosis

  SSL client certificate expiration check
    Checks whether the SSL client certificate has expired.
    By default, an SSL client certificate is valid for three years. If the SSL client certificate has expired, delete the current certificate, create a new one, and install it on the client. For more information, see Create and manage an SSL client certificate and Configure a client.

  SSL client certificate pre-expiration check
    Checks whether the SSL client certificate will expire within 60 days.
    If the SSL client certificate is about to expire, we recommend that you delete the current certificate, create a new one, and install it on the client. This prevents service interruptions after the certificate expires. For more information, see Create and manage an SSL client certificate and Configure a client.

Billing diagnosis

  Overdue payment alert
    Checks whether the VPN Gateway instance has an overdue payment.
    If the instance has an overdue payment, top up your account right away.

  Expiration alert
    Checks whether the VPN Gateway instance will expire within seven days.
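The VPC CIDR block conflict check and the insufficient CIDR block check above can both be reproduced offline against a planned SSL server configuration before it is applied. The following Python script is an added example, not part of this page or of NIS; the field names in `SAMPLE_SSL_SERVER`, the sample CIDR blocks, and the helper names are constructed here. It treats the client CIDR block as conflicting when it overlaps any vSwitch CIDR block or any local network (an assumption about what the console reports as a conflict), and applies the page's sizing rule that each client consumes one /30, so the block needs at least four times as many addresses as the maximum number of SSL-VPN connections.

```python
"""Offline pre-checks modelled on two VPN Gateway diagnostic items:
the VPC CIDR block conflict check and the insufficient CIDR block check.
Added example; helper names and the sample configuration are constructed."""
import ipaddress

# The system carves one /30 (4 addresses) out of the client CIDR block per client,
# so the block must hold at least 4 x the maximum number of SSL-VPN connections.
ADDRESSES_PER_CLIENT = 4

# Constructed sample SSL server settings; the field names are assumptions,
# not an API schema.
SAMPLE_SSL_SERVER = {
    "client_cidr": "192.168.0.0/24",
    "local_networks": ["10.0.0.0/16"],
    "max_connections": 100,
}
# Constructed vSwitch CIDR blocks of the VPC that the SSL server belongs to.
SAMPLE_VSWITCH_CIDRS = ["192.168.0.0/24", "10.0.1.0/24"]


def find_cidr_conflicts(client_cidr, local_networks, vswitch_cidrs):
    """Return (kind, cidr) pairs for every vSwitch CIDR block or local network
    that overlaps the client CIDR block. Assumption: the client CIDR block must
    be disjoint from both, because client addresses are assigned from it and
    traffic to the local networks is routed through the tunnel."""
    client = ipaddress.ip_network(client_cidr, strict=False)
    conflicts = []
    for cidr in vswitch_cidrs:
        if client.overlaps(ipaddress.ip_network(cidr, strict=False)):
            conflicts.append(("vSwitch", cidr))
    for cidr in local_networks:
        if client.overlaps(ipaddress.ip_network(cidr, strict=False)):
            conflicts.append(("Local Network", cidr))
    return conflicts


def client_cidr_capacity(client_cidr, max_connections):
    """Apply the sizing rule from the page: each client consumes a /30, so the
    block needs at least 4 x max_connections addresses."""
    net = ipaddress.ip_network(client_cidr, strict=False)
    supported = net.num_addresses // ADDRESSES_PER_CLIENT
    required = max_connections * ADDRESSES_PER_CLIENT
    return {
        "addresses": net.num_addresses,
        "supported_connections": supported,
        "required_addresses": required,
        "sufficient": net.num_addresses >= required,
    }


def smallest_sufficient_prefix(max_connections):
    """Longest IPv4 prefix whose block holds 4 x max_connections addresses."""
    prefix = 32
    while (2 ** (32 - prefix)) < max_connections * ADDRESSES_PER_CLIENT:
        prefix -= 1
    return prefix


def diagnose_ssl_server(ssl_server, vswitch_cidrs):
    """Run both checks and return readable findings; empty when both pass."""
    findings = []
    client_cidr = ssl_server["client_cidr"]
    for kind, cidr in find_cidr_conflicts(
        client_cidr, ssl_server["local_networks"], vswitch_cidrs
    ):
        findings.append(f"CIDR conflict: client CIDR block {client_cidr} overlaps {kind} {cidr}")
    cap = client_cidr_capacity(client_cidr, ssl_server["max_connections"])
    if not cap["sufficient"]:
        findings.append(
            f"Insufficient client CIDR block: {cap['addresses']} addresses support at most "
            f"{cap['supported_connections']} connections, but {ssl_server['max_connections']} "
            f"are configured (needs {cap['required_addresses']} addresses, so at least a "
            f"/{smallest_sufficient_prefix(ssl_server['max_connections'])})"
        )
    return findings


if __name__ == "__main__":
    for line in diagnose_ssl_server(SAMPLE_SSL_SERVER, SAMPLE_VSWITCH_CIDRS) or ["All checks passed"]:
        print(line)
```

Run against the constructed sample, the script reports both failures the console would flag: the client CIDR block 192.168.0.0/24 overlaps a vSwitch CIDR block, and its 256 addresses support only 64 connections, while 100 are configured, so a /23 or larger block is needed.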

Start a diagnosis

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region where the VPN Gateway instance is deployed.

  3. On the VPN Gateways page, find the VPN Gateway instance that you want to diagnose and click Start Diagnosis > Instance Diagnosis in the Diagnosis column.

  4. In the Instance Diagnostics pane, view the diagnosis details.

    Note
    • If you have not activated NIS, select Network Intelligence Service Standard Edition Terms of Service and click Free Activation and Diagnosis.

    • If a Resource Access Management (RAM) user does not have the required permissions to activate NIS, use your Alibaba Cloud account to grant the AliyunNISFullAccess permission to the RAM user. For more information, see Manage RAM user permissions.

    • When you perform the first diagnosis, the system automatically creates a service-linked role (AliyunServiceRoleForNis). For more information about AliyunServiceRoleForNis, see Service-linked Role.

    [Figure: Start a diagnosis]

    The Instance Diagnostics pane shows the following:

    • Abnormal diagnostic items are displayed in the pane. You can view the description, associated resources, and suggested solutions for each abnormal item.

    • In the Diagnostic Items section, select Show All Diagnostic Items to view all diagnostic items for the current VPN Gateway instance.

    • At the top of the Instance Diagnostics pane, click Go to the NIS console to view diagnostic records. You are redirected to the Overview page of the NIS console, where you can view the historical diagnostic reports of the VPN Gateway instance. For more information, see Overview.

Example of a VPN Gateway instance diagnosis

[Figure: Instance diagnosis - SSL-VPN]

If a client fails to connect to Alibaba Cloud resources in a VPC through an SSL-VPN connection, you can diagnose the VPN Gateway instance to check the SSL-VPN connection configuration and troubleshoot the issue.

  1. Start a diagnosis for the VPN Gateway instance. For more information, see Start a diagnosis.

  2. In the Instance Diagnostics pane, view the diagnosis result and troubleshoot the issue based on the suggestions.

    [Figure: Start a diagnosis - example 2]

    As shown in the preceding figure, the system detects that the SSL server uses the UDP protocol to establish SSL-VPN connections. Because UDP is an unreliable protocol, stale connections may continue to occupy the connection quota and cause client connection failures. Follow the suggestion and change the protocol of the SSL server to TCP to prevent this issue.

  3. After you modify the configuration, diagnose the VPN Gateway instance again to verify that no issues are detected.

    [Figure: Start a diagnosis - example 2 - diagnosis passed]

  4. If the diagnosis finds no issues with your VPN Gateway instance but you still encounter problems with the SSL-VPN connection, such as traffic failures between the client and the VPC, you can troubleshoot the issues by reviewing SSL-VPN connection logs and FAQ topics. For more information, see Troubleshoot SSL-VPN connection issues and SSL-VPN connection FAQ.