
VPN Gateway: Diagnose a VPN gateway

Last Updated:Jul 20, 2023

VPN Gateway works with Network Intelligence Service (NIS). You can use NIS to diagnose a VPN gateway and troubleshoot it based on the solutions that NIS provides. The diagnostic covers IPsec negotiation issues, route configuration issues, and VPN gateway status issues. The diagnostic process does not affect your workloads or the traffic that passes through the gateway.

Descriptions of diagnostic items

The following table describes the diagnostic items of VPN Gateway. Each entry lists the diagnostic category, the diagnostic item, the check that is performed, and the recommended fix.

Category: Configurations

Instance configurations: Check whether a VPN gateway is being configured.

If a VPN gateway is being configured, wait until its status changes to Available before you perform an operation on the VPN gateway.

Version: Check whether a VPN gateway uses the latest version.

We recommend that you upgrade your VPN gateway to the latest version. For more information, see Upgrade a VPN gateway.

IPsec negotiations: Check the status of Phase 1 and Phase 2 IPsec negotiations for each IPsec-VPN connection on a VPN gateway.

If IPsec negotiation exceptions occur, refer to the solution prompted by the console or relevant topics for troubleshooting. For more information, see Troubleshoot IPsec-VPN connection issues.

VPN tunnel configurations: Check whether an IPsec-VPN connection or an SSL server is configured on a VPN gateway.

If the required configuration is missing, create the IPsec-VPN connection or the SSL server that your scenario requires.

CIDR block conflicts: Check whether the destination CIDR blocks of the policy-based routes, destination-based routes, and BGP routes on a VPN gateway conflict with 100.64.0.0/10.

100.64.0.0/10 is reserved by Alibaba Cloud. Make sure that the destination CIDR blocks of the policy-based routes, destination-based routes, and BGP routes on a VPN gateway do not conflict with 100.64.0.0/10 or its subnets. Otherwise, the VPN gateway cannot work as expected.

If such conflicts exist, modify the conflicted CIDR blocks or use NAT Gateway for address translation. For more information, see Use a VPC NAT gateway and a VPN gateway to connect a data center and a VPC.

Unreliable SSL connections: Check whether unreliable SSL-VPN connections exist on a VPN gateway.

The check looks at UDP connections on an SSL server. We recommend that you set Protocol of an SSL server to TCP. TCP is more reliable than UDP, for example when clients sit behind firewalls or NAT devices that drop or time out UDP flows. For more information, see Modify an SSL server.

CIDR block conflicts within a virtual private cloud (VPC): Check whether Local Network and Client Subnet configured for an SSL server conflict with the CIDR block of a vSwitch in the VPC.

If such conflicts exist, we recommend that you modify the CIDR block of the SSL server. For more information, see Modify an SSL server.

Insufficient IP addresses: Check whether Client Subnet configured for the SSL server contains sufficient IP addresses to meet the requirements of SSL-VPN connections.

If the IP addresses are insufficient, modify the client CIDR block. For more information, see Modify an SSL server.

Make sure that the number of IP addresses that the client CIDR block contains is at least four times the number of SSL-VPN connections.

For example, if you specify 192.168.0.0/24 as the client CIDR block, the system allocates IP addresses from a subnet of 192.168.0.0/24 whose mask length is 30 to clients, such as 192.168.0.4/30. The system assigns one IP address from the subnet to the client and reserves three IP addresses for communication. Therefore, each client occupies four IP addresses. To ensure that each client can be assigned an IP address, the number of IP addresses provided by the client CIDR block must be at least four times the number of SSL-VPN connections.

Public CIDR block conflicts: Check whether the public CIDR block set as Client Subnet of an SSL server is specified as the user CIDR block of the VPC.

If the client CIDR block of an SSL server is a public CIDR block, you must specify the public CIDR block as the user CIDR block of the VPC. For more information about user CIDR blocks, see What is a user CIDR block? and How do I configure a user CIDR block?.
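The three SSL server checks above (CIDR block conflicts within a VPC, Insufficient IP addresses, and Public CIDR block conflicts) are all arithmetic on CIDR blocks and can be reproduced offline before the SSL server is created or modified. The following Python script is an added example, not code from this page or from Alibaba Cloud. The function names, the sample CIDR blocks, the expected connection count, and the treatment of Local Network as a second range that the Client Subnet must not overlap are assumptions made for the example; it uses only the standard library.

```python
import ipaddress
from typing import List, Tuple

Finding = Tuple[str, str]   # (diagnostic item, detail)


def client_capacity(client_subnet: str) -> int:
    """Clients a Client Subnet can serve: each client consumes a /30
    (one address for the client, three reserved), so size // 4."""
    return ipaddress.ip_network(client_subnet, strict=True).num_addresses // 4


def check_ssl_server(client_subnet: str, local_network: List[str],
                     expected_connections: int,
                     vswitch_cidrs: List[str]) -> List[Finding]:
    """Apply the SSL server CIDR checks from the table to one server."""
    client = ipaddress.ip_network(client_subnet, strict=True)
    findings: List[Finding] = []

    # Insufficient IP addresses: the block must hold at least 4 x connections.
    cap = client_capacity(client_subnet)
    if cap < expected_connections:
        findings.append(("Insufficient IP addresses",
                         f"{client} serves at most {cap} clients, "
                         f"{expected_connections} expected"))

    # CIDR block conflicts within a VPC: the Client Subnet must not overlap a
    # vSwitch CIDR block or the Local Network it gives access to (assumption:
    # these are the two overlaps that matter for this example).
    for cidr in vswitch_cidrs:
        if client.overlaps(ipaddress.ip_network(cidr)):
            findings.append(("CIDR block conflicts within a VPC",
                             f"Client Subnet {client} overlaps vSwitch {cidr}"))
    for cidr in local_network:
        if client.overlaps(ipaddress.ip_network(cidr)):
            findings.append(("CIDR block conflicts within a VPC",
                             f"Client Subnet {client} overlaps Local Network {cidr}"))

    # Public CIDR block conflicts: a public Client Subnet must also be the user
    # CIDR block of the VPC. That cannot be verified offline, so flag it.
    if not client.is_private:
        findings.append(("Public CIDR block conflicts",
                         f"Client Subnet {client} is public; it must be set as "
                         "the user CIDR block of the VPC"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a /28 Client Subnet (16 addresses, 4 clients) that
    # is expected to serve 5 concurrent SSL-VPN connections.
    for item, detail in check_ssl_server("10.0.0.0/28", ["192.168.0.0/24"],
                                         5, ["10.0.1.0/24"]):
        print(f"[{item}] {detail}")
```

The capacity rule is the one stated above: a /24 Client Subnet yields 64 clients, a /28 only 4. Run the check again after every change to Client Subnet, because enlarging it can introduce a new overlap with a vSwitch.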

BGP consistency: Check whether Phase 2 negotiations succeeded but BGP negotiations failed.

If Phase 2 negotiations succeeded but BGP negotiations failed, check the BGP configurations and transmission of BGP packets. For more information, see What can I do if the system prompts that Phase 2 negotiations succeeded but the BGP negotiation is in the Abnormal state?.

Shared Phase 1 IPsec negotiations: Check whether IPsec-VPN connections that share Phase 1 negotiations use the same configurations.

If multiple IPsec-VPN connections are associated with the same VPN gateway and the same customer gateway and use the same IKE version, they share one Phase 1 SA. In this case, the IPsec-VPN connections must use the same Pre-Shared Key, and the following parameters in IKE Configurations must be set to the same values: Version, Negotiation Mode, Encryption Algorithm, Authentication Algorithm, DH Group, and SA Life Cycle (seconds). Otherwise, the IKE Configurations of whichever connection negotiates first are used for all of them.

Modify the IPsec-VPN connection configurations. Make sure that the IPsec-VPN connections use the same configurations. For more information, see Modify an IPsec-VPN connection.
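A way to catch this drift before a negotiation fails is to compare the IKE parameters of every group of connections that shares a Phase 1 SA. The following Python script is an added example, not code from this page or from Alibaba Cloud; the dictionary keys, connection names and sample values are constructed. It groups connections by VPN gateway, customer gateway and IKE version, reports each field that differs within a group, and reports a pre-shared key mismatch without echoing the key values.

```python
from collections import defaultdict
from typing import Dict, List

# IKE Configurations that must be identical on every IPsec-VPN connection that
# shares a Phase 1 SA (same VPN gateway, customer gateway and IKE version).
# Key names are assumptions for this example.
SHARED_IKE_FIELDS = ("psk", "negotiation_mode", "encryption_algorithm",
                     "authentication_algorithm", "dh_group", "sa_lifetime")


def find_shared_phase1_mismatches(connections: List[Dict]) -> List[str]:
    """Return one message per IKE field that differs inside a Phase 1 group."""
    groups = defaultdict(list)
    for conn in connections:
        key = (conn["vpn_gateway"], conn["customer_gateway"], conn["ike_version"])
        groups[key].append(conn)

    problems = []
    for (vpn_gw, cgw, version), members in groups.items():
        if len(members) < 2:
            continue                       # a single connection shares nothing
        for field in SHARED_IKE_FIELDS:
            if len({m[field] for m in members}) == 1:
                continue
            names = ", ".join(m["name"] for m in members)
            if field == "psk":
                # Never copy secrets into logs or tickets: report only that they differ.
                detail = "pre-shared keys differ"
            else:
                detail = "; ".join(f"{m['name']}={m[field]}" for m in members)
            problems.append(f"{vpn_gw} -> {cgw} ({version}) [{names}]: {field}: {detail}")
    return problems


# Constructed sample: two connections to the same customer gateway that have
# drifted apart, plus one connection to another customer gateway.
SAMPLE_CONNECTIONS = [
    {"name": "vco-a", "vpn_gateway": "vpn-1", "customer_gateway": "cgw-dc1",
     "ike_version": "ikev2", "psk": "example-psk-a", "negotiation_mode": "main",
     "encryption_algorithm": "aes256", "authentication_algorithm": "sha256",
     "dh_group": "group14", "sa_lifetime": 86400},
    {"name": "vco-b", "vpn_gateway": "vpn-1", "customer_gateway": "cgw-dc1",
     "ike_version": "ikev2", "psk": "example-psk-b", "negotiation_mode": "main",
     "encryption_algorithm": "aes256", "authentication_algorithm": "sha256",
     "dh_group": "group2", "sa_lifetime": 86400},
    {"name": "vco-c", "vpn_gateway": "vpn-1", "customer_gateway": "cgw-dc2",
     "ike_version": "ikev1", "psk": "example-psk-c", "negotiation_mode": "main",
     "encryption_algorithm": "aes", "authentication_algorithm": "sha1",
     "dh_group": "group2", "sa_lifetime": 86400},
]

if __name__ == "__main__":
    for line in find_shared_phase1_mismatches(SAMPLE_CONNECTIONS):
        print(line)
```

For the sample, vco-a and vco-b form one group and differ in both the pre-shared key and the DH group; vco-c uses a different customer gateway and IKE version, so nothing is checked against it.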

Category: Quota

VPN gateway bandwidth usage: Check whether the bandwidth usage of a VPN gateway reaches 80% of the upper limit.

VPN connections: Check whether the number of SSL-VPN connections on a VPN gateway reaches 80% of the upper limit.

If the number of SSL-VPN connections on a VPN gateway reaches 80% of the upper limit, you can request a quota increase as needed. For more information, see Modify the maximum number of concurrent SSL connections.

Category: Certificates

SSL client certificate expiration: Check whether the SSL client certificate has expired.

The default validity period of an SSL client certificate is three years. If the SSL client certificate has expired, delete it. Then, create a new SSL client certificate and install the certificate on the client. For more information, see Manage SSL client certificates and Configure a client.

SSL client certificate pre-expiration: Check whether the SSL client certificate expires within 60 days.

If the SSL client certificate is about to expire, we recommend that you delete it. Then, create a new SSL client certificate and install the certificate on the client. For more information, see Manage SSL client certificates and Configure a client.

Category: Fees

Overdue payments: Check whether a VPN gateway has overdue payments.

If your VPN gateway has overdue payments, top up your account.

Overdue payment alert: Check whether a VPN gateway expires within 7 days.

Category: Routes

Unadvertised routes: Check whether a VPN gateway has unadvertised policy-based or destination-based routes.

If such routes exist, delete or advertise the routes. For more information, see Advertise a policy-based route, Delete a policy-based route, Advertise a destination-based route, and Delete a destination-based route.

Improper BGP configurations: Check whether a VPN gateway uses proper BGP configurations when an IPsec-VPN connection uses BGP.
  • When an IPsec-VPN connection uses BGP, we do not recommend that you configure policy-based or destination-based routes. We recommend that you use BGP for networking.
  • When an IPsec-VPN connection uses BGP, we recommend that you disable the health check feature.
  • When an IPsec-VPN connection uses BGP, we recommend that you set Routing Mode to Destination Routing Mode.
Category: VPN route configurations

Destination-based route conflicts: Check whether the destination CIDR blocks of destination-based routes on a VPN gateway overlap with each other.

If such conflicts exist, delete the conflicted destination-based routes and create new ones. Make sure that the destination CIDR blocks of destination-based routes do not overlap with each other. For more information, see Manage destination-based routes.

You can also use BGP for networking. For more information, see Connect a data center to a VPC and enable BGP dynamic routing.

Policy-based route conflicts: Check whether the destination CIDR blocks of policy-based routes on a VPN gateway overlap with each other.

If such conflicts exist, delete the conflicted policy-based routes and create new ones. Make sure that the destination CIDR blocks of policy-based routes do not overlap with each other. For more information, see Manage policy-based routes.

You can also use BGP for networking. For more information, see Connect a data center to a VPC and enable BGP dynamic routing.

BGP route conflicts: Perform the following checks:
  • Check whether the destination CIDR blocks of BGP routes overlap with each other.
  • Check whether the destination CIDR blocks of BGP routes and destination-based routes overlap.
  • Check whether the destination CIDR blocks of BGP routes and policy-based routes overlap.

If such conflicts exist, troubleshoot as prompted by the console.

Match between VPC routes and VPN routes: Check whether the destination CIDR block of a route in the VPC route table that points to the VPN gateway overlaps with the destination CIDR block of a policy-based route on the VPN gateway.

The destination CIDR block of the policy-based route must contain the destination CIDR block of the VPC route that points to the VPN gateway. Overlap without containment means that part of the traffic sent to the VPN gateway matches no policy-based route.

If this condition is not met, modify the destination CIDR block of the policy-based route: delete the policy-based route and create a new one whose destination CIDR block contains the VPC route. For more information, see Manage policy-based routes.
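The route checks in this category, together with the CIDR block conflicts check against 100.64.0.0/10 under Configurations, are all overlap or containment tests on CIDR blocks, so they can be run against an exported route list before the routes are created. The following Python script is an added example, not code from this page or from Alibaba Cloud; the function names and the sample routes are constructed. It takes the destination CIDR blocks of the policy-based, destination-based and BGP routes of one VPN gateway plus the destination CIDR blocks of the VPC route table entries that point to that gateway, and returns one finding per violated check.

```python
import ipaddress
from itertools import combinations
from typing import List, Tuple

RESERVED = ipaddress.ip_network("100.64.0.0/10")   # reserved by Alibaba Cloud
Finding = Tuple[str, str]                          # (diagnostic item, detail)


def _nets(cidrs: List[str]):
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def _overlapping_pairs(a, b=None):
    """Overlapping pairs within one list (b is None) or between two lists."""
    pairs = combinations(a, 2) if b is None else ((x, y) for x in a for y in b)
    return [(x, y) for x, y in pairs if x.overlaps(y)]


def check_vpn_routes(policy: List[str], destination: List[str], bgp: List[str],
                     vpc_routes_to_vpn: List[str]) -> List[Finding]:
    pol, dst, bgp_n = _nets(policy), _nets(destination), _nets(bgp)
    vpc = _nets(vpc_routes_to_vpn)
    findings: List[Finding] = []

    # CIDR block conflicts: no route of any type may touch 100.64.0.0/10.
    for kind, nets in (("policy-based", pol), ("destination-based", dst), ("BGP", bgp_n)):
        for n in nets:
            if n.overlaps(RESERVED):
                findings.append(("CIDR block conflicts",
                                 f"{kind} route {n} overlaps reserved {RESERVED}"))

    # Routes of one type must not overlap each other.
    for x, y in _overlapping_pairs(dst):
        findings.append(("Destination-based route conflicts", f"{x} overlaps {y}"))
    for x, y in _overlapping_pairs(pol):
        findings.append(("Policy-based route conflicts", f"{x} overlaps {y}"))
    for x, y in _overlapping_pairs(bgp_n):
        findings.append(("BGP route conflicts", f"BGP {x} overlaps BGP {y}"))

    # BGP routes must not overlap static routes of either type.
    for x, y in _overlapping_pairs(bgp_n, dst):
        findings.append(("BGP route conflicts", f"BGP {x} overlaps destination-based {y}"))
    for x, y in _overlapping_pairs(bgp_n, pol):
        findings.append(("BGP route conflicts", f"BGP {x} overlaps policy-based {y}"))

    # A VPC route that points to the VPN gateway must be contained by the
    # policy-based route it overlaps; overlap without containment is a mismatch.
    for v in vpc:
        for p in pol:
            if v.overlaps(p) and not v.subnet_of(p):
                findings.append(("Match between VPC routes and VPN routes",
                                 f"VPC route {v} is not contained by policy-based route {p}"))
    return findings


if __name__ == "__main__":
    # Constructed sample that trips four of the checks at once.
    sample = check_vpn_routes(
        policy=["10.1.0.0/16"],
        destination=["10.2.0.0/16", "10.2.1.0/24"],
        bgp=["100.64.1.0/24", "10.1.5.0/24"],
        vpc_routes_to_vpn=["10.1.0.0/16", "10.0.0.0/8"],
    )
    for item, detail in sample:
        print(f"[{item}] {detail}")
```

The sample reports a BGP route inside 100.64.0.0/10, two destination-based routes that overlap, a BGP route that overlaps the policy-based route, and a VPC route (10.0.0.0/8) that overlaps the policy-based route 10.1.0.0/16 without being contained by it. An empty result means that none of the listed checks would fire for those routes.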

Start a diagnostic

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region of the VPN gateway.
  3. On the VPN Gateways page, find the VPN gateway and click Diagnose in the Instance Diagnostics column.
  4. In the Instance Diagnostics panel, view the diagnostic details.
    Note
    • If NIS is not activated, select Terms of Service for Standard Edition NIS and click Activate NIS free of charge to diagnose instances.
    • If this is the first time that you perform a diagnostic, the system automatically creates the service-linked role AliyunServiceRoleForNis. For more information, see Service-linked roles.
    The Instance Diagnostics panel (the figure is not reproduced here) contains the following areas:
      1. Anomalies are displayed in the Instance Diagnostics panel. You can view the diagnosis description, relevant resources, and suggestions.
      2. In the Diagnostic Items section, select Show All Diagnostic Items to view all diagnostic details about the VPN gateway.
      3. In the upper part of the Instance Diagnostics panel, click Go to the NIS console to view diagnostic records to go to the Overview page of the NIS console. You can view historical diagnostic reports about the VPN gateway. For more information, see Use features on the Overview page.

Diagnostic examples

IPsec-VPN diagnostic example

In scenarios in which a data center accesses VPC resources through an IPsec-VPN connection, you can diagnose your VPN gateway to ensure that the IPsec-VPN connection works as expected before you use the connection to transmit service data.

  1. Diagnose a VPN gateway. For more information, see Start a diagnostic.
  2. View the diagnostic result in the Instance Diagnostics panel and troubleshoot based on the result.

    In the example shown in the figure, the system prompts Phase 1 Negotiation Failed. Click Phase 1 Negotiation Failed in the Result column to view more details and troubleshoot.

    You can also troubleshoot based on the error code of the IPsec-VPN connection on the IPsec Connections page: when Phase 1 or Phase 2 negotiations fail, the corresponding error code is displayed there. For more information, see Troubleshoot IPsec-VPN connection issues.

    In this example, Phase 1 negotiations failed because the pre-shared key configured on the VPN gateway differs from the one configured on the peer gateway. Make sure that both gateways use the same pre-shared key.

  3. After you solve the issue, diagnose the VPN gateway again. Make sure that the VPN gateway does not have an issue.
  4. If the VPN gateway has no issue but the IPsec-VPN connection still does not work as expected, for example, the data center cannot communicate with the VPC, see FAQ about VPN Gateway and FAQ about IPsec-VPN connections for troubleshooting.

SSL-VPN diagnostic example

In scenarios in which clients access VPC resources through SSL-VPN connections, if issues such as client connection failures occur, you can diagnose the VPN gateway for troubleshooting.

  1. Diagnose a VPN gateway. For more information, see Start a diagnostic.
  2. View the diagnostic result in the Instance Diagnostics panel and troubleshoot based on the result.

    In the example shown in the figure, client connections may fail because the SSL server uses UDP to establish SSL-VPN connections. We recommend that you change the protocol to TCP to prevent this issue.

  3. After you change the protocol, diagnose the VPN gateway again. Make sure that the VPN gateway does not have an issue.
  4. If the VPN gateway has no issue but the SSL-VPN connection still does not work as expected, for example, clients cannot communicate with the VPC, see Troubleshoot SSL-VPN connection issues, FAQ about VPN Gateway, and FAQ about SSL-VPN connections for troubleshooting.