VPN Gateway: Monitor IPsec-VPN connections

Last Updated: Oct 31, 2025

Monitoring is essential for maintaining the reliability, availability, and performance of IPsec-VPN connections. VPN Gateway lets you monitor the tunnel negotiation status and the inbound and outbound traffic rates of IPsec-VPN connections. This provides a clear view of the operational status and bandwidth usage of your IPsec-VPN connections, which helps you quickly identify network bandwidth bottlenecks, detect network failures or anomalies, and improve network reliability and availability. The monitoring features of VPN Gateway are integrated with Cloud Monitor. This lets you centrally monitor and manage your Alibaba Cloud resources in the Cloud Monitor console.

Monitor the status of IPsec tunnels

VPN Gateway monitors status changes at the tunnel level. You can view the current status of tunnels in the VPN Gateway console. To promptly detect tunnel status changes, you can subscribe to system events or set threshold-based alert rules for metrics.

  • View the status of an IPsec tunnel

    Log on to the VPN Gateway console and select the region where the IPsec-VPN connection is deployed. In the navigation pane on the left, choose VPN > IPsec-VPN Connections:

    • Dual-tunnel IPsec-VPN connection

      On the IPsec-VPN connection page, click the ID of the IPsec-VPN connection to open the details page. On the Tunnel tab, you can view the negotiation status of the active and standby tunnels in the Connection Status column.

    • Single-tunnel IPsec-VPN connection

      On the IPsec-VPN connection page, find the target IPsec-VPN connection and view its negotiation status in the Connection Status column.

    Note

    If the status of the IPsec-VPN connection or tunnel is abnormal, you can troubleshoot the issue based on the error code displayed in the console. For more information, see Troubleshoot issues.

  • VPN Gateway system events

VPN Gateway system events are defined by VPN Gateway to record and send notifications about tunnel negotiation status and health check status. You can view system events generated by VPN Gateway in the Cloud Monitor console. For more information, see View system events. To be promptly notified of resource status changes and take action, you can subscribe to system events.

Important

A system event is generated only when the status of a resource changes.

For example, if you configure a health check for an IPsec-VPN connection and the initial health check fails, the system does not generate a health check failed system event by default. The system generates a health check success or health check failed system event only when the health check status changes from failed to success or from success to failed. After you subscribe to system events, you will receive alert notifications for these events.

| Resource | Event name | Event description | Description | Event type | Event level |
|---|---|---|---|---|---|
| Dual-tunnel IPsec-VPN connection | ipsec_tunnel_nego_success | IPsec tunnel negotiation succeeded | In a dual-tunnel IPsec-VPN connection scenario, an IPsec tunnel negotiation succeeded. | Status Notification | Info |
| Dual-tunnel IPsec-VPN connection | ipsec_tunnel_nego_failed | IPsec tunnel negotiation failed | In a dual-tunnel IPsec-VPN connection scenario, an IPsec tunnel negotiation failed. | Status Notification | Warning |
| Dual-tunnel IPsec-VPN connection | ipsec_vco_tunnel_all_nego_failed | All IPsec tunnel negotiations failed | In a dual-tunnel IPsec-VPN connection scenario, the negotiations for both IPsec tunnels failed. | Status Notification | Warning |
| Single-tunnel IPsec-VPN connection | ipsec_phase1_nego_failed | IPsec Phase 1 negotiation failed | In a scenario where an IPsec-VPN connection is attached to a VPN Gateway instance, the Phase 1 negotiation of the IPsec-VPN connection failed. | Status Notification | Warning |
| Single-tunnel IPsec-VPN connection | ipsec_phase1_nego_success | IPsec Phase 1 negotiation succeeded | In a scenario where an IPsec-VPN connection is attached to a VPN Gateway instance, the Phase 1 negotiation of the IPsec-VPN connection succeeded. | Status Notification | Info |
| Single-tunnel IPsec-VPN connection | ipsec_phase2_nego_failed | IPsec Phase 2 negotiation failed | In a scenario where an IPsec-VPN connection is attached to a VPN Gateway instance, the Phase 2 negotiation of the IPsec-VPN connection failed. | Status Notification | Warning |
| Single-tunnel IPsec-VPN connection | ipsec_phase2_nego_success | IPsec Phase 2 negotiation succeeded | In a scenario where an IPsec-VPN connection is attached to a VPN Gateway instance, the Phase 2 negotiation of the IPsec-VPN connection succeeded. | Status Notification | Info |
| Single-tunnel IPsec-VPN connection | ipsec_health_check_failed | health check failed | In a scenario where an IPsec-VPN connection is attached to a VPN Gateway instance, the health check of the IPsec-VPN connection failed. | Status Notification | Warning |
| Single-tunnel IPsec-VPN connection | ipsec_health_check_success | health check success | In a scenario where an IPsec-VPN connection is attached to a VPN Gateway instance, the health check of the IPsec-VPN connection succeeded. | Status Notification | Info |
| Single-tunnel IPsec-VPN connection | vpn_connection_hc_failed | VPN connection health check failed | In a scenario where an IPsec-VPN connection is attached to a TransitRouter, the health check of the IPsec-VPN connection failed. | Status Notification | Warning |
| Single-tunnel IPsec-VPN connection | vpn_connection_hc_success | VPN connection health check succeeded | In a scenario where an IPsec-VPN connection is attached to a TransitRouter, the health check of the IPsec-VPN connection succeeded. | Status Notification | Info |
| Single-tunnel IPsec-VPN connection | vpn_connection_ph1_failed | VPN connection Phase 1 negotiation failed | In a scenario where an IPsec-VPN connection is attached to a TransitRouter, the Phase 1 negotiation of the IPsec-VPN connection failed. | Status Notification | Warning |
| Single-tunnel IPsec-VPN connection | vpn_connection_ph1_success | VPN connection Phase 1 negotiation succeeded | In a scenario where an IPsec-VPN connection is attached to a TransitRouter, the Phase 1 negotiation of the IPsec-VPN connection succeeded. | Status Notification | Info |
| Single-tunnel IPsec-VPN connection | vpn_connection_ph2_failed | VPN connection Phase 2 negotiation failed | In a scenario where an IPsec-VPN connection is attached to a TransitRouter, the Phase 2 negotiation of the IPsec-VPN connection failed. | Status Notification | Warning |
| Single-tunnel IPsec-VPN connection | vpn_connection_ph2_success | VPN connection Phase 2 negotiation succeeded | In a scenario where an IPsec-VPN connection is attached to a TransitRouter, the Phase 2 negotiation of the IPsec-VPN connection succeeded. | Status Notification | Info |
| SSL-VPN connection | CertKeyExpired | Certificate expired | The SSL client certificate has expired. | Abnormal | Critical |

  • Status metrics for IPsec tunnels

    VPN Gateway provides metrics related to tunnel status. You can set threshold-based alert rules for these metrics to be promptly notified of tunnel status changes.

    | Resource | Metric name | Metric description | Description |
    |---|---|---|---|
    | vpn (VPN Gateway). Indicates an IPsec-VPN connection that is attached to a VPN Gateway. | ipsec.state | Negotiation status of the IPsec-VPN connection on the VPN Gateway | The negotiation status of a single-tunnel IPsec-VPN connection. A value of 0 indicates that the negotiation is abnormal. A value of 1 indicates that the negotiation is normal. |
    | vpn (VPN Gateway) | tun.state | Negotiation status of a tunnel of the IPsec-VPN connection on the VPN Gateway | The negotiation status of a tunnel in a dual-tunnel IPsec-VPN connection. A value of 0 indicates that the negotiation is abnormal. A value of 1 indicates that the negotiation is normal. |
    | vpn (VPN Gateway) | ipsec.bgp_state | BGP negotiation status of the IPsec-VPN connection on the VPN Gateway | The Border Gateway Protocol (BGP) negotiation status of a single-tunnel IPsec-VPN connection on a VPN Gateway. A value of 0 indicates that the BGP negotiation is abnormal. A value of 1 indicates that the BGP negotiation is normal. |
    | vpn (VPN Gateway) | tun.bgp_state | BGP negotiation status of the IPsec tunnel on the VPN Gateway | The BGP negotiation status of a dual-tunnel IPsec tunnel on a VPN Gateway. A value of 0 indicates that the BGP negotiation is abnormal. A value of 1 indicates that the BGP negotiation is normal. |
    | vpnconnection (VPN connection). Indicates an IPsec-VPN connection that is attached to a TransitRouter. | vpn_connection.state | Negotiation status of the IPsec-VPN connection for the VpnAttachment | The negotiation status of a single-tunnel IPsec-VPN connection. A value of 0 indicates that the negotiation is abnormal. A value of 1 indicates that the negotiation is normal. |
    | vpnconnection (VPN connection) | vpn_connection_tun.state | Negotiation status of a tunnel for the VpnAttachment | The negotiation status of a tunnel in a dual-tunnel IPsec-VPN connection. A value of 0 indicates that the negotiation is abnormal. A value of 1 indicates that the negotiation is normal. |
    | vpnconnection (VPN connection) | vpn_connection.bgp_state | BGP negotiation status of the IPsec-VPN connection | The BGP negotiation status of a single-tunnel IPsec-VPN connection. A value of 0 indicates that the BGP negotiation is abnormal. A value of 1 indicates that the BGP negotiation is normal. |
    | vpnconnection (VPN connection) | vpn_connection_tun.bgp_state | BGP negotiation status of the IPsec tunnel | The BGP negotiation status of a dual-tunnel IPsec tunnel. A value of 0 indicates that the BGP negotiation is abnormal. A value of 1 indicates that the BGP negotiation is normal. |
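
Because a system event is generated only when a status changes, an event subscription alone never reports a tunnel that has been down since it was created, so the state metrics have to be checked as well. The following Python code is an added example, not part of the original documentation or Alibaba Cloud's code: it reconciles constructed event and `tun.state` samples to find such silent failures and to classify dual-tunnel redundancy. The record field names and resource IDs are assumptions, and it assumes the metric reports 0 for a tunnel that has never negotiated.

```python
# Added example. Field names ("time", "conn", "tunnel", "name", "metric",
# "value") and resource IDs are assumptions, not the Cloud Monitor schema.
# Event and metric names are the ones listed in the tables above.

FAILED_EVENT = "ipsec_tunnel_nego_failed"

def latest_state(metrics):
    """Return {(conn, tunnel): value} from the newest tun.state sample per tunnel."""
    newest = {}
    for m in sorted(metrics, key=lambda m: m["time"]):
        if m["metric"] == "tun.state":
            newest[(m["conn"], m["tunnel"])] = m["value"]
    return newest

def last_event(events):
    """Return {(conn, tunnel): event name} for the newest event per tunnel."""
    last = {}
    for e in sorted(events, key=lambda e: e["time"]):
        last[(e["conn"], e["tunnel"])] = e["name"]
    return last

def silent_failures(events, metrics):
    """Tunnels whose state is 0 but whose latest event is not a failure.

    Covers tunnels with no event at all: they never changed status, so an
    event subscription stays quiet while the tunnel is down.
    """
    last = last_event(events)
    return sorted(key for key, value in latest_state(metrics).items()
                  if value == 0 and last.get(key) != FAILED_EVENT)

def connection_health(metrics):
    """Classify each dual-tunnel connection as ok, degraded or down."""
    per_conn = {}
    for (conn, _tunnel), value in latest_state(metrics).items():
        per_conn.setdefault(conn, []).append(value)
    health = {}
    for conn, values in per_conn.items():
        up = sum(values)
        health[conn] = "ok" if up == len(values) else "degraded" if up else "down"
    return health

# Constructed sample data, not real console or API output.
EVENTS = [
    {"time": 100, "conn": "vco-a", "tunnel": "tun-1", "name": "ipsec_tunnel_nego_success"},
    {"time": 200, "conn": "vco-a", "tunnel": "tun-1", "name": "ipsec_tunnel_nego_failed"},
]
METRICS = [
    {"time": 210, "conn": "vco-a", "tunnel": "tun-1", "metric": "tun.state", "value": 0},
    {"time": 210, "conn": "vco-a", "tunnel": "tun-2", "metric": "tun.state", "value": 1},
    # vco-b never negotiated: both tunnels are down and no event exists.
    {"time": 210, "conn": "vco-b", "tunnel": "tun-1", "metric": "tun.state", "value": 0},
    {"time": 210, "conn": "vco-b", "tunnel": "tun-2", "metric": "tun.state", "value": 0},
]

if __name__ == "__main__":
    print(silent_failures(EVENTS, METRICS))
    print(connection_health(METRICS))
```
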

Monitor the traffic rate of an IPsec-VPN connection

VPN Gateway lets you view inbound and outbound traffic rates, packet rates, and bandwidth usage at the VPN Gateway instance, IPsec-VPN connection, and tunnel levels. This helps you quickly identify network congestion or unusual traffic and optimize bandwidth utilization.

  • View the traffic rate of an IPsec-VPN connection

    This section describes how to view traffic rate information in the VPN Gateway console. You can also view the traffic rate of IPsec-VPN connections in the Cloud Monitor console. For more information, see Cloud service monitoring.

    View the traffic rates of IPsec-VPN connections and tunnels

    Log on to the VPN Gateway console and select the region where the IPsec-VPN connection is deployed. In the navigation pane on the left, choose VPN > IPsec-VPN Connections. On the IPsec-VPN connection page, click the ID of the IPsec-VPN connection. On the IPsec-VPN connection details page, click the Monitoring tab to view the traffic rate.

    For a dual-tunnel IPsec-VPN connection, you can select a Dimension to view the traffic rate of an individual tunnel.

    | Monitoring Dimension | Metric | Description |
    |---|---|---|
    | IPsec-VPN Connection | Inbound Packet Rate Of IPsec-VPN Connection | The rate at which the IPsec-VPN connection receives data packets. Unit: pps. |
    | IPsec-VPN Connection | Outbound Packet Rate Of IPsec-VPN Connection | The rate at which the IPsec-VPN connection sends data packets. Unit: pps. |
    | IPsec-VPN Connection | Inbound Rate Of IPsec-VPN Connection | The rate at which the IPsec-VPN connection receives traffic. Unit: bps. |
    | IPsec-VPN Connection | Outbound Rate Of IPsec-VPN Connection | The rate at which the IPsec-VPN connection sends traffic. Unit: bps. |
    | Tunnel | Inbound Packet Rate Of Tunnel | The rate at which the tunnel receives data packets. Unit: pps. |
    | Tunnel | Outbound Packet Rate Of Tunnel | The rate at which the tunnel sends data packets. Unit: pps. |
    | Tunnel | Inbound Traffic Rate Of Tunnel | The rate at which the tunnel receives traffic. Unit: bps. |
    | Tunnel | Outbound Traffic Rate Of Tunnel | The rate at which the tunnel sends traffic. Unit: bps. |

    View the traffic rate of a VPN Gateway instance

    If a VPN Gateway instance has multiple IPsec-VPN connections, you can view the traffic rate at the instance level to understand the total traffic rate across all connections.

    Log on to the VPN Gateway console and select the region where the VPN Gateway instance is deployed. On the VPN Gateways page, click the ID of the VPN Gateway instance. On the instance details page, click the Monitor tab to view its traffic rate.

    If the VPN Gateway instance also has SSL-VPN connections, the metrics include the traffic rates of the SSL-VPN connections.

    | Metric | Description |
    |---|---|
    | Inbound Packet Rate Of VPN Gateway | The rate at which the VPN Gateway instance receives data packets. Unit: packets per second (pps). |
    | Outbound Packet Rate Of VPN Gateway | The rate at which the VPN Gateway instance sends data packets. Unit: pps. |
    | Inbound Traffic Rate Of VPN Gateway | The rate at which the VPN Gateway instance receives traffic. Unit: bits per second (bps). |
    | Outbound Traffic Rate Of VPN Gateway | The rate at which the VPN Gateway instance sends traffic. Unit: bps. |
    | Number Of SSL Client Connections | The number of clients connected to the VPN Gateway instance through SSL-VPN. Unit: count. |
    | Inbound Bandwidth Usage Of VPN Gateway | The percentage of bandwidth that is used by the VPN Gateway instance for inbound traffic. |
    | Outbound Bandwidth Usage Of VPN Gateway | The percentage of bandwidth that is used by the VPN Gateway instance for outbound traffic. |

  • Create a threshold-based alert rule for a traffic rate metric

    In the Cloud Monitor console, you can create a threshold-based alert rule for the traffic rate metrics of your IPsec-VPN connection. If the traffic rate exceeds the threshold that you set, the system immediately sends an alert. This lets you respond to and resolve issues promptly.

    Product: VPN Gateway (refers to a scenario where an IPsec-VPN connection is attached to a VPN Gateway)

    Monitored resource: VPN Gateway instance

    • Inbound Bandwidth Usage Of VPN Gateway (in_bandwidth_utilization): The percentage of bandwidth used by the VPN Gateway instance for inbound traffic.

    • Outbound Bandwidth Usage Of VPN Gateway (out_bandwidth_utilization): The percentage of bandwidth used by the VPN Gateway instance for outbound traffic.

    • Inbound Packet Rate Of VPN Gateway (net.rxPkgs): The rate at which the VPN Gateway instance receives data packets.

    • Outbound Packet Rate Of VPN Gateway (net.txPkgs): The rate at which the VPN Gateway instance sends data packets.

    • Number Of SSL Client Connections (ssl_client.count): The number of clients connected to the VPN Gateway instance through SSL-VPN.

    • Inbound Bandwidth Of VPN Gateway (net_rx.rate): The rate at which the VPN Gateway instance receives traffic.

    • Outbound Bandwidth Of VPN Gateway (net_tx.rate): The rate at which the VPN Gateway instance sends traffic.

    Monitored resource: IPsec-VPN connection

    • Inbound Packet Rate Of IPsec-VPN Connection On VPN Gateway (ipsec.rxPkgs): The rate at which the IPsec-VPN connection receives data packets.

    • Outbound Packet Rate Of IPsec-VPN Connection On VPN Gateway (ipsec.txPkgs): The rate at which the IPsec-VPN connection sends data packets.

    • Inbound Bandwidth Of IPsec-VPN Connection On VPN Gateway (ipsec_rx.rate): The rate at which the IPsec-VPN connection receives traffic.

    • Outbound Bandwidth Of IPsec-VPN Connection On VPN Gateway (ipsec_tx.rate): The rate at which the IPsec-VPN connection sends traffic.

    • BGP Negotiation Status Of IPsec-VPN Connection On VPN Gateway (ipsec.bgp_state): A value of 0 indicates that the BGP negotiation is abnormal. A value of 1 indicates that the BGP negotiation is normal.

    • Negotiation Status Of IPsec-VPN Connection On VPN Gateway (ipsec.state): A value of 0 indicates that the negotiation is abnormal. A value of 1 indicates that the negotiation is normal.

    Monitored resource: Tunnel

    • Inbound Packet Rate Of IPsec Tunnel On VPN Gateway (tun.rx_pps): The rate at which the tunnel receives data packets.

    • Outbound Packet Rate Of IPsec Tunnel On VPN Gateway (tun.tx_pps): The rate at which the tunnel sends data packets.

    • Inbound Traffic Rate Of IPsec Tunnel On VPN Gateway (tun.rx_bps): The rate at which the tunnel receives traffic.

    • Outbound Traffic Rate Of IPsec Tunnel On VPN Gateway (tun.tx_bps): The rate at which the tunnel sends traffic.

    • BGP Negotiation Status Of IPsec Tunnel On VPN Gateway (tun.bgp_state): A value of 0 indicates that the BGP negotiation is abnormal. A value of 1 indicates that the BGP negotiation is normal.

    • Negotiation Status Of IPsec Tunnel On VPN Gateway (tun.state): A value of 0 indicates that the negotiation is abnormal. A value of 1 indicates that the negotiation is normal.

    Product: VPN Connection (refers to a scenario where an IPsec-VPN connection is attached to a TransitRouter)

    Monitored resource: IPsec-VPN connection

    • Inbound Packet Rate Of VPN Connection (vpn_connection.rxPkgs): The rate at which the IPsec-VPN connection receives data packets.

    • Outbound Packet Rate Of VPN Connection (vpn_connection.txPkgs): The rate at which the IPsec-VPN connection sends data packets.

    • Inbound Bandwidth Of VPN Connection (vpn_connection_rx.rate): The rate at which the IPsec-VPN connection receives traffic.

    • Outbound Bandwidth Of VPN Connection (vpn_connection.tx.rate): The rate at which the IPsec-VPN connection sends traffic.

    • BGP Negotiation Status Of IPsec-VPN Connection (vpn_connection.bgp_state): A value of 0 indicates that the BGP negotiation is abnormal. A value of 1 indicates that the BGP negotiation is normal.

    • Negotiation Status Of IPsec-VPN Connection (vpn_connection.state): A value of 0 indicates that the negotiation is abnormal. A value of 1 indicates that the negotiation is normal.

    Monitored resource: Tunnel

    • Inbound Packet Rate Of IPsec Tunnel For VPN Connection (vpn_connection_tun.rxPkgs): The rate at which the tunnel receives data packets.

    • Outbound Packet Rate Of IPsec Tunnel For VPN Connection (vpn_connection_tun.txPkgs): The rate at which the tunnel sends data packets.

    • Inbound Bandwidth Of IPsec Tunnel For VPN Connection (vpn_connection_tun.rx.rate): The rate at which the tunnel receives traffic.

    • Outbound Bandwidth Of IPsec Tunnel For VPN Connection (vpn_connection_tun.tx.rate): The rate at which the tunnel sends traffic.

    • BGP Negotiation Status Of IPsec Tunnel For VPN Connection (vpn_connection_tun.bgp_state): A value of 0 indicates that the BGP negotiation is abnormal. A value of 1 indicates that the BGP negotiation is normal.

    • Negotiation Status Of IPsec Tunnel For VPN Connection (vpn_connection_tun.state): A value of 0 indicates that the negotiation is abnormal. A value of 1 indicates that the negotiation is normal.

Query and analyze IPsec-VPN traffic information

While monitoring an IPsec-VPN connection, you may need more details about the traffic, such as source and destination IP addresses, source and destination ports, and protocols. You can use the flow log feature to record inbound and outbound traffic information. Then, you can query and analyze the flow logs to understand the IPsec-VPN traffic:

References

To query metric data for IPsec-VPN resources by calling an API, you can use the APIs of Cloud Monitor.