
VPN Gateway:Work with reachability analyzer

Last Updated:Nov 21, 2023

VPN Gateway works with Network Intelligence Service (NIS) and supports the reachability analyzer feature. This topic describes how to use reachability analyzer to check the connectivity between the resources that use a VPN gateway.

Background information

When you use reachability analyzer, you need to specify the source resource and destination resource. Reachability analyzer checks whether the destination is reachable from the source by building a network model. If the destination is unreachable, the system returns the causes. You can troubleshoot based on the information. During the analysis, service data packets are not sent. Therefore, your services are not affected.

For example, you can specify an Elastic Compute Service (ECS) instance within your Alibaba Cloud account as the source, another ECS instance as the destination, port 22 as the destination port, and TCP as the transmission protocol. Then, reachability analyzer checks whether the source ECS instance can connect to the destination ECS instance over SSH. For more information about reachability analyzer, see Work with reachability analyzer.

This topic uses the following scenarios as examples to describe how to use reachability analyzer to check the connectivity between resources that use a VPN gateway.

Prerequisites

  • If IPsec negotiations fail before you use reachability analyzer to check the connectivity of an IPsec-VPN connection, troubleshoot based on the logs and the error codes prompted by the VPN Gateway console, or by using the instance diagnostics feature of VPN Gateway. For more information, see Troubleshoot IPsec-VPN connection issues and Diagnose VPN gateways.

  • If a client fails to connect to a VPN gateway before you use reachability analyzer to check the connectivity of an SSL-VPN connection, troubleshoot based on the logs of the client and the logs of the SSL-VPN connection in the VPN Gateway console. Make sure that the client is connected to the VPN gateway before you use reachability analyzer. For more information, see Troubleshoot SSL-VPN connection issues and Diagnose VPN gateways.

Scenario 1: Use IPsec-VPN to connect a data center to a virtual private cloud (VPC)

[Figure: IDCtoVPC scenario example]

As shown in the preceding figure, in scenarios in which you connect a data center to a VPC by using IPsec-VPN, if IPsec negotiations succeeded but the data center cannot communicate with the VPC, you can troubleshoot by using reachability analyzer.

  1. Log on to the NIS console.
  2. In the left-side navigation pane, choose Self-service Diagnosis > Reachability Analyzer.
  3. On the Reachability Analyzer page, click Start Analyzing.

  4. On the Start Analyzing page, configure the following parameters and click Start Analyzing.

    The following section describes how to create a path in inbound and outbound directions.

    Traffic from the data center to the VPC

    [Figure: IDCtoVPC path analysis 1]

    Source: Select a source type. In this example, VPN Gateway is selected and the VPN gateway vpn-uf6xkloc**** that is connected to the data center over an IPsec-VPN connection is selected. Then, the private IP address 172.16.0.201 of a server in the data center is used.

    Destination: Select a destination type. In this example, ECS is selected and the ECS instance i-uf6a**** in the VPC that is connected to the data center is selected.

    Protocol: Select a protocol. In this example, the default protocol TCP is used. Note: select a protocol and a destination port based on the actual network environment.

    Destination Port: Enter the port number of the destination resource. In this example, the default value 80 is used.

    Storage Path: Specify whether to save the path. If you save the path, you can quickly retest it, and you can enter a name for the path and add tags to it. Default value: No.

    Traffic from the VPC to the data center

    [Figure: IDCtoVPC path analysis 2]

    Source: Select a source type. In this example, ECS is selected and the ECS instance i-uf6a**** in the VPC that is connected to the data center is selected.

    Destination: Select a destination type. In this example, VPN Gateway is selected and the VPN gateway vpn-uf6xkloc**** that is connected to the data center over an IPsec-VPN connection is selected. Then, the private IP address 172.16.0.201 of a server in the data center is used.

    Protocol: Select a protocol. In this example, the default protocol TCP is used. Note: select a protocol and a destination port based on the actual network environment.

    Destination Port: Enter the port number of the destination resource. In this example, the default value 80 is used.

    Storage Path: Specify whether to save the path. If you save the path, you can quickly retest it, and you can enter a name for the path and add tags to it. Default value: No.

  5. View the result on the details page of the path.

    Troubleshoot based on the result and check the path again to make sure that the path is reachable.

  6. In most cases, if the path is reachable, the data center can communicate with the VPC.

    If the data center still cannot communicate with the VPC, troubleshoot based on the FAQ about IPsec-VPN connections topic.

Scenario 2: Use IPsec-VPN to connect VPCs within the same account across regions

Important

For more information about how to create a path in scenarios where IPsec-VPN is used to connect VPCs that belong to different accounts across regions, see Scenario 1.

[Figure: VPCtoVPC scenario example]

As shown in the preceding figure, in scenarios in which you connect VPCs within the same account across regions by using IPsec-VPN, if IPsec negotiations succeeded but ECS instances in the VPCs cannot communicate with each other, you can troubleshoot by using reachability analyzer.

  1. Log on to the NIS console.
  2. In the left-side navigation pane, choose Self-service Diagnosis > Reachability Analyzer.
  3. On the Reachability Analyzer page, click Start Analyzing.

  4. On the Start Analyzing page, configure the following parameters and click Start Analyzing.

    [Figure: VPCtoVPC create path]

    Source: Select a source type. In this example, ECS is selected. Then, ECS1 is selected.

    Destination: Select a destination type. In this example, ECS is selected. Then, ECS2 is selected.

    Protocol: Select a protocol. In this example, the default protocol TCP is used. Note: select a protocol and a destination port based on the actual network environment.

    Destination Port: Enter the port number of the destination resource. In this example, the default value 80 is used.

    Storage Path: Specify whether to save the path. If you save the path, you can quickly retest it, and you can enter a name for the path and add tags to it. Default value: No.

  5. View the result on the details page of the path.

    [Figure: VPCtoVPC]

    As shown in the preceding figure, ECS1 cannot communicate with ECS2 because the security group rules of ECS2 block requests from ECS1. Modify the security group rules of ECS2 and check the path again to make sure that the path is reachable.

    [Figure: VPCtoVPC path reachable]

  6. In most cases, if the path is reachable, the ECS instances in the VPCs can communicate with each other.

    If the ECS instances still cannot communicate with each other, troubleshoot based on the FAQ about IPsec-VPN connections topic.
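To make concrete what the analysis described under Background information and shown in Scenario 2 does, here is an added example (not code from Alibaba Cloud or NIS) that models a path check offline: it looks up a route to the destination, then evaluates the destination's inbound security group rules, and returns a cause when the path is blocked. The ECS names, addresses, route entries and rule sets are constructed for illustration, and the logic is a deliberate simplification, not the analyzer's own network model.

```python
# Added example, not Alibaba Cloud's or NIS's own code: an offline model of a
# reachability check. A path (source, destination, protocol, port) is evaluated
# against a constructed route table and security group; no packets are sent.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class SGRule:
    action: str        # "accept" or "drop"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_range: tuple  # (low, high), inclusive
    source_cidr: str

@dataclass
class Endpoint:
    name: str
    ip: str
    inbound_rules: list = field(default_factory=list)

def lookup_route(routes, dst_ip):
    """Longest-prefix match over (cidr, next_hop) entries; None if no route."""
    dst = ip_address(dst_ip)
    hits = [(ip_network(c), nh) for c, nh in routes if dst in ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def sg_allows(rules, src_ip, protocol, port):
    """Security group semantics: deny by default, first matching rule decides."""
    src = ip_address(src_ip)
    for r in rules:
        lo, hi = r.port_range
        if (r.protocol in ("all", protocol) and lo <= port <= hi
                and src in ip_network(r.source_cidr)):
            return r.action == "accept"
    return False

def analyze(src, dst, routes, protocol="tcp", port=80):
    """Return (reachable, cause), in the spirit of the analyzer's result page."""
    hop = lookup_route(routes, dst.ip)
    if hop is None:
        return False, f"no route to {dst.ip} from {src.name}"
    if not sg_allows(dst.inbound_rules, src.ip, protocol, port):
        return False, f"security group of {dst.name} blocks {protocol}/{port} from {src.ip}"
    return True, f"reachable via {hop[1]}"

# Constructed data modelled on Scenario 2; the next hop is the VPN gateway vpn-uf6xkloc**** used in this topic.
VPC1_ROUTES = [("192.168.0.0/16", "vpn-uf6xkloc****")]
ECS1 = Endpoint("ECS1", "10.0.1.10")
ECS2_BLOCKED = Endpoint("ECS2", "192.168.1.20", [SGRule("accept", "tcp", (22, 22), "0.0.0.0/0")])
ECS2_FIXED = Endpoint("ECS2", "192.168.1.20", ECS2_BLOCKED.inbound_rules
                      + [SGRule("accept", "tcp", (80, 80), "10.0.0.0/16")])
```

Running `analyze(ECS1, ECS2_BLOCKED, VPC1_ROUTES)` reports the security group of ECS2 as the cause, and the same call against `ECS2_FIXED` reports the path as reachable through the VPN gateway.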

Scenario 3: Use IPsec-VPN to connect multiple on-premises servers

[Figure: data centers connected through VPN, scenario example]

As shown in the preceding figure, in scenarios in which you connect multiple on-premises servers by using IPsec-VPN, if IPsec negotiations succeeded but the on-premises servers cannot communicate with each other, you can troubleshoot by using reachability analyzer.

  1. Log on to the NIS console.
  2. In the left-side navigation pane, choose Self-service Diagnosis > Reachability Analyzer.
  3. On the Reachability Analyzer page, click Start Analyzing.

  4. On the Start Analyzing page, configure the following parameters and click Start Analyzing.

    Source: Select a source type. In this example, VPN Gateway is selected and the VPN gateway vpn-uf6xkloc**** that is connected to an on-premises server in Shanghai over an IPsec-VPN connection is selected. Then, the private IP address 172.16.0.221 of the server in Shanghai is used.

    Destination: Select a destination type. In this example, VPN Gateway is selected and the VPN gateway vpn-uf6xkloc**** that is connected to an on-premises server in Ningbo over an IPsec-VPN connection is selected. Then, the private IP address 192.168.0.169 of the server in Ningbo is used.

    Protocol: Select a protocol. In this example, the default protocol TCP is used. Note: select a protocol and a destination port based on the actual network environment.

    Destination Port: Enter the port number of the destination resource. In this example, the default value 80 is used.

    Storage Path: Specify whether to save the path. If you save the path, you can quickly retest it, and you can enter a name for the path and add tags to it. Default value: No.

  5. View the result on the details page of the path.

    Troubleshoot based on the result and check the path again to make sure that the path is reachable.

  6. In most cases, if the path is reachable, the on-premises servers can communicate with each other.

    If the on-premises servers still cannot communicate with each other, troubleshoot based on the FAQ about IPsec-VPN connections topic.

Scenario 4: Use SSL-VPN to connect a client to a VPC

[Figure: SSL-VPN path analysis]

The preceding figure shows the scenario where you use SSL-VPN to connect a client to a VPC: the client is connected to the VPN gateway, but it cannot access resources in the VPC. In this case, you can use reachability analyzer to check the connectivity between the client and the VPC.

Important

When reachability analyzer creates a path for the SSL-VPN connection, the private IP address assigned to the client is required. Therefore, make sure that the client is connected to the VPN gateway and is assigned a private IP address. You can log on to the VPN Gateway console to view the private IP address assigned to the client. For more information, see View the connection information of an SSL client.

  1. Log on to the NIS console.
  2. In the left-side navigation pane, choose Self-service Diagnosis > Reachability Analyzer.
  3. On the Reachability Analyzer page, click Start Analyzing.

  4. On the Start Analyzing page, configure the following parameters and click Start Analyzing.

    Traffic from the client to the VPC

    Source: Select a source type. In this example, VPN Gateway is selected and the VPN gateway vpn-bp18q**** is selected. The private IP address assigned to the client is 10.0.0.6.

    Destination: Select a destination type. In this example, ECS is selected and an ECS instance in the VPC is selected.

    Protocol: Select a protocol. In this example, the default protocol TCP is used. Note: select a protocol and a destination port based on the actual network environment.

    Destination Port: Enter the port number of the destination resource. In this example, the default value 80 is used.

    Storage Path: Specify whether to save the path. If you save the path, you can quickly retest it, and you can enter a name for the path and add tags to it. Default value: No.

    Traffic from the VPC to the client

    Source: Select a source type. In this example, ECS is selected and an ECS instance in the VPC is selected.

    Destination: Select a destination type. In this example, VPN Gateway is selected and the VPN gateway vpn-bp18q**** is selected. The private IP address assigned to the client is 10.0.0.6.

    Protocol: Select a protocol. In this example, the default protocol TCP is used. Note: select a protocol and a destination port based on the actual network environment.

    Destination Port: Enter the port number of the destination resource. In this example, the default value 80 is used.

    Storage Path: Specify whether to save the path. If you save the path, you can quickly retest it, and you can enter a name for the path and add tags to it. Default value: No.

  5. View the result on the details page of the path.

    Troubleshoot based on the result and check the path again to make sure that the path is reachable.

  6. In most cases, if the path is reachable, the client can communicate with the VPC. You can initiate requests from the client.

    If the client cannot communicate with the VPC, troubleshoot based on the FAQ about SSL-VPN connections topic.