A VPN connection is used to connect a VPC to an IDC and the status of the VPN tunnel is Linked, but the private network cannot be connected.
If the tunnel status is normal but the private network still cannot be connected, the possible causes are as follows; check them in order:
Check whether the route table of the VPC subnet contains a route whose destination is the IDC-side private IP range and whose next hop is the corresponding VPN gateway. Likewise, check whether the IDC side has a route whose destination is the VPC IP range and whose next hop is the corresponding VPN tunnel.
Go to the VPC subnet route table, click the route table ID to enter the details page, and check the destination and next hop of the route:
Execute the command on the IDC side to check the routing (take Huawei’s device as an example):
display ip routing-table // Check whether there is a route whose destination is the cloud VPC IP range and whose next hop is the corresponding VPN tunnel
Check whether the communication is back to normal. In other words, log in to a server in the VPC/IDC and use the ping command to test the connectivity of the private IP of the peer server.
Note: To log in to a CVM instance in the VPC, see Logging in to Linux Instance or Logging in to a Windows Instance.
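The route check above has a subtlety that is easy to miss when reading a route table by eye: a more specific route inside the peer range (or a more specific supernet of it) wins by longest-prefix match and silently bypasses the VPN route. The following added example (not part of this page or of any vendor tool) parses a constructed Linux `ip route` listing taken on the VPC side and reports every part of an assumed IDC range 192.168.0.0/16 that is not routed via the assumed VPN next hop 10.0.0.253; the same logic applies to the IDC-side check against the VPN tunnel.

```python
import ipaddress

# Constructed sample `ip route` output from a server in the VPC (not captured
# from any real environment). 10.0.0.253 is the assumed VPN next hop.
SAMPLE_IP_ROUTE = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.12
192.168.0.0/16 via 10.0.0.253 dev eth0
192.168.10.0/24 via 10.0.0.1 dev eth0
"""

def parse_ip_route(text):
    """Turn `ip route` lines into (network, next_hop) pairs.
    Directly connected routes (no 'via') get next_hop None."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dst:
            dst += "/32"  # `ip route` prints host routes without a prefix
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), via))
    return routes

def check_peer_route(routes, peer_cidr, expected_next_hop):
    """Return a list of problems; an empty list means all of peer_cidr is
    forwarded to expected_next_hop under longest-prefix matching."""
    peer = ipaddress.ip_network(peer_cidr)
    problems = []
    # The route that actually carries the peer range is the longest prefix
    # that covers it, which may be more specific than the VPN route.
    covering = [r for r in routes if peer.subnet_of(r[0])]
    if not covering:
        return [f"no route covers {peer}"]
    best_net, best_via = max(covering, key=lambda r: r[0].prefixlen)
    if best_via != expected_next_hop:
        problems.append(f"{peer} is routed via {best_via} by {best_net}, "
                        f"not {expected_next_hop}")
    # Any more specific route inside the peer range overrides the VPN route.
    for net, via in routes:
        if net != peer and net.subnet_of(peer) and via != expected_next_hop:
            problems.append(f"more specific route {net} via {via} bypasses the VPN")
    return problems

if __name__ == "__main__":
    for p in check_peer_route(parse_ip_route(SAMPLE_IP_ROUTE),
                              "192.168.0.0/16", "10.0.0.253"):
        print(p)
```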
Check whether the security group associated with the server in the VPC and the network ACL associated with the subnet allow the traffic from the local IDC to pass through. Meanwhile, check whether the IDC allows the traffic from the cloud VPC to pass through.
Go to the security group page of the server in the VPC console, click the security group ID to enter the “Security Group Rule” page, and check that the inbound rules allow the IDC IP range:
Go to the VPC subnet ACL rule page, click the network ACL ID to enter the “Basic Info” page, and click the “Inbound Rule” tab to check that the IDC IP range is allowed:
Security policy check on the IDC side (take Huawei Firewall as an example here):
display current-configuration configuration security-policy
Check whether the communication is back to normal. In other words, log in to a server in the VPC/IDC and use the ping command to test the connectivity of the private IP of the peer server.
Check whether the operating system firewall on the CVM instance in the VPC and on the private-network server in the IDC allows traffic from the peer IP range.
Checking the firewall on a Linux server: iptables --list
Checking the firewall on a Windows server: Control Panel > System and Security > Windows Defender Firewall > Allow an app through Windows Firewall
Check whether the communication is back to normal. In other words, log in to a server in the VPC/IDC and use the ping command to test the connectivity of the private IP of the peer server.
Check whether the proxy ID (SPD policy) of the VPN tunnel on both the VPC and IDC sides contains the private IP ranges that need to be interconnected.
Go to the SPD policy page in the VPC console. Click the VPN tunnel ID to enter the Basic information page, and you can check the SPD policy:
SPD policy check on the IDC side (take Huawei Firewall as an example here):
display current-configuration configuration acl
Check whether the route table of the VPN gateway contains the required routing policy. On the VPN gateway page, click the ID of the target VPN gateway to enter the Route table page, and you can check the routing policies.
Check whether the communication is back to normal. In other words, log in to a server in the VPC/IDC and use the ping command to test the connectivity of the private IP of the peer server.
Collect the troubleshooting information above and submit a ticket or ask the device manufacturer for help.