After you have configured your peer VPN gateways, you can check the following components to ensure that they are communicating correctly with Cloud VPN:
- Check the status of the HA VPN or Classic VPN tunnels you've configured, including the operational state.
- Check the high availability status of tunnels on an HA VPN gateway.
- View the status of Cloud Router BGP sessions or the routes that Cloud Router is advertising.
Checking HA VPN tunnels
Use this procedure to check the status of tunnels on both interfaces of an HA VPN gateway.
Console
- Go to the VPN page in the Google Cloud Console.
- View the VPN tunnel status and the BGP session status.
- Click the Name of a tunnel to view tunnel details.
- Under Logs, you can click view for Cloud Logging logs.
- You can also modify the BGP session associated with this tunnel.
gcloud
There are two steps to viewing tunnel status. First, identify the tunnel name and region, then use the describe command option to view tunnel details. Replace PROJECT_ID with the ID of your project.
Identify the name and region of the VPN tunnel whose status you need to check. You can identify the tunnel using either of the following methods:
- Option 1: To list all VPN tunnels in your project, enter the following command:
gcloud compute vpn-tunnels list --project PROJECT_ID
The command output should look similar to this example:
NAME                REGION       GATEWAY      VPN_INTERFACE  PEER_ADDRESS
tunnel-a-to-b-if-0  us-central1  ha-vpn-gw-a  0              10.242.123.165
tunnel-a-to-b-if-1  us-central1  ha-vpn-gw-a  1              10.220.75.213
tunnel-b-to-a-if-0  us-central1  ha-vpn-gw-b  0              10.242.127.148
tunnel-b-to-a-if-1  us-central1  ha-vpn-gw-b  1              10.220.66.156
- Option 2: If you know the name of the VPN gateway that contains the tunnel, you can retrieve the list of the gateway's associated tunnels by using the following command. Replace GW_NAME with the name of the gateway and REGION with the region the gateway resides in:
gcloud compute vpn-gateways describe GW_NAME \
    --region REGION \
    --project PROJECT_ID \
    --format='flattened(tunnels)'
Once you know the name and region of the tunnel, use the describe option of the vpn-tunnels command to determine the tunnel's status:
gcloud compute vpn-tunnels describe NAME \
    --region REGION \
    --project PROJECT_ID \
    --format='flattened(status,detailedStatus)'
The basic status message and a more detailed message are returned, and the command output should look similar to the following example. For a full listing, omit the --format option.
detailedStatus: Tunnel is up and running.
The following four command output examples show a full listing for a pair of tunnels on each of two HA VPN gateways that are connected to each other. That is, on ha-vpn-gw-a, the tunnels on interface 0 and interface 1 are connected to tunnels on the corresponding interfaces of ha-vpn-gw-b.
Example 1: tunnel-a-to-b-if-0
creationTimestamp: '2018-10-11T13:12:33.851-07:00'
description: ''
detailedStatus: Tunnel is up and running.
id: '2919847494518181982'
ikeVersion: 2
kind: compute#vpnTunnel
labelFingerprint: LABEL_FINGERPRINT
localTrafficSelector:
- 0.0.0.0/0
name: tunnel-a-to-b-if-0
peerIp: GW_A_IF_0_IP
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
remoteTrafficSelector:
- 0.0.0.0/0
router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
sharedSecret: '*************'
sharedSecretHash: SECRET_HASH
vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a
vpnGatewayInterface: 0
Example 2: tunnel-a-to-b-if-1
creationTimestamp: '2018-10-11T13:14:21.630-07:00'
description: ''
detailedStatus: Tunnel is up and running.
id: '178016642781024754'
ikeVersion: 2
kind: compute#vpnTunnel
labelFingerprint: LABEL_FINGERPRINT
localTrafficSelector:
- 0.0.0.0/0
name: tunnel-a-to-b-if-1
peerIp: GW_B_IF_1_IP
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
remoteTrafficSelector:
- 0.0.0.0/0
router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
sharedSecret: '*************'
sharedSecretHash: SECRET_HASH
vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a
vpnGatewayInterface: 1
Example 3: tunnel-b-to-a-if-0
creationTimestamp: '2018-10-11T13:16:19.345-07:00'
description: ''
detailedStatus: Tunnel is up and running.
id: '1183416925692236156'
ikeVersion: 2
kind: compute#vpnTunnel
labelFingerprint: LABEL_FINGERPRINT
localTrafficSelector:
- 0.0.0.0/0
name: tunnel-b-to-a-if-0
peerIp: GW_A_IF_0_IP
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
remoteTrafficSelector:
- 0.0.0.0/0
router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
sharedSecret: '*************'
sharedSecretHash: SECRET_HASH
vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-b
vpnGatewayInterface: 0
Example 4: tunnel-b-to-a-if-1
creationTimestamp: '2018-10-11T13:19:01.562-07:00'
description: ''
detailedStatus: Tunnel is up and running.
id: '8199247227773914842'
ikeVersion: 2
kind: compute#vpnTunnel
labelFingerprint: LABEL_FINGERPRINT
localTrafficSelector:
- 0.0.0.0/0
name: tunnel-b-to-a-if-1
peerIp: GW_A_IF_1_IP
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
remoteTrafficSelector:
- 0.0.0.0/0
router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
sharedSecret: '*************'
sharedSecretHash: SECRET_HASH
vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-b
vpnGatewayInterface: 1
API
You can use either of the following API calls to view tunnel details.
- To list all VPN tunnels, their attributes, and status in a specific project and region, make a GET request with the vpnTunnels.list method:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels
- To list the attributes and status of a specific tunnel in a specific project and region, make a GET request with the vpnTunnels.get method:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels/TUNNEL_NAME
Checking Classic VPN tunnels
Use this procedure to check the status of tunnels on a Classic VPN gateway.
Console
- Go to the VPN page in the Google Cloud Console.
- View the VPN tunnel status and the BGP session status.
- Click the Name of a tunnel to view tunnel details.
- Under Logs, you can click view for Logging logs.
- You can also modify the BGP session associated with this tunnel.
gcloud
The procedure for checking Classic VPN tunnel status is similar to the one for HA VPN. Replace PROJECT_ID with the ID of your project.
To check the status of a VPN tunnel, identify its Name and Region. In the next step, use this information to replace NAME and REGION. You can identify the tunnel using either of these methods:
- Option 1: To list all VPN tunnels in your project:
gcloud compute vpn-tunnels list --project PROJECT_ID
- Option 2: If you know the name of the VPN gateway that contains the tunnel, you can retrieve the list of its associated tunnels by using the following command. Replace GW_NAME with the name of the gateway and REGION with its region (the same region as the tunnel):
gcloud compute target-vpn-gateways describe GW_NAME \
    --region REGION \
    --project PROJECT_ID \
    --format='flattened(tunnels)'
Describe the tunnel to determine its status using the following command. The basic status message and a more detailed message are returned. For a full listing, omit the --format option.
gcloud compute vpn-tunnels describe NAME \
    --region REGION \
    --project PROJECT_ID \
    --format='flattened(status,detailedStatus)'
API
You can use either of the following API calls to view tunnel details.
- To list all VPN tunnels, their attributes, and status in a specific project and region, make a GET request with the vpnTunnels.list method:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels
- To list the attributes and status of a specific tunnel in a specific project and region, make a GET request with the vpnTunnels.get method:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels/TUNNEL_NAME
Checking forwarding rules for Classic VPN
Use this procedure to check the forwarding rules you created for your Classic VPN gateway.
Console
- Go to the VPN page in the Google Cloud Console.
- Click a Gateway name.
- On the VPN Details page, view the forwarding rules you created.
gcloud
Enter the following command to view the forwarding rules for a Classic VPN gateway NAME in a specific REGION.
gcloud compute target-vpn-gateways describe NAME --region REGION \
    --project PROJECT_ID
API
Use the targetVpnGateways.get method to view forwarding rules for a Classic VPN gateway. Specify the PROJECT_ID, gateway resource-id (name), and the REGION.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetVpnGateways/RESOURCE_ID
Tunnel status messages
Use the following table to interpret tunnel status messages from the Google Cloud console or when using gcloud commands:
Status | Detailed Status Message | Notes |
Allocating resources | Allocating resources. VPN tunnel will start soon. | This is the initial state for a newly-created Cloud VPN tunnel. |
Waiting for full config | Waiting for route configuration. | Routes or routing configuration is being prepared. |
First Handshake | Handshake with peer broken for unknown reason. Trying again soon. | Phase 1 (IKE SA) negotiation with the peer VPN is in progress. It might have failed at least once. |
Established | Tunnel is up and running. | The tunnel is up, and routes have been configured. |
No Incoming Packets | No incoming packets from peer | No traffic is being received from the peer VPN gateway. |
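The statuses in this table can be triaged in bulk. The following Python sketch is an added example, not part of the original page: it takes tunnel records shaped like `gcloud compute vpn-tunnels list --format=json` output, reports every tunnel that is not Established, and lists HA VPN gateways that lack an Established tunnel on both interfaces. It assumes the `status` field carries the table's status names in upper-case underscore form; the sample records and the tunnel name classic-tunnel-1 are constructed.

```python
import json

# Status names from the table above. Assumption: the JSON `status` field uses
# the upper-case underscore form of these labels (e.g. FIRST_HANDSHAKE).
HEALTHY = {"ESTABLISHED"}
TRANSIENT = {"ALLOCATING_RESOURCES", "WAITING_FOR_FULL_CONFIG", "FIRST_HANDSHAKE"}

def normalize(status):
    """Accept a console label ('First Handshake') or the enum form."""
    return status.strip().upper().replace(" ", "_")

def triage(tunnels):
    """Return (findings, degraded): tunnels that are not Established, and HA
    VPN gateways lacking an Established tunnel on interface 0 or 1."""
    findings, up = [], {}
    for t in tunnels:
        state = normalize(t.get("status", ""))
        gw_url = t.get("vpnGateway")  # set on HA VPN tunnels only
        if gw_url:
            ifaces = up.setdefault(gw_url.rsplit("/", 1)[-1], set())
            if state in HEALTHY:
                ifaces.add(int(t["vpnGatewayInterface"]))
        if state not in HEALTHY:
            action = "recheck" if state in TRANSIENT else "investigate"
            findings.append((t["name"], state, action, t.get("detailedStatus", "")))
    degraded = sorted(gw for gw, ifaces in up.items() if ifaces != {0, 1})
    return findings, degraded

# Constructed sample records (not real output).
_GW = "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/"
def _rec(name, status, detail, gw=None, iface=None):
    rec = {"name": name, "status": status, "detailedStatus": detail}
    if gw:
        rec.update(vpnGateway=_GW + gw, vpnGatewayInterface=iface)
    return rec

SAMPLE = json.dumps([
    _rec("tunnel-a-to-b-if-0", "ESTABLISHED", "Tunnel is up and running.", "ha-vpn-gw-a", 0),
    _rec("tunnel-a-to-b-if-1", "NO_INCOMING_PACKETS", "No incoming packets from peer", "ha-vpn-gw-a", 1),
    _rec("tunnel-b-to-a-if-0", "ESTABLISHED", "Tunnel is up and running.", "ha-vpn-gw-b", 0),
    _rec("tunnel-b-to-a-if-1", "ESTABLISHED", "Tunnel is up and running.", "ha-vpn-gw-b", 1),
    _rec("classic-tunnel-1", "First Handshake", "Handshake with peer broken for unknown reason. Trying again soon."),
])

if __name__ == "__main__":
    findings, degraded = triage(json.loads(SAMPLE))
    for finding in findings:
        print(" | ".join(finding))
    print("HA gateways lacking two Established interfaces:", degraded)
```

To run it on live data, load the JSON produced by `gcloud compute vpn-tunnels list --project PROJECT_ID --format=json` and pass the resulting list to `triage`.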
Checking high availability status for HA VPN gateways
Use the compute vpn-gateways get-status command to check the high availability configuration status for tunnels on an HA VPN gateway.
You can also view the Cloud Monitoring metrics for additional information.
The output of this command displays the high availability redundancy requirement state for VPN tunnels associated with each peer gateway to which the HA VPN gateway is connected.
The peer gateway can be another HA VPN gateway or an external VPN gateway. If there are multiple peer gateways connected to the HA VPN gateway, multiple high availability configuration statuses are displayed, one status per peer gateway.
The command output indicates the correct tunnel amount and coverage in the following ways:
- VPN gateways configured with adequate redundancy (coverage) show the status: HighAvailabilityRedundancyRequirementState: CONNECTION_REQUIREMENT_MET.
- VPN gateways that are not configured with adequate redundancy show the status: HighAvailabilityRedundancyRequirementState: CONNECTION_REDUNDANCY_NOT_MET. If there are not enough tunnels configured between your HA VPN gateway and another HA VPN gateway or a peer gateway, the command output shows: redundancyUnsatisfiedReason: INCOMPLETE_TUNNELS_COVERAGE.
Console
- Go to the VPN page in the Google Cloud Console.
- Click Gateway name to view gateway details for the gateway and its tunnels. For HA VPN gateways, you can also view high-availability status for the gateway.
gcloud
To display tunnel status for the HA VPN gateway, enter the command below. Replace the options as noted:
- GW_NAME is the name of the HA VPN gateway.
- REGION is the region where the gateway resides.
gcloud compute vpn-gateways get-status GW_NAME \
    --region REGION
The following command output shows information for an HA VPN gateway connected to a peer gateway with two interfaces.
peerGateways:
- peerExternalGateway: peer-gw
  tunnels:
  - localGatewayInterface: 0
    peerGatewayInterface: 0
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0
  - localGatewayInterface: 1
    peerGatewayInterface: 1
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1
  HighAvailabilityRedundancyRequirementState:
    state: CONNECTION_REDUNDANCY_MET
The following example output is for two HA VPN gateways connected to each other. For this type of configuration, enter the command for each HA VPN gateway name.
Getting status for `ha-vpn-gw-a` shows its connection to `ha-vpn-gw-b`:
peerGateways:
- peerGcpGateway: ha-vpn-gw-b
  tunnels:
  - localGatewayInterface: 0
    peerGatewayInterface: 0
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
  - localGatewayInterface: 1
    peerGatewayInterface: 1
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
  HighAvailabilityRedundancyRequirementState:
    state: CONNECTION_REDUNDANCY_MET
Getting status for `ha-vpn-gw-b` shows its connection to `ha-vpn-gw-a`:
peerGateways:
- peerGcpGateway: ha-vpn-gw-a
  tunnels:
  - localGatewayInterface: 0
    peerGatewayInterface: 0
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
  - localGatewayInterface: 1
    peerGatewayInterface: 1
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
  HighAvailabilityRedundancyRequirementState:
    state: CONNECTION_REDUNDANCY_MET
The following example output is for one HA VPN gateway connected to an AWS virtual gateway with two connections and four IP addresses.
peerGateways:
- peerExternalGateway: peer-gw
  tunnels:
  - localGatewayInterface: 0
    peerGatewayInterface: 0
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-0-ip0
  - localGatewayInterface: 0
    peerGatewayInterface: 1
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-0-ip1
  - localGatewayInterface: 1
    peerGatewayInterface: 2
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-1-ip0
  - localGatewayInterface: 1
    peerGatewayInterface: 3
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-1-ip1
  HighAvailabilityRedundancyRequirementState:
    state: CONNECTION_REDUNDANCY_MET
The following example output is for two HA VPN gateways connected to each other with a single tunnel. This configuration does not meet the 99.99% availability SLA.
peerGateways:
- peerGcpGateway: ha-vpn-gw-a
  tunnels:
  - localGatewayInterface: 0
    peerGatewayInterface: 0
    tunnelUrl: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
  HighAvailabilityRedundancyRequirementState:
    state: CONNECTION_REDUNDANCY_NOT_MET
    detailedStatus:
      redundancyUnsatisfiedReason: INCOMPLETE_TUNNELS_COVERAGE
API
To get the status of a specific HA VPN gateway in a specific project and region, make a GET request with the vpnGateways.getStatus method:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/GATEWAY_NAME/getStatus
Checking BGP status
For tunnels using dynamic routing with BGP, you can also check Cloud Router status to view details such as the status of a router's BGP sessions or the routes that the Cloud Router is advertising.
What's next
- Learn about the basic concepts of Cloud VPN
- See Advanced Configurations for information on high-availability, high-throughput scenarios, or multiple subnet scenarios.
- Create a custom Virtual Private Cloud network
- Maintain VPN tunnels and gateways
- View logs and monitoring metrics
- Get troubleshooting help