Checking VPN status

After you have configured your peer VPN gateways, you can check the following components to ensure that they are communicating correctly with Cloud VPN:

Check the status of the HA VPN or Classic VPN tunnels you've configured, including the operational state.
Check the high availability status of tunnels on an HA VPN gateway.
View the status of Cloud Router BGP sessions or the routes that Cloud Router is advertising.

Checking HA VPN tunnels

Use this procedure to check the status of tunnels on both interfaces of a HA VPN gateway.

Console

Go to the VPN page in the Google Cloud Console.
Go to the VPN page
View the VPN tunnel status and the BGP session status.
Click the Name of a tunnel to view tunnel details.
Under Logs, you can click view for Cloud Logging logs.
You can also modify the BGP session associated with this tunnel.

gcloud

There are two steps to viewing tunnel status. First, identify the tunnel name and region, then use the describe command option to view tunnel details. Replace PROJECT_ID with the ID of your project.

Identify the name and region of the VPN tunnel whose status you need to check. You can identify the tunnel using either of the following methods:

Option 1: To list all VPN tunnels in your project, enter the following command:

gcloud compute vpn-tunnels list --project PROJECT_ID

The command output should look similar to this example:

NAME                REGION       GATEWAY      VPN_INTERFACE  PEER_ADDRESS
tunnel-a-to-b-if-0  us-central1  ha-vpn-gw-a  0              10.242.123.165
tunnel-a-to-b-if-1  us-central1  ha-vpn-gw-a  1              10.220.75.213
tunnel-b-to-a-if-0  us-central1  ha-vpn-gw-b  0              10.242.127.148
tunnel-b-to-a-if-1  us-central1  ha-vpn-gw-b  1              10.220.66.156

Option 2: If you know the name of the VPN gateway that contains the tunnel, you can retrieve the list of the gateway's associated tunnels by using the following command. Replace GW_NAME with the name of the gateway and REGION with the region the gateway resides in:
```
gcloud compute vpn-gateways describe GW_NAME \
 --region REGION \
 --project PROJECT_ID \
 --format='flattened(tunnels)'
```

Once you know the name and region of the tunnel, use the describe option of the vpn-tunnels command to determine the tunnel's status:

 gcloud compute vpn-tunnels describe NAME \
   --region REGION \
   --project PROJECT_ID \
   --format='flattened(status,detailedStatus)'

The basic status message and a more detailed message are returned and the command output should look similar to the following example. For a full listing, omit the --format option.

detailedStatus: Tunnel is up and running.

The following four command output examples show a full listing for a pair of tunnels on each of two HA VPN gateways that are connected to each other. That is, on ha-vpn-gw-a, the tunnels on interface 0 and interface 1 are connected to tunnels on the corresponding interfaces of ha-vpn-gw-b.

Example 1: tunnel-a-to-b-if-0

 creationTimestamp: '2018-10-11T13:12:33.851-07:00'
 description: ''
 detailedStatus: Tunnel is up and running.
 id: '2919847494518181982'
 ikeVersion: 2
 kind: compute#vpnTunnel
 labelFingerprint: LABEL_FINGERPRINT
 localTrafficSelector:
 — 0.0.0.0/0
 name: tunnel-a-to-b-if-0
 peerIp: GW_A_IF_0_IP
 region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
 remoteTrafficSelector:
 — 0.0.0.0/0
 router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
 selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
 sharedSecret: '*************'
 sharedSecretHash: SECRET_HASH
 vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a
 vpnGatewayInterface: 0

Example 2: tunnel-a-to-b-if-1

 creationTimestamp: '2018-10-11T13:14:21.630-07:00'
 description: ''
 detailedStatus: Tunnel is up and running.
 id: '178016642781024754'
 ikeVersion: 2
 kind: compute#vpnTunnel
 labelFingerprint: LABEL_FINGERPRINT
 localTrafficSelector:
 —0.0.0.0/0
 name: tunnel-a-to-b-if-1
 peerIp: GW_B_IF_1_IP
 region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
 remoteTrafficSelector:
 — 0.0.0.0/0
 router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
 selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
 sharedSecret: '*************'
 sharedSecretHash: SECRET_HASH
 vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a
 vpnGatewayInterface: 1

Example 3: tunnel-b-to-a-if-0

 creationTimestamp: '2018-10-11T13:16:19.345-07:00'
 description: ''
 detailedStatus: Tunnel is up and running.
 id: '1183416925692236156'
 ikeVersion: 2
 kind: compute#vpnTunnel
 labelFingerprint: LABEL_FINGERPRINT
 localTrafficSelector:
 — 0.0.0.0/0
 name: tunnel-b-to-a-if-0
 peerIp: GW_A_IF_0_IP
 region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
 remoteTrafficSelector:
 — 0.0.0.0/0
 router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
 selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
 sharedSecret: '*************'
 sharedSecretHash: SECRET_HASH
 vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-b
 vpnGatewayInterface: 0

Example 4: tunnel-b-to-a-if-1

 creationTimestamp: '2018-10-11T13:19:01.562-07:00'
 description: ''
 detailedStatus: Tunnel is up and running.
 id: '8199247227773914842'
 ikeVersion: 2
 kind: compute#vpnTunnel
 labelFingerprint: LABEL_FINGERPRINT
 localTrafficSelector:
 — 0.0.0.0/0
 name: tunnel-b-to-a-if-1
 peerIp: GW_A_IF_1_IP
 region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
 remoteTrafficSelector:
 — 0.0.0.0/0
 router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
 selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
 sharedSecret: '*************'
 sharedSecretHash: SECRET_HASH
 vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-b
 vpnGatewayInterface: 1

api

You can use either of the following API calls to view tunnel details.

To list all VPN tunnels, their attributes, and status in a specific project and region:

make a GET request with the vpnTunnels.list method.

  GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels

To list the attributes and status of a specific tunnel in a specific project and region:

make a GET request with the vpnTunnels.get method.

  GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels/TUNNEL_NAME

Checking Classic VPN tunnels

Use this procedure to check the status of tunnels on a Classic VPN gateway.

Console

Go to the VPN page in the Google Cloud Console.
Go to the VPN page
View the VPN tunnel status and the BGP session status.
Click the Name of a tunnel to view tunnel details.
Under Logs, you can click view for Logging logs.
You can also modify the BGP session associated with this tunnel.

gcloud

The procedure for checking Classic VPN tunnel status is similar to the one for HA VPN. Replace PROJECT_ID with the ID of your project.

To check the status of a VPN tunnel, identify its Name and Region. In the next step, use this information to replace NAME and REGION. You can identify the tunnel using either of these methods:
1. Option 1: To list all VPN tunnels in your project:
```
gcloud compute vpn-tunnels list --project PROJECT_ID
```
2. Option 2: If you know the name of the VPN gateway that contains the tunnel, you can retrieve the list of its associated tunnels by using the following command.
  - Replace GW_NAME with the name of the gateway and REGION with its region (the same region of the tunnel):
```
gcloud compute target-vpn-gateways describe GW_NAME \
 --region REGION \
 --project PROJECT_ID \
 --format='flattened(tunnels)'
```
Describe the tunnel to determine its status using the following command. The basic status message and a more detailed message are returned. For a full listing, omit the --format option.
```
gcloud compute vpn-tunnels describe NAME \
--region REGION \
--project PROJECT_ID \
--format='flattened(status,detailedStatus)'
```

api

You can use either of the following API calls to view tunnel details.

To list all VPN tunnels, their attributes, and status in a specific project and region:

make a GET request with the vpnTunnels.list method.

  GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels

To list the attributes and status of a specific tunnel in a specific project and region:

make a GET request with the vpnTunnels.get method.

  GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels/TUNNEL_NAME

Checking forwarding rules for Classic VPN

Use this procedure to check the forwarding rules you created for your Classic VPN gateway.

Console

Go to the VPN page in the Google Cloud Console.
Go to the VPN page
Click a Gateway name.
On the VPN Details page, view the forwarding rules you created.

gcloud

Enter the following command to view the forwarding rules for a Classic VPN gateway NAME in a specific REGION.

  gcloud compute target-vpn-gateways describe NAME --region REGION \
    --project PROJECT_ID

API

Use the targetVpnGateways.get method to view forwarding rules for a Classic VPN gateway. Specify the PROJECT_ID, gateway resource-id (name), and the REGION.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetVpnGateways/RESOURCE_ID

Tunnel status messages

Use the following table to interpret tunnel status messages from the Google Cloud console or when using gcloud commands:

Status	Detailed Status Message	Notes
Allocating resources	Allocating resources. VPN tunnel will start soon.	This is the initial state for a newly-created Cloud VPN tunnel.
Waiting for full config	Waiting for route configuration.	Routes or routing configuration is being prepared.
First Handshake	Handshake with peer broken for unknown reason. Trying again soon.	Phase 1 (IKE SA) negotiation with the peer VPN is in progress. It might have failed at least once.
Established	Tunnel is up and running.	The tunnel is up, and routes have been configured.
No Incoming Packets	No incoming packets from peer	No traffic is being received from the peer VPN gateway.

Checking high availability status for HA VPN gateways

Use the compute vpn-gateways get-status command to check the high availability configuration status for tunnels on a HA VPN gateway.

You can also view the Cloud Monitoring metrics for additional information.

The output of this command displays the high availability redundancy requirement state for VPN tunnels associated with each peer gateway to which the HA VPN gateway is connected.

The peer gateway can be another HA VPN gateway or an external VPN gateway. If there are multiple peer gateways connected to the HA VPN gateway, multiple high availability configuration statuses are displayed, one status per each peer gateway.

The command output indicates the correct tunnel amount and coverage in the following ways:

VPN gateways configured with adequate redundancy (coverage) show the status: HighAvailabilityRedundancyRequirementState: CONNECTION_REQUIREMENT_MET.
VPN gateways that are not configured with adequate redundancy show the status: HighAvailabilityRedundancyRequirementState: CONNECTION_REDUNDANCY_NOT_MET.
If there are not enough tunnels configured between your HA VPN gateway and another HA VPN gateway or a peer gateway, the command output shows: redundancyUnsatisfiedReason: INCOMPLETE_TUNNELS_COVERAGE.

Console

Go to the VPN page in the Google Cloud Console.
Go to the VPN page
Click Gateway name to view gateway details for the gateway and its tunnels. For HA VPN gateways, you can also view high-availability status for the gateway.

gcloud

To display tunnel status for the HA VPN gateway, enter the command below. Replace the options as noted:

GW_NAME is the name of the HA VPN gateway.
REGION is the region where the gateway resides.

  gcloud compute vpn-gateways get-status GW_NAME \
      --region REGION

The following command output shows information for an HA VPN gateway connected to a peer gateway with two interfaces.

  peerGateways:
  — peerExternalGateway: peer-gw
  tunnels:
  — localGatewayInterface: 0
    peerGatewayInterface: 0
    tunnelUrl:
    https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
    regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0
  — localGatewayInterface: 1
    peerGatewayInterface:1
    tunnelUrl:
    https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
    regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1
    HighAvailabilityRedundancyRequirementState:
      state: CONNECTION_REDUNDANCY_MET

The following example output is for two HA VPN gateways connected to each other. For this type of configuration, enter the command for each HA VPN gateway name.

Getting status for `ha-vpn-gw-a` shows its connection to `ha-vpn-gw-b`:

  peerGateways:
  — peerGcpGateway: ha-vpn-gw-b
  tunnels:
  — localGatewayInterface: 0
    peerGatewayInterface: 0
    tunnelUrl:
    https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
    regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
  — localGatewayInterface: 1
    peerGatewayInterface: 1
    tunnelUrl:
    https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
    regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
    HighAvailabilityRedundancyRequirementState:
      state: CONNECTION_REDUNDANCY_MET

Getting status for `ha-vpn-gw-b` shows its connection to `ha-vpn-gw-a`:

  peerGateways:
  — peerGcpGateway: ha-vpn-gw-a
  tunnels:
  — localGatewayInterface: 0
    peerGatewayInterface: 0
    tunnelUrl:
    https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
    regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
  — localGatewayInterface: 1
    peerGatewayInterface: 1
    tunnelUrl:
    https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
    regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
    HighAvailabilityRedundancyRequirementState:
      state: CONNECTION_REDUNDANCY_MET

The following example output is for one HA VPN gateway connected to an AWS virtual gateway with two connections and four IP addresses.

  peerGateways:
  - peerExternalGateway: peer-gw
  tunnels:
   - localGatewayInterface: 0
     peerGatewayInterface: 0
     tunnelUrl:
     https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
     regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-0-ip0
   - localGatewayInterface: 0
     peerGatewayInterface: 1
     tunnelUrl:
     https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
     regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-0-ip1
   - localGatewayInterface: 1
     peerGatewayInterface: 2
     tunnelUrl:
     https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
     regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-1-ip0
   - localGatewayInterface: 1
     peerGatewayInterface: 3
     tunnelUrl:
     https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
     regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-1-ip1
     HighAvailabilityRedundancyRequirementState:
       state: CONNECTION_REDUNDANCY_MET

The following example output is for two HA VPN gateways connected to each other with a single tunnel. This configuration does not meet the 99.99% availability SLA.

  peerGateways:
    - peerGcpGateway: ha-vpn-gw-a
    tunnels:
    - localGatewayInterface: 0
      peerGatewayInterface: 0
      tunnelUrl:
      https://www.googleapis.com/compute/v1/projects/PROJECT_ID/
      regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
      HighAvailabilityRedundancyRequirementState:
        state: CONNECTION_REDUNDANCY_NOT_MET
      detailedStatus:
        redundancyUnsatisfiedReason: INCOMPLETE_TUNNELS_COVERAGE

api

To get the status of a specific HA VPN gateway in a specific project and region:

make a GET request with the vpnGateways.getStatus method.

  GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/GATEWAY_NAME/getStatus

Checking BGP status

For tunnels using dynamic routing with BGP, you can also check Cloud Router status to view details such as the status of a router's BGP sessions or the routes that the Cloud Router is advertising.

What's next

Learn about the basic concepts of Cloud VPN
See Advanced Configurations for information on high-availability, high-throughput scenarios, or multiple subnet scenarios.
Create a custom Virtual Private Cloud network
Maintain VPN tunnels and gateways
View logs and monitoring metrics
Get troubleshooting help

Configuring the peer VPN gateway