Cloud VPN gateways send logging information to Cloud Logging, and Cloud VPN tunnels send monitoring metrics to Cloud Monitoring. This page describes logs and metrics and how to view them.
Cloud VPN gateways send certain logs to Logging.
How to view logs
To view logs for Cloud VPN, go to the Logs viewer.
VPN logs are indexed by the VPN gateway that created them.
- To see all VPN logs, in the first pull-down menu select Cloud VPN Gateway > All gateway_id.
- To see logs for just one gateway, select a single gateway name from the menu.
Log fields of type boolean typically only appear if they have a value of true. If a boolean field has a value of false, that field is omitted from the log.
UTF-8 encoding is enforced for log fields. Characters that are not UTF-8 characters are replaced with question marks.
Logging stores Cloud VPN logs for only 30 days. If you want to keep your logs for a longer period, you must export them.
What is logged
Cloud VPN log entries contain information useful for monitoring and debugging your VPN tunnels. Log entries contain the following types of information:
- General information shown in most Google Cloud logs, such as severity, project ID, project number, and timestamp.
- Other information that varies depending on the log entry.
See Checking VPN logs for a list of useful logs.
To view metrics and create alerts related to your VPN tunnels, use Monitoring.
In addition to the predefined dashboards in Cloud Monitoring, you can create custom dashboards, set up alerts, and query the metrics through the Monitoring API.
Viewing Monitoring dashboards
You can view Monitoring dashboards for Cloud VPN in multiple ways.
Viewing metrics in the Monitoring VPN resource
- Go to Monitoring.
If the Monitoring navigation pane displays Resources, then select Resources and select VPN. To view the dashboard for a specific gateway, locate it in the list and then click its name.
Otherwise, select Dashboards, and then select the dashboard named VPN. The Inventory card contains a list of VPNs. To view the dashboard for a specific gateway, locate it in the list and then click its name.
Viewing metrics in Metrics Explorer
To view the metrics for a monitored resource using Metrics Explorer, do the following:
- In the Google Cloud Console, go to Monitoring.
- In the Monitoring navigation pane, click Metrics Explorer.
- Ensure Metric is the selected tab.
- Click in the box labeled Find resource type and metric, and then select from the menu or enter the name for the resource and metric. Use the following information to complete the fields for this text box:
- Enter or select Cloud VPN as the Resource. This resource type is valid for either Classic VPN gateways or HA VPN gateways.
- Enter a metric name from Cloud VPN metrics list or select a metric that appears in the menu.
- Use the Filter, Group By, and Aggregator menus to modify how the data is displayed. For example, you can group by resource or metric labels. For more information, see Selecting metrics.
Viewing metrics from within a VPN tunnel
You can also view metrics by clicking the Monitoring tab for a tunnel in the Cloud Console.
In the left pane, you can see various details for this gateway. In the right pane, you can see timeseries graphs. Click the Breakdowns link to see specific breakdowns.
Defining Monitoring alerts
You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition. The general steps for creating an alerting policy that monitors one or more Cloud VPN Gateway resources are as follows:
- In the Google Cloud Console, go to Monitoring.
- In the Monitoring navigation pane, select Alerting, and then select Create policy.
- Click Add condition:
- The settings in the Target pane specify the resource and metric to be monitored. Click the text box to enable a menu, and then select the resource Cloud VPN Gateway. Next, select a metric from the metrics list.
- The settings in the Configuration pane of the alerting policy determine when the alert is triggered. Most fields in this pane are populated with default values. For more information about the fields in the pane, see Configuration in the Alerting policies documentation.
- Click Add.
- To advance to the notifications section, click Next.
- Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
If a notification channel that you want to add isn't listed, then click Manage notification channels. You are taken to the Notification channels page in a new browser tab. From this page, you can update the configured notification channels. After you have completed your updates, return to the original tab, click Refresh, and then select the notification channels to add to the alerting policy.
- To advance to the documentation section, click Next.
- Click Name and enter a name for the alerting policy.
- Optional: Click Documentation, and then add any information that you want included in a notification message.
- Click Save.
Defining Monitoring custom dashboards
You can create custom Monitoring dashboards over Cloud VPN metrics:
- Go to Monitoring.
- Select Dashboards > Create Dashboard.
- Click Add Chart.
- Give the chart a title.
- Select metrics and filters. For metrics, the resource type is Cloud VPN Gateway.
- Click Save.
Monitoring metrics for Cloud VPN
The following metrics for Cloud VPN are reported into Monitoring. Metrics that are not individual events are for the time interval.
|Metric name||Metric name in the Monitoring API||Description|
||Indicates that a tunnel was established.|
|Number of connections||Indicates the number of highly available (HA) connections for each HA VPN gateway.|
||The number of bytes received by the Cloud VPN gateway.|
||The number of packets received by the Cloud VPN gateway.|
|Incoming packets dropped||Number of incoming packets dropped by the Cloud VPN gateway.|
||The number of bytes sent by the Cloud VPN gateway.|
||Number of packets sent by the Cloud VPN gateway. Dropped packets are categorized by what caused them to be dropped.|
|Outgoing packets dropped||Number of outgoing packets (packets going from the gateway to the peer) dropped by the Cloud VPN gateway.|
HA connection health
The following metrics indicate if the connection for an HA VPN gateway is healthy and if its configuration meets the 99.99% SLA.
When creating a chart, you can find these metrics in the Filter field if you specify Cloud VPN Gateway and Number of connections as the resource type and metric. For more information, see Selecting metrics.
||Indicates if the HA connection has been fully configured, meaning that the connection contains the necessary number of tunnels and is properly connected to a Cloud Router.|
||Indicates if the HA connection is functioning properly on the Google Cloud side. For example, the tunnel is allocated.|
||Indicates if packets are being successfully sent and received inside the HA connection.|
Reasons for drop
When a Cloud VPN gateway drops a packet, the gateway provides a reason for the drop.
|Reason||Description||Source of traffic|
||The dropped packet was an ICMP packet of a size greater than the MTU with the "do not fragment" bit set. Such packets are used for path-mtu-discovery.||GCP VM|
||The first fragment of a UDP or ESP egress packet is greater than the MTU and has the "do not fragment" bit set.||GCP VM|
||A fragment of a UDP or ESP egress packet that is not the first fragment, and which is greater than the MTU and has the "do not fragment" bit set.||GCP VM|
||Packet was invalid or corrupt in some way. For example, the packet may have had an invalid IP header.||GCP VM|
||Packet dropped due to excessive load on the Cloud VPN gateway.||GCP VM|
||Received a fragmented packet from the peer.||Peer VPN gateway|
||A packet has arrived at the gateway with a sequence number greater than the expected sequence number, indicating that a packet with an earlier sequence number might have been dropped.||Peer VPN gateway|
||ESP packet received with a sequence number that had already been received.||Peer VPN gateway|
||Packet was invalid or corrupt in some way. For example, the packet may have had an invalid IP header.||Peer VPN gateway|
||Packet dropped due to excessive load on the Cloud VPN gateway.||Peer VPN gateway|
||Received a packet with an unknown SA. This can result from using an SA that has already expired or one that was never negotiated.||Peer VPN gateway|
||Packet was dropped for a reason that the gateway could not or did not know how to categorize.||Either|
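The drop reasons above call for different follow-up: oversize packets with the "do not fragment" bit are an MTU configuration matter on the VM side, while replayed sequence numbers and unknown SAs concern the state of the IPsec security association with the peer. The following is an added example, not Google's code, that groups dropped-packet samples by reason and reports which categories persist across consecutive intervals. The reason label strings, the category names, the tunnel names and the three-interval threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Reason label values are assumed: this page's Reason column is empty.
CATEGORY = {
    "dont_fragment_icmp": "mtu", "exceeds_mtu": "mtu",
    "dont_fragment_nonfirst_fragment": "mtu",       # traffic from GCP VMs
    "suspected_replay": "sa_integrity", "unknown_sa": "sa_integrity",
    "sequence_number_lost": "loss", "throttled": "load",
    "invalid": "malformed", "fragment_received": "malformed",
}

def longest_run(intervals):
    """Length of the longest run of consecutive interval indexes."""
    best = run = 0
    prev = None
    for i in sorted(intervals):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best

def triage(samples, sustained=3):
    """samples: iterable of (interval_index, tunnel, reason, dropped_count).
    Returns {tunnel: {"totals": {category: n}, "sustained": [categories]}}."""
    seen = defaultdict(lambda: defaultdict(set))    # tunnel -> category -> intervals
    totals = defaultdict(lambda: defaultdict(int))  # tunnel -> category -> packets
    for interval, tunnel, reason, count in samples:
        if count <= 0:
            continue                                # nothing dropped in this sample
        # A reason missing from the map is surfaced, never silently ignored.
        cat = CATEGORY.get(reason, "uncategorized")
        totals[tunnel][cat] += count
        seen[tunnel][cat].add(interval)
    return {
        tunnel: {
            "totals": dict(totals[tunnel]),
            "sustained": sorted(c for c, ivs in cats.items()
                                if longest_run(ivs) >= sustained),
        }
        for tunnel, cats in seen.items()
    }

# Constructed samples: (interval, tunnel, reason, dropped packets in interval).
SAMPLES = [
    (0, "tunnel-a", "exceeds_mtu", 40), (1, "tunnel-a", "exceeds_mtu", 38),
    (2, "tunnel-a", "exceeds_mtu", 41), (2, "tunnel-a", "unknown_sa", 3),
    (0, "tunnel-b", "suspected_replay", 12), (1, "tunnel-b", "suspected_replay", 9),
    (2, "tunnel-b", "suspected_replay", 15), (3, "tunnel-b", "unknown_sa", 2),
    (5, "tunnel-b", "throttled", 7), (1, "tunnel-b", "brand_new_reason", 1),
]
```

In the constructed data, tunnel-a's single interval of unknown-SA drops is not reported as sustained, while tunnel-b's four consecutive intervals of replay and unknown-SA drops are.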