Viewing logs and metrics

Cloud VPN gateways send logging information to Cloud Logging, and Cloud VPN tunnels send monitoring metrics to Cloud Monitoring. This page describes logs and metrics and how to view them.

To check for VPN tunnel overutilization, use the VPN tunnel utilization recommender.

Viewing logs

Cloud VPN gateways send certain logs to Cloud Logging. Cloud VPN log entries contain useful information for monitoring and debugging your VPN tunnels, such as the following:

  • General information shown in most Google Cloud logs, such as severity, project ID, project number, and timestamp.
  • Other information that varies depending on the log entry.

For a list of useful logs, see VPN logs.

Console

To view logs for Cloud VPN, follow these steps:

  • In the Google Cloud Console, go to the Logs Explorer page.

    VPN logs are indexed by the VPN gateway that created them:

    • To view all VPN logs, in the first drop-down menu, select Cloud VPN gateway, and then click All gateway_id.
    • To view logs for only one gateway, select a single gateway name from the menu.
  • Log fields of type boolean typically only appear if they have a value of true. If a boolean field has a value of false, that field is omitted from the log.

  • UTF-8 encoding is enforced for log fields. Characters that are not UTF-8 characters are replaced with question marks.

Exporting logs

You can configure the export of logs-based metrics for Cloud VPN resource logs.

Cloud Logging stores Cloud VPN logs for only 30 days. If you want to keep your logs for a longer period, you must export them. You can export Cloud VPN logs to Pub/Sub or BigQuery for analysis.

Viewing metrics

To view metrics and create alerts related to your VPN tunnels, use Cloud Monitoring.

In addition to the predefined dashboards in Cloud Monitoring, you can create custom dashboards, set up alerts, and query the metrics by using the Monitoring API or the Cloud Console.

Viewing Monitoring dashboards

The following sections describe the different ways that you can view Monitoring dashboards for Cloud VPN.

View metrics in the Monitoring VPN resource

Console

To use the Monitoring VPN resource to view the metrics for a monitored resource, follow these steps:

  1. In the Google Cloud Console, go to the Monitoring page.

  2. If the Monitoring navigation pane displays Resources, then select Resources and VPN. To view the dashboard for a specific gateway, locate it in the list, and then click its name.

  3. Otherwise, select Dashboards, and then select the dashboard named VPN. The Inventory card contains a list of VPNs. To view the dashboard for a specific gateway, locate it in the list, and then click its name.

View metrics in Metrics Explorer

Console

To use Metrics Explorer to view the metrics for a monitored resource, follow these steps:

  1. In the Google Cloud Console, go to the Monitoring page.

  2. In the Monitoring navigation pane, click Metrics Explorer.
  3. Ensure that Metric is the selected tab.
  4. In the Find resource type and metric field, select from the menu or enter the name for the resource and metric. Use the following information to complete the fields:
    1. Enter or select Cloud VPN as the Resource. This resource type is valid for either Classic VPN gateways or HA VPN gateways.
    2. Enter a metric name from the Cloud VPN metrics list, or select a metric that appears in the menu.
  5. To modify how the data is displayed, use the Filter, Group By, and Aggregator menus. For example, you can group by resource or metric labels. For more information, see Selecting metrics.

View metrics from within a VPN tunnel

You can also view metrics in the Cloud Console by clicking the Monitoring tab for a tunnel. This tab shows various time series graphs.

Defining Monitoring alerts

Console

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

To create an alerting policy that monitors one or more Cloud VPN gateway resources, follow these steps:

  1. In the Google Cloud Console, go to the Monitoring page.

  2. In the Monitoring navigation pane, select Alerting, and then select Create policy.
  3. Click Add condition:
    1. The settings in the Target pane specify the resource and metric to be monitored. In the Find resource type and metric field, select the resource Cloud VPN gateway. Next, select a metric from the metrics list.
    2. The settings in the Configuration pane of the alerting policy determine when the alert is triggered. Most fields in this pane are populated with default values. For more information about the fields in the pane, see Configuration in the Alerting policies documentation.
    3. Click Add.
  4. To advance to the notifications section, click Next.
  5. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.

    If a notification channel that you want to add isn't listed, then click Manage notification channels. You are taken to the Notification channels page in a new browser tab. From this page, you can update the configured notification channels. After you have completed your updates, return to the original tab, click Refresh, and then select the notification channels to add to the alerting policy.

  6. To advance to the documentation section, click Next.
  7. Click Name and enter a name for the alerting policy.
  8. Optional: Click Documentation, and then add any information that you want included in a notification message.
  9. Click Save.

For more information, see Alerting policies.

Defining alerts for VPN tunnel bandwidth

To create alerting policies for the bytes per second (bps) and packets per second (pps) limits described in Network bandwidth, use Monitoring Query Language (MQL).

When entering your queries, follow the instructions in Creating MQL alerting policies (console) and see the following examples:

  • Query for bps: This example query notifies you when the sum of sent_bytes_count and received_bytes_count exceeds 80% of the 3-Gbps (375 MBps) limit for a given VPN tunnel. "MBy" specifies megabytes as the unit of measurement. The value of 300 "MBy" is automatically scaled to compare to val(), which has the unit "Bytes".

    fetch vpn_gateway
    | { metric vpn.googleapis.com/network/sent_bytes_count
    ; metric vpn.googleapis.com/network/received_bytes_count }
    | filter (metric.tunnel_name == 'TUNNEL_NAME')
    | outer_join 0,0
    | value val(0) + val(1)
    | condition val() > 300 "MBy"
    
  • Query for pps: This example query notifies you when the sum of sent_packets_count and received_packets_count exceeds 80% of the maximum recommended packet rate of 250,000 pps for a given VPN tunnel.

    fetch vpn_gateway
    | { metric vpn.googleapis.com/network/sent_packets_count
    ; metric vpn.googleapis.com/network/received_packets_count }
    | filter (metric.tunnel_name == 'TUNNEL_NAME')
    | outer_join 0,0
    | value val(0) + val(1)
    | condition val() > 200000
    

For more information about MQL, see Introduction to Monitoring Query Language.

Defining Monitoring custom dashboards

Console

To create custom Monitoring dashboards over Cloud VPN metrics, follow these steps:

  1. In the Google Cloud Console, go to the Monitoring page.

  2. In the Monitoring navigation pane, click Dashboards, and then click Create dashboard.

  3. Ensure that the Edit toggle is in the on position.

  4. Click the widget in the Chart library that you want to add to the dashboard. You can also drag the widget from the library to the graph area.

  5. Configure the widget by using the widget's configuration pane, which is displayed when the dashboard is editable and the widget is selected.

  6. In the dashboard toolbar, to activate the Chart library, click Add chart. Repeat the previous steps for each widget that you want to add to the dashboard.

  7. Select metrics and filters. For metrics, the resource type is Cloud VPN gateway.

For more information about configuring the widget, see Adding a widget to a dashboard.

For more information about setting up custom dashboards, see Custom dashboards.

Viewing Monitoring metrics for Cloud VPN

The following metrics for Cloud VPN are reported into Monitoring. Metrics that are not individual events are for the time interval.

The "metric type" strings in this table must be prefixed with vpn.googleapis.com/. That prefix has been omitted from the entries in the table.

Each entry lists the metric type and launch stage, followed by the display name; the kind, type, and unit; the monitored resources; the description; and the labels.

gateway/connections (GA)
  Display name: Number of connections
  Kind, Type, Unit: GAUGE, INT64, 1
  Monitored resources: vpn_gateway
  Description: Indicates the number of HA connections per VPN gateway. Sampled every 60 seconds. After sampling, data is not visible for up to 60 seconds.
  Labels:
    • configured_for_sla: (BOOL) Whether the HA connection is fully configured for SLA.
    • gcp_service_health: (BOOL) Whether the Google Cloud side of the HA connection is fully functional.
    • end_to_end_health: (BOOL) Whether the HA connection is functional end-to-end.

network/dropped_received_packets_count (GA)
  Display name: Incoming packets dropped
  Kind, Type, Unit: DELTA, INT64, 1
  Monitored resources: vpn_gateway
  Description: Ingress (received from peer VPN) packets dropped for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
  Labels:
    • tunnel_name: The name of the tunnel.
    • gateway_name: The name of the gateway managing the tunnel.

network/dropped_sent_packets_count (GA)
  Display name: Outgoing packets dropped
  Kind, Type, Unit: DELTA, INT64, 1
  Monitored resources: vpn_gateway
  Description: Egress (directed to peer VPN) packets dropped for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
  Labels:
    • tunnel_name: The name of the tunnel.
    • gateway_name: The name of the gateway managing the tunnel.

network/received_bytes_count (GA)
  Display name: Received bytes
  Kind, Type, Unit: DELTA, INT64, By
  Monitored resources: vpn_gateway
  Description: Ingress (received from peer VPN) bytes for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
  Labels:
    • tunnel_name: The name of the tunnel.
    • gateway_name: The name of the gateway managing the tunnel.

network/received_packets_count (GA)
  Display name: Received packets
  Kind, Type, Unit: DELTA, INT64, {packets}
  Monitored resources: vpn_gateway
  Description: Ingress (received from peer VPN) packets for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 60 seconds.
  Labels:
    • status: Delivery status, for example, [successful, exceeds_mtu, throttled].
    • tunnel_name: The name of the tunnel.

network/sent_bytes_count (GA)
  Display name: Sent bytes
  Kind, Type, Unit: DELTA, INT64, By
  Monitored resources: vpn_gateway
  Description: Egress (directed to peer VPN) bytes for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
  Labels:
    • tunnel_name: The name of the tunnel.
    • gateway_name: The name of the gateway managing the tunnel.

network/sent_packets_count (GA)
  Display name: Sent packets
  Kind, Type, Unit: DELTA, INT64, {packets}
  Monitored resources: vpn_gateway
  Description: Egress (directed to peer VPN) packets for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 60 seconds.
  Labels:
    • status: Delivery status, for example, [successful, exceeds_mtu, throttled].
    • tunnel_name: The name of the tunnel.

tunnel_established (GA)
  Display name: Tunnel established
  Kind, Type, Unit: GAUGE, DOUBLE, 1
  Monitored resources: vpn_gateway
  Description: Indicates successful tunnel establishment if > 0. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
  Labels:
    • tunnel_name: The name of the tunnel.
    • gateway_name: The name of the gateway managing the tunnel.

Table generated at 2021-06-18 20:11:33 UTC.

Viewing HA connection health metrics

The following metrics indicate if the connection for an HA VPN gateway is healthy and if its configuration meets the 99.99% SLA.

When creating a chart, if you specify the resource type and metric as Cloud VPN gateway and Number of connections, you can find these labels in the Filter field. For more information, see Selecting data to chart.

| Status | Description |
|---|---|
| configured_for_sla | Indicates if the HA connection has been fully configured, meaning that the connection contains the necessary number of tunnels and is properly connected to a Cloud Router. |
| gcp_service_health | Indicates if the HA connection is functioning properly on the Google Cloud side. For example, the tunnel is allocated. |
| end_to_end_health | Indicates if packets are being successfully sent and received inside the HA connection. |

Viewing reasons for drops

When a Cloud VPN gateway drops a packet, the gateway provides a reason for the drop.

| Reason | Description | Source of traffic |
|---|---|---|
| dont_fragment_icmp | The dropped packet was an ICMP packet of a size greater than the MTU with the do not fragment bit set. Such packets are used for path-mtu-discovery. | Google Cloud VM |
| exceeds_mtu | The first fragment of a UDP or ESP egress packet is greater than the MTU and has the do not fragment bit set. | Google Cloud VM |
| dont_fragment_nonfirst_fragment | A fragment of a UDP or ESP egress packet that is not the first fragment, and which is greater than the MTU and has the do not fragment bit set. | Google Cloud VM |
| Sent packets::invalid | Packet was invalid or corrupt in some way. For example, the packet might have had an invalid IP header. | Google Cloud VM |
| Sent packets::throttled | Packet dropped due to excessive load on the Cloud VPN gateway. | Google Cloud VM |
| fragment_received | Received a fragmented packet from the peer. | Peer VPN gateway |
| sequence_number_lost | A packet has arrived at the gateway with a sequence number greater than the expected sequence number, indicating that a packet with an earlier sequence number might have been dropped. | Peer VPN gateway |
| suspected_replay | ESP packet received with a sequence number that had already been received. | Peer VPN gateway |
| Received packets::invalid | Packet was invalid or corrupt in some way. For example, the packet might have had an invalid IP header. | Peer VPN gateway |
| Received packets::throttled | Packet dropped due to excessive load on the Cloud VPN gateway. | Peer VPN gateway |
| sa_expired | Received a packet with unknown Security Association (SA). Could be as a result of using an SA that is already expired or one that was never negotiated. | Peer VPN gateway |
| unknown | Packet was dropped for a reason that the gateway could not or did not know how to categorize. | Either |
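
The following Python sketch is an added example, not part of the Cloud VPN documentation. It aggregates dropped-packet counts per tunnel, attributes each drop to the source of traffic given in the table above, and lists tunnels whose replay or SA-related drops warrant review. The sample tuples, the `direction` field, the triage bucket names, and the `min_packets` threshold are assumptions made for illustration.

```python
from collections import defaultdict

VM, PEER = "Google Cloud VM", "Peer VPN gateway"

# "Source of traffic" column of the drop-reason table on this page.
SOURCE = {
    "dont_fragment_icmp": VM, "exceeds_mtu": VM,
    "dont_fragment_nonfirst_fragment": VM, "fragment_received": PEER,
    "sequence_number_lost": PEER, "suspected_replay": PEER,
    "sa_expired": PEER, "unknown": "Either",
}
# "invalid" and "throttled" are listed once per direction, so the metric the
# sample came from (dropped_sent_* or dropped_received_*) decides the source.
BY_DIRECTION = {"sent": VM, "received": PEER}

# Assumption: these triage buckets are this example's grouping, not the page's.
BUCKET = {
    "suspected_replay": "security", "sa_expired": "security",
    "invalid": "malformed", "throttled": "capacity",
    "sequence_number_lost": "loss", "dont_fragment_icmp": "mtu",
    "exceeds_mtu": "mtu", "dont_fragment_nonfirst_fragment": "mtu",
    "fragment_received": "mtu",
}

def triage(samples):
    """Sum dropped packets per (tunnel, bucket, source of traffic)."""
    totals = defaultdict(int)
    for tunnel, direction, reason, count in samples:
        source = SOURCE.get(reason) or BY_DIRECTION[direction]
        bucket = BUCKET.get(reason, "unclassified")
        totals[(tunnel, bucket, source)] += count
    return dict(totals)

def tunnels_needing_review(samples, min_packets=100):
    """Tunnels whose security-bucket drops reach min_packets (assumed threshold)."""
    per_tunnel = defaultdict(int)
    for (tunnel, bucket, _source), count in triage(samples).items():
        if bucket == "security":
            per_tunnel[tunnel] += count
    return sorted(t for t, n in per_tunnel.items() if n >= min_packets)

# Constructed samples: (tunnel_name, direction, reason, dropped packet count).
SAMPLES = [
    ("tunnel-a", "received", "suspected_replay", 90),
    ("tunnel-a", "received", "sa_expired", 25),
    ("tunnel-a", "sent", "throttled", 400),
    ("tunnel-b", "received", "throttled", 10),
    ("tunnel-b", "sent", "exceeds_mtu", 7),
    ("tunnel-b", "received", "suspected_replay", 3),
]
```

Separating the buckets keeps capacity drops (throttled) and MTU drops from masking a sustained run of suspected_replay or sa_expired drops on the same tunnel.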

What's next

  • To find more information about monitoring, see Cloud Monitoring.
  • To find more information about collecting logs and configuring exports for Cloud VPN, see Cloud Logging.
  • To calculate network throughput within Google Cloud and to your on-premises or third-party cloud locations, see Calculate network throughput.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.