Checking VPN status

After you have configured your peer VPN gateways, you can check the following components to ensure that they are communicating correctly with Cloud VPN:

  • Check the status of the HA VPN or Classic VPN tunnels you've configured, including the operational state.
  • Check the high availability status of tunnels on an HA VPN gateway.
  • View the status of Cloud Router BGP sessions or the routes that Cloud Router is advertising.

Checking HA VPN tunnels

Use this procedure to check the status of tunnels on both interfaces of an HA VPN gateway.

gcloud

There are two steps to viewing tunnel status. First, identify the tunnel name and region, then use the describe command option to view tunnel details. Replace [PROJECT_ID] with the ID of your project.

  1. Identify the name and region of the VPN tunnel whose status you need to check. You can identify the tunnel using either of the following methods:

    1. Option 1: To list all VPN tunnels in your project, enter the following command:
      gcloud beta compute vpn-tunnels list --project [PROJECT_ID]
      
      The command output should look similar to this example:
      NAME                REGION       GATEWAY      VPN_INTERFACE  PEER_ADDRESS
      tunnel-a-to-b-if-0  us-central1  ha-vpn-gw-a  0              10.242.123.165
      tunnel-a-to-b-if-1  us-central1  ha-vpn-gw-a  1              10.220.75.213
      tunnel-b-to-a-if-0  us-central1  ha-vpn-gw-b  0              10.242.127.148
      tunnel-b-to-a-if-1  us-central1  ha-vpn-gw-b  1              10.220.66.156
      

    2. Option 2: If you know the name of the VPN gateway that contains the tunnel, you can retrieve the list of the gateway's associated tunnels by using the following command. Replace [GW_NAME] with the name of the gateway and [REGION] with the region the gateway resides in:

      gcloud beta compute vpn-gateways describe [GW_NAME] \
       --region [REGION] \
       --project [PROJECT_ID] \
       --format='flattened(tunnels)'
      
  2. Once you know the name and region of the tunnel, use the describe option of the vpn-tunnels command to determine the tunnel's status:

     gcloud beta compute vpn-tunnels describe [NAME] \
       --region [REGION] \
       --project [PROJECT_ID] \
       --format='flattened(status,detailedStatus)'
    

    The command returns the basic status message and a more detailed message. The output should look similar to the following example. For a full listing, omit the --format option.

    detailedStatus: Tunnel is up and running.
    

    The following four command output examples show a full listing for a pair of tunnels on each of two HA VPN gateways that are connected to each other. That is, on ha-vpn-gw-a, the tunnels on interface 0 and interface 1 are connected to tunnels on the corresponding interfaces of ha-vpn-gw-b.

    Example 1: tunnel-a-to-b-if-0

     creationTimestamp: '2018-10-11T13:12:33.851-07:00'
     description: ''
     detailedStatus: Tunnel is up and running.
     id: '2919847494518181982'
     ikeVersion: 2
     kind: compute#vpnTunnel
     labelFingerprint: [LABEL_FINGERPRINT]
     localTrafficSelector:
     - 0.0.0.0/0
     name: tunnel-a-to-b-if-0
     peerIp: GW_A_IF_0_IP
     region: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1
     remoteTrafficSelector:
     - 0.0.0.0/0
     router: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/routers/router-a
     selfLink: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
     sharedSecret: '*************'
     sharedSecretHash: [SECRET_HASH]
     vpnGateway: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/vpnGateways/ha-vpn-gw-a
     vpnGatewayInterface: 0
    

    Example 2: tunnel-a-to-b-if-1

     creationTimestamp: '2018-10-11T13:14:21.630-07:00'
     description: ''
     detailedStatus: Tunnel is up and running.
     id: '178016642781024754'
     ikeVersion: 2
     kind: compute#vpnTunnel
     labelFingerprint: [LABEL_FINGERPRINT]
     localTrafficSelector:
     - 0.0.0.0/0
     name: tunnel-a-to-b-if-1
     peerIp: GW_B_IF_1_IP
     region: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1
     remoteTrafficSelector:
     - 0.0.0.0/0
     router: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/routers/router-a
     selfLink: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
     sharedSecret: '*************'
     sharedSecretHash: [SECRET_HASH]
     vpnGateway: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/vpnGateways/ha-vpn-gw-a
     vpnGatewayInterface: 1
    

    Example 3: tunnel-b-to-a-if-0

     creationTimestamp: '2018-10-11T13:16:19.345-07:00'
     description: ''
     detailedStatus: Tunnel is up and running.
     id: '1183416925692236156'
     ikeVersion: 2
     kind: compute#vpnTunnel
     labelFingerprint: [LABEL_FINGERPRINT]
     localTrafficSelector:
     - 0.0.0.0/0
     name: tunnel-b-to-a-if-0
     peerIp: GW_A_IF_0_IP
     region: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1
     remoteTrafficSelector:
     - 0.0.0.0/0
     router: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/routers/router-b
     selfLink: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
     sharedSecret: '*************'
     sharedSecretHash: [SECRET_HASH]
     vpnGateway: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/vpnGateways/ha-vpn-gw-b
     vpnGatewayInterface: 0
    

    Example 4: tunnel-b-to-a-if-1

     creationTimestamp: '2018-10-11T13:19:01.562-07:00'
     description: ''
     detailedStatus: Tunnel is up and running.
     id: '8199247227773914842'
     ikeVersion: 2
     kind: compute#vpnTunnel
     labelFingerprint: [LABEL_FINGERPRINT]
     localTrafficSelector:
     - 0.0.0.0/0
     name: tunnel-b-to-a-if-1
     peerIp: GW_A_IF_1_IP
     region: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1
     remoteTrafficSelector:
     - 0.0.0.0/0
     router: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/routers/router-b
     selfLink: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
     sharedSecret: '*************'
     sharedSecretHash: [SECRET_HASH]
     vpnGateway: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/us-central1/vpnGateways/ha-vpn-gw-b
     vpnGatewayInterface: 1
    

Checking Classic VPN tunnels

Use this procedure to check the status of tunnels on a Classic VPN gateway.

Console

  1. Go to the Google VPN Tunnels tab on the VPN page in the Google Cloud Platform Console.
  2. A list of tunnels is presented. The status for each is shown in the Status tab.
  3. Click the name of a tunnel to view the VPN tunnel details page. A more descriptive status message is shown below the name of the tunnel.

gcloud

The procedure for checking Classic VPN tunnel status is similar to the one for HA VPN. Replace [PROJECT_ID] with the ID of your project.

  1. Identify the Name and Region of the VPN tunnel whose status you need to check. Once you identify the VPN tunnel, replace [NAME] and [REGION] with its name and region in the next step. You can identify the tunnel using either of these methods:

    1. Option 1: To list all VPN tunnels in your project:
      gcloud compute vpn-tunnels list --project [PROJECT_ID]
      
    2. Option 2: If you know the name of the VPN gateway that contains the tunnel, you can retrieve the list of its associated tunnels by using the following command.

      • Replace [GW_NAME] with the name of the gateway and [REGION] with its region (the same region as the tunnel):
      gcloud compute target-vpn-gateways describe [GW_NAME] \
       --region [REGION] \
       --project [PROJECT_ID] \
       --format='flattened(tunnels)'
      
  2. Describe the tunnel to determine its status using the following command. The basic status message and a more detailed message are returned. For a full listing, omit the --format option.

    gcloud compute vpn-tunnels describe [NAME] \
    --region [REGION] \
    --project [PROJECT_ID] \
    --format='flattened(status,detailedStatus)'
    

Tunnel status messages

Use the following table to interpret tunnel status messages from the Google Cloud Platform console or when using gcloud commands:

| Status | Detailed Status Message | Notes |
|---|---|---|
| Allocating resources | Allocating resources. VPN tunnel will start soon. | This is the initial state for a newly-created Cloud VPN tunnel. |
| Waiting for full config | Waiting for route configuration. | Routes or routing configuration is being prepared. |
| First Handshake | Handshake with peer broken for unknown reason. Trying again soon. | Phase 1 (IKE SA) negotiation with the peer VPN is in progress. It might have failed at least once. |
| Established | Tunnel is up and running. | The tunnel is up, and routes have been configured. |
| No Incoming Packets | No incoming packets from peer | No traffic is being received from the peer VPN gateway. |

Checking high availability status for HA VPN gateways

Use the compute vpn-gateways get-status command to check the high availability configuration status for tunnels on an HA VPN gateway.

You can also view the Stackdriver monitoring metrics for additional information.

The output of this command displays the high availability redundancy requirement state for VPN tunnels associated with each peer gateway to which the HA VPN gateway is connected.

The peer gateway can be another HA VPN gateway or an external VPN gateway. If there are multiple peer gateways connected to the HA VPN gateway, multiple high availability configuration statuses are displayed, one status per peer gateway.

The command output indicates whether the number of tunnels and their coverage are adequate, as follows:

  • VPN gateways configured with adequate redundancy (coverage) show the status: HighAvailabilityRedundancyRequirementState: CONNECTION_REDUNDANCY_MET.
  • VPN gateways that are not configured with adequate redundancy show the status: HighAvailabilityRedundancyRequirementState: CONNECTION_REDUNDANCY_NOT_MET.
  • If there are not enough tunnels configured between your HA VPN gateway and another HA VPN gateway or a peer gateway, the command output shows: redundancyUnsatisfiedReason: INCOMPLETE_TUNNELS_COVERAGE.

gcloud

  1. To display tunnel status for the HA VPN gateway, enter the command below. Replace the options as noted:

    • [GW-NAME] is the name of the HA VPN gateway.
    • [REGION] is the region where the gateway resides.
     gcloud beta compute vpn-gateways get-status [GW-NAME] \
         --region [REGION]
    

    The following command output shows information for an HA VPN gateway connected to a peer gateway with two interfaces.

     peerGateways:
     - peerExternalGateway: peer-gw
       tunnels:
       - localGatewayInterface: 0
         peerGatewayInterface: 0
         tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0
       - localGatewayInterface: 1
         peerGatewayInterface: 1
         tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1
       HighAvailabilityRedundancyRequirementState:
         state: CONNECTION_REDUNDANCY_MET
    

    The following example output is for two HA VPN gateways connected to each other. For this type of configuration, enter the command for each HA VPN gateway name.

    Getting status for `ha-vpn-gw-a` shows its connection to `ha-vpn-gw-b`:

     peerGateways:
     - peerGcpGateway: ha-vpn-gw-b
       tunnels:
       - localGatewayInterface: 0
         peerGatewayInterface: 0
         tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
       - localGatewayInterface: 1
         peerGatewayInterface: 1
         tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
       HighAvailabilityRedundancyRequirementState:
         state: CONNECTION_REDUNDANCY_MET
    

    Getting status for `ha-vpn-gw-b` shows its connection to `ha-vpn-gw-a`:

     peerGateways:
     - peerGcpGateway: ha-vpn-gw-a
       tunnels:
       - localGatewayInterface: 0
         peerGatewayInterface: 0
         tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
       - localGatewayInterface: 1
         peerGatewayInterface: 1
         tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
       HighAvailabilityRedundancyRequirementState:
         state: CONNECTION_REDUNDANCY_MET
    

    The following example output is for one HA VPN gateway connected to an AWS virtual gateway with two connections and four IP addresses.

     peerGateways:
     - peerExternalGateway: peer-gw
       tunnels:
       - localGatewayInterface: 0
         peerGatewayInterface: 0
         tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-0-ip0
       - localGatewayInterface: 0
         peerGatewayInterface: 1
         tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-0-ip1
       - localGatewayInterface: 1
         peerGatewayInterface: 2
         tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-1-ip0
       - localGatewayInterface: 1
         peerGatewayInterface: 3
         tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-1-ip1
       HighAvailabilityRedundancyRequirementState:
         state: CONNECTION_REDUNDANCY_MET
    

    The following example output is for two HA VPN gateways connected to each other with a single tunnel. This configuration does not meet the 99.99% availability SLA.

    peerGateways:
    - peerGcpGateway: ha-vpn-gw-a
      tunnels:
      - localGatewayInterface: 0
        peerGatewayInterface: 0
        tunnelUrl: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
      HighAvailabilityRedundancyRequirementState:
        state: CONNECTION_REDUNDANCY_NOT_MET
      detailedStatus:
        redundancyUnsatisfiedReason: INCOMPLETE_TUNNELS_COVERAGE
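
The redundancy check described in this section, as an added example that is not part of the original page or of gcloud: a shell function that reads get-status output on stdin, prints one summary line per peer gateway, and returns non-zero when any peer gateway does not report CONNECTION_REDUNDANCY_MET. It assumes the output layout shown in the examples above; the function name `ha_status_summary` and the sample data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): summarise get-status output.
# Assumes the YAML-like layout shown on this page. Reads it on stdin and prints
#   <peer gateway> tunnels=<n> state=<state> reason=<reason or ->
# per peer gateway. Returns 1 if any peer lacks CONNECTION_REDUNDANCY_MET.
ha_status_summary() {
  awk '
    function emit() {
      if (peer == "") return
      printf "%s tunnels=%d state=%s reason=%s\n", peer, n,
             (state == "" ? "UNKNOWN" : state), (reason == "" ? "-" : reason)
      if (state != "CONNECTION_REDUNDANCY_MET") bad = 1
    }
    # A new peer gateway entry starts a new record.
    /peer(Gcp|External)Gateway:/   { emit(); peer = $NF; n = 0; state = ""; reason = "" }
    # Each tunnel entry carries exactly one localGatewayInterface line.
    /localGatewayInterface:/       { n++ }
    $1 == "state:"                 { state = $NF }
    /redundancyUnsatisfiedReason:/ { reason = $NF }
    END { emit(); exit bad + 0 }
  '
}

# Constructed sample: one HA VPN gateway with two peer gateways
# (tunnelUrl lines omitted for brevity; they do not affect the summary).
SAMPLE='peerGateways:
- peerGcpGateway: ha-vpn-gw-b
  tunnels:
  - localGatewayInterface: 0
    peerGatewayInterface: 0
  - localGatewayInterface: 1
    peerGatewayInterface: 1
  HighAvailabilityRedundancyRequirementState:
    state: CONNECTION_REDUNDANCY_MET
- peerExternalGateway: peer-gw
  tunnels:
  - localGatewayInterface: 0
    peerGatewayInterface: 0
  HighAvailabilityRedundancyRequirementState:
    state: CONNECTION_REDUNDANCY_NOT_MET
  detailedStatus:
    redundancyUnsatisfiedReason: INCOMPLETE_TUNNELS_COVERAGE'

printf '%s\n' "$SAMPLE" | ha_status_summary || echo "ALERT: HA redundancy not met" >&2
```

In practice, pipe the output of the get-status command above into `ha_status_summary` once per HA VPN gateway and alert on a non-zero return.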
    

Checking BGP status

For tunnels using dynamic routing with BGP, you can also check Cloud Router status to view details such as the status of a router's BGP sessions or the routes that the Cloud Router is advertising.
