Viewing logs and metrics

Cloud VPN gateways send logging information to Stackdriver Logging, and Cloud VPN tunnels send monitoring metrics to Stackdriver Monitoring. This page describes logs and metrics and how to view them.

Logs

Cloud VPN gateways send certain logs to Stackdriver Logging.

How to view logs

Use the following instructions to view logs for Cloud VPN.

Console

  1. To view logs, go to the Logs viewer.

    VPN logs are indexed by the VPN gateway that created them.

    • To see all VPN logs, in the first pull-down menu select Cloud VPN Gateway > All gateway_id.
    • To see logs for just one gateway, select a single gateway name from the menu.

    Log fields of type boolean typically only appear if they have a value of true. If a boolean field has a value of false, that field is omitted from the log.

    UTF-8 encoding is enforced for log fields. Characters that are not UTF-8 characters are replaced with question marks.

Exporting logs

You can configure the export of Stackdriver logs-based metrics for Cloud VPN resource logs.

Stackdriver stores Cloud VPN logs for only 30 days. If you want to keep your logs for a longer period, you must export them.

You can export Cloud VPN logs to Cloud Pub/Sub or BigQuery for analysis.

What is logged

Cloud VPN log entries contain information useful for monitoring and debugging your VPN tunnels. Log entries contain the following types of information:

  • General information shown in most GCP logs, such as severity, project ID, project number, timestamp, and so on.
  • Other information that varies depending on the log entry.

See Checking VPN logs for a list of useful logs.

Monitoring metrics

Use Stackdriver Monitoring to view metrics and create alerts related to your VPN tunnels.

In addition to the predefined dashboards in Stackdriver, you can create custom dashboards, set up alerts, and query the metrics through the Stackdriver monitoring API.

Viewing Stackdriver monitoring dashboards

  1. Go to Stackdriver in the Google Cloud Platform Console.
  2. Select Resources > Cloud VPN Gateway.
  3. Click on a gateway.

You can also view metrics by clicking the Monitoring tab for a tunnel in the GCP Console.

In the left pane, you can see various details for this gateway. In the right pane you can see timeseries graphs. Click the Breakdowns link to see specific breakdowns.

Defining Stackdriver alerts

You can define Stackdriver alerts over various metrics:

  1. Go to Stackdriver in the Google Cloud Platform Console.
  2. Select Alerting > Create a Policy.
  3. Click on Add Condition and select a condition type.
  4. Select metrics and filters. For metrics, the resource type is Cloud VPN Gateway.
  5. Click Save Condition.
  6. Enter a policy name and click Save Policy.

Defining Stackdriver custom dashboards

You can create custom Stackdriver dashboards over Cloud VPN metrics:

  1. Go to Stackdriver in the Google Cloud Platform Console.
  2. Select Dashboards > Create Dashboard.
  3. Click on Add Chart.
  4. Give the chart a title.
  5. Select metrics and filters. For metrics, the resource type is Cloud VPN Gateway.
  6. Click Save.

Monitoring metrics for Cloud VPN

The following metrics for Cloud VPN are reported into Stackdriver. Metrics that are not individual events are for the time interval.

| Metric | Description |
| --- | --- |
| Tunnel established | Indicates that a tunnel was established. |
| Number of connections | Indicates the number of highly-available (HA) connections for each HA VPN gateway. |
| Received bytes | The number of bytes received by the Cloud VPN gateway. |
| Received packets | The number of packets received by the Cloud VPN gateway. |
| Incoming packets dropped | Number of incoming packets dropped by the Cloud VPN gateway. |
| Sent bytes | The number of bytes sent by the Cloud VPN gateway. |
| Sent packets | Number of packets sent by the Cloud VPN gateway. Dropped packets are broken down by reason. |
| Outgoing packets dropped | Number of outgoing packets (packets going from the gateway to the peer) dropped by the Cloud VPN gateway. |

HA connection health

The following metrics indicate whether or not the connection for an HA VPN gateway is healthy and if its configuration meets the 99.99% SLA.

| Status | Description |
| --- | --- |
| configured_for_sla | Indicates whether or not the HA connection has been fully configured, meaning that the connection contains the necessary number of tunnels and is properly connected to a Cloud Router. |
| gcp_service_health | Indicates whether or not the HA connection is functioning properly on the GCP side. For example, the tunnel is allocated. |
| end_to_end_health | Indicates whether or not packets are being successfully sent and received inside the HA connection. |

Reasons for drop

When a packet is dropped by the Cloud VPN gateway, the gateway provides a reason for the drop.

| Reason | Description | Source of traffic |
| --- | --- | --- |
| dont_fragment_icmp | The dropped packet was an ICMP packet of a size greater than the MTU with the "do not fragment" bit set. Such packets are used for path MTU discovery. | GCP VM |
| exceeds_mtu | The first fragment of a UDP or ESP egress packet is greater than the MTU and has the "do not fragment" bit set. | GCP VM |
| dont_fragment_nonfirst_fragment | A fragment of a UDP or ESP egress packet that is not the first fragment, and which is greater than the MTU and has the "do not fragment" bit set. | GCP VM |
| Sent packets::invalid | Packet was invalid or corrupt in some way. For example, the packet may have had an invalid IP header. | GCP VM |
| Sent packets::throttled | Packet dropped due to excessive load on the Cloud VPN gateway. | GCP VM |
| fragment_received | Received a fragmented packet from the peer. | Peer VPN gateway |
| sequence_number_lost | A packet has arrived at the gateway with a sequence number past the expected sequence number, indicating that a packet with an earlier sequence number may have been dropped. | Peer VPN gateway |
| suspected_replay | ESP packet received with a sequence number that had already been received. | Peer VPN gateway |
| Received packets::invalid | Packet was invalid or corrupt in some way. For example, the packet may have had an invalid IP header. | Peer VPN gateway |
| Received packets::throttled | Packet dropped due to excessive load on the Cloud VPN gateway. | Peer VPN gateway |
| sa_expired | Received a packet with an unknown SA. Could be the result of using an SA that is already expired or one that was never negotiated. | Peer VPN gateway |
| unknown | Packet was dropped for a reason that the gateway could not or did not know how to categorize. | Either |
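
The following is an added example, not code from the original page or from Google: it applies the drop-reason table above to per-tunnel drop counts, using the direction to tell apart the "invalid" and "throttled" reasons that exist for both sent and received packets. The field names (tunnel, direction, reason, count), the "sent"/"received" direction values, the REVIEW policy set and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# (direction, reason) -> source of the dropped traffic, per the table above.
# "invalid" and "throttled" exist in both directions, so direction is part of the key.
SOURCE = {
    ("sent", "dont_fragment_icmp"): "GCP VM",
    ("sent", "exceeds_mtu"): "GCP VM",
    ("sent", "dont_fragment_nonfirst_fragment"): "GCP VM",
    ("sent", "invalid"): "GCP VM",
    ("sent", "throttled"): "GCP VM",
    ("received", "fragment_received"): "Peer VPN gateway",
    ("received", "sequence_number_lost"): "Peer VPN gateway",
    ("received", "suspected_replay"): "Peer VPN gateway",
    ("received", "invalid"): "Peer VPN gateway",
    ("received", "throttled"): "Peer VPN gateway",
    ("received", "sa_expired"): "Peer VPN gateway",
}
# Assumed policy: reasons that warrant a security review, not only an MTU or capacity fix.
REVIEW = {"suspected_replay", "sa_expired", "invalid"}

def triage(samples, min_count=1):
    """Sum drop counts per (tunnel, direction, reason); attach source and review flag."""
    totals = defaultdict(int)
    for s in samples:
        totals[(s["tunnel"], s["direction"], s["reason"])] += s["count"]
    findings = []
    for (tunnel, direction, reason), count in sorted(totals.items()):
        if count < min_count:
            continue
        # "unknown" can come from either side; anything else missing is not in the table.
        source = SOURCE.get((direction, reason), "either" if reason == "unknown" else "unlisted")
        findings.append({"tunnel": tunnel, "direction": direction, "reason": reason,
                         "count": count, "source": source,
                         "review": reason in REVIEW})
    return findings

# Constructed sample points, not real Stackdriver output.
SAMPLES = [
    {"tunnel": "tunnel-a", "direction": "sent", "reason": "exceeds_mtu", "count": 40},
    {"tunnel": "tunnel-a", "direction": "received", "reason": "suspected_replay", "count": 3},
    {"tunnel": "tunnel-a", "direction": "received", "reason": "suspected_replay", "count": 2},
    {"tunnel": "tunnel-b", "direction": "received", "reason": "invalid", "count": 7},
    {"tunnel": "tunnel-b", "direction": "sent", "reason": "invalid", "count": 1},
    {"tunnel": "tunnel-b", "direction": "sent", "reason": "unknown", "count": 0},
]

if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(finding)
```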
