Troubleshooting

The following troubleshooting guide can help you solve common issues with Cloud VPN.

Check error messages

  1. Go to the VPN page in the Google Cloud Platform Console.
    Go to the VPN page
  2. If you see an exclamation mark (!) icon, hover over it to see the error message.

In many cases, the error message can help you pinpoint the issue. If not, check your logs for more information

Check your logs

Cloud VPN logs are stored in Stackdriver Logging. Logging is automatic and does not need to be enabled.

For your on-premises gateway, view your product documentation for information about viewing logs for that side of the connection.

In many cases, the gateways are configured correctly, but there's a problem in the on-premises network between the hosts and the gateway, or there is a problem with the network between the on-premises gateway and the Cloud VPN gateway.

Check the logs for the following information:

  1. Verify that the peer IP configured on the Cloud VPN gateway is correct.
  2. Verify that traffic flowing from your on-premises hosts is reaching the on-premises gateway.
  3. Verify that traffic is flowing between the two VPN gateways in both directions. In the VPN logs, check for reported incoming messages from the other VPN gateway.
  4. Check that the IKE versions configured is the same on both sides of the tunnel.
  5. Check that the shared secret is the same on both sides of the tunnel.
  6. If you're using NAT-T, check that the NAT firewall or NATs between Cloud VPN and on-premises gateway are correctly configured. Cloud VPN recognizes only a single on-premises VPN gateway by its public IP address when you use NAT-T.
  7. If the VPN logs show a no-proposal-chosen error, this indicates that there was no match between the algorithms configured on the pair of VPN gateways. In IKEv1, the set of algorithms must be a complete match. In IKEv2, there must be one common algorithm between the two configurations. Make sure the Peer VPN gateway is configured to support the values listed in Setting up the peer VPN gateway

If traffic still isn't arriving at its destination, check that your on-premises and Google Cloud Platform routes and firewall rules are configured so that traffic can traverse the tunnel. You might need to contact your network administrator for help.

Tunnel regularly goes down for a few seconds

By default, Cloud VPN negotiates a replacement SA before the existing one expires (also known as rekeying). Your on-premises VPN gateway might not be rekeying. Instead, it might negotiate a new SA only after deleting the existing SA, causing interruptions.

To check whether your on-premises gateway rekeys, view the Cloud VPN logs. If the connection drops and then re-establishes right after a Received SA_DELETE log message, your on-premises gateway didn't rekey. Configure it to rekey.

What's next

Send feedback about...