DiagnoseVpnConnections - Virtual Private Cloud - Alibaba Cloud Documentation Center

Diagnoses IPsec-VPN connections.

Operation description

If the IPsec-VPN connection is in single-tunnel mode, the request parameter VpnConnectionIds is required when you call the DiagnoseVpnConnections operation.
If the IPsec-VPN connection is in dual-tunnel mode, the request parameter TunnelIds is required when you call the DiagnoseVpnConnections operation.
After you call the DiagnoseVpnConnections operation, if the current IPsec-VPN connection is faulty, the operation returns the corresponding error code (FailedReasonCode) and log (SourceLog). You can troubleshoot based on the error code and log information. For more information, see Common errors and troubleshooting methods for IPsec-VPN connections.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
vpc:DiagnoseVpnConnections	get	All Resources *	none	none

Request parameters

Parameter	Type	Required	Description	Example
RegionId	string	Yes	The region ID of the IPsec-VPN connection. You can call the DescribeRegions operation to query the most recent region list.	cn-qingdao
VpnGatewayId	string	No	The ID of the VPN gateway.	vpn-bp10hz6b0mbp39flt****
VpnConnectionIds	array	No	The IDs of IPsec-VPN connections.
	string	No	The ID of the IPsec-VPN connection. Note This parameter is required if the IPsec-VPN connection is in single-tunnel mode.	vco-bp1spxu8hlcvpd7ry****
TunnelIds	array	No	The list of tunnel IDs.
	string	No	The tunnel ID. Note This parameter is required if the IPsec-VPN connection is in dual-tunnel mode.	tun-64n1sr9dig64k6****
PageNumber	integer	No	The page number. Default value: 1.	1
PageSize	integer	No	The number of entries per page. Default value: 10.	10

Response parameters

Parameter	Type	Description	Example
	object	The response parameters.
RequestId	string	The request ID.	B8094E1E-935B-1397-96A8-4F87A5D1BF29
PageNumber	integer	The page number.	1
PageSize	integer	The number of entries per page.	10
TotalCount	integer	The number of entries returned.	1
VpnConnections	array<object>	The diagnostic information.
	object
MismatchRemoteParam	string	If the parameter values configured for the IPsec-VPN connection and the peer gateway device do not match, this parameter indicates the value of the parameter configured for the peer gateway device.	SHA
MismatchLocalParam	string	If the values of the parameters configured for the IPsec-VPN connection and the peer gateway device do not match, this parameter indicates the value of the parameters configured for the IPsec-VPN connection.	SHA256
VpnConnectionId	string	The ID of the IPsec-VPN connection.	vco-bp1spxu8hlcvpd7ry****
SourceLog	string	The log information about the error.	2023-01-13 11:39:21 vco-bp1spxu8hlcvpd7ry**** [PROTO_ERR]: ikev1.c:1433:isakmp_ph1resend(): phase1 negotiation failed due to time up. [{remote id:4}{ph1: 172.16.0.88[500] <=> 192.168.0.206[500], 172.16.0.88 <=> 192.168.0.206}]
FailedReasonCode	string	The error code.	Phase1NegotiationTimeout
FailedTime	long	The timestamp when the current error occurred on the IPsec-VPN connection. Unit: millisecond. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC.	1673581161000
FailedReason	string	The cause of the error.	Phase1 negotiation timeout
Severity	string	The error level. Valid values: Critical Warn Normal	Warn
TunnelId	string	The tunnel ID.	tun-64n1sr9dig64k6****

Examples

Sample success responses

JSONformat

{
  "RequestId": "B8094E1E-935B-1397-96A8-4F87A5D1BF29",
  "PageNumber": 1,
  "PageSize": 10,
  "TotalCount": 1,
  "VpnConnections": [
    {
      "MismatchRemoteParam": "SHA",
      "MismatchLocalParam": "SHA256",
      "VpnConnectionId": "vco-bp1spxu8hlcvpd7ry****",
      "SourceLog": "2023-01-13 11:39:21 vco-bp1spxu8hlcvpd7ry**** [PROTO_ERR]: ikev1.c:1433:isakmp_ph1resend(): phase1 negotiation failed due to time up. [{remote id:4}{ph1: 172.16.0.88[500] <=> 192.168.0.206[500], 172.16.0.88 <=> 192.168.0.206}]",
      "FailedReasonCode": "Phase1NegotiationTimeout",
      "FailedTime": 1673581161000,
      "FailedReason": "Phase1 negotiation timeout",
      "Severity": "Warn",
      "TunnelId": "tun-64n1sr9dig64k6****"
    }
  ]
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidParameter	The parameter is invalid.	-
403	Forbidden	User not authorized to operate on the specified resource.	You do not have the permissions to manage the specified resource. Apply for the permissions and try again.

For a list of error codes, visit the Service error codes.