Diagnoses IPsec-VPN connections.
Operation description
- If the IPsec-VPN connection is in single-tunnel mode, the request parameter VpnConnectionIds is required when you call the DiagnoseVpnConnections operation.
- If the IPsec-VPN connection is in dual-tunnel mode, the request parameter TunnelIds is required when you call the DiagnoseVpnConnections operation.
- After you call the DiagnoseVpnConnections operation, if the current IPsec-VPN connection is faulty, the operation returns the corresponding error code (FailedReasonCode) and log (SourceLog). You can troubleshoot based on the error code and log information. For more information, see Common errors and troubleshooting methods for IPsec-VPN connections.
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
  - The required resource types are displayed in bold characters.
  - If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
- Condition Key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
vpc:DiagnoseVpnConnections | get | | | none |
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
RegionId | string | Yes | The region ID of the IPsec-VPN connection. You can call the DescribeRegions operation to query the most recent region list. | cn-qingdao |
VpnGatewayId | string | No | The ID of the VPN gateway. | vpn-bp10hz6b0mbp39flt**** |
VpnConnectionIds | array | No | The IDs of IPsec-VPN connections. | |
(array item) | string | No | The ID of the IPsec-VPN connection. Note: This parameter is required if the IPsec-VPN connection is in single-tunnel mode. | vco-bp1spxu8hlcvpd7ry**** |
TunnelIds | array | No | The list of tunnel IDs. | |
(array item) | string | No | The tunnel ID. Note: This parameter is required if the IPsec-VPN connection is in dual-tunnel mode. | tun-64n1sr9dig64k6**** |
PageNumber | integer | No | The page number. Default value: 1. | 1 |
PageSize | integer | No | The number of entries per page. Default value: 10. | 10 |
Response parameters
Examples
Sample success responses

JSON format

```json
{
  "RequestId": "B8094E1E-935B-1397-96A8-4F87A5D1BF29",
  "PageNumber": 1,
  "PageSize": 10,
  "TotalCount": 1,
  "VpnConnections": [
    {
      "MismatchRemoteParam": "SHA",
      "MismatchLocalParam": "SHA256",
      "VpnConnectionId": "vco-bp1spxu8hlcvpd7ry****",
      "SourceLog": "2023-01-13 11:39:21 vco-bp1spxu8hlcvpd7ry**** [PROTO_ERR]: ikev1.c:1433:isakmp_ph1resend(): phase1 negotiation failed due to time up. [{remote id:4}{ph1: 172.16.0.88[500] <=> 192.168.0.206[500], 172.16.0.88 <=> 192.168.0.206}]",
      "FailedReasonCode": "Phase1NegotiationTimeout",
      "FailedTime": 1673581161000,
      "FailedReason": "Phase1 negotiation timeout",
      "Severity": "Warn",
      "TunnelId": "tun-64n1sr9dig64k6****"
    }
  ]
}
```
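
As an added example (not part of the original API reference), the following Python code turns a DiagnoseVpnConnections response into one triage record per faulty connection or tunnel, surfacing the local/remote parameter mismatch and the IKE peers named in SourceLog. The function name `triage`, the output field names, the SourceLog patterns and the reading of FailedTime as epoch milliseconds are assumptions inferred from the single sample response above.

```python
import json
import re
from datetime import datetime, timezone

# Sample input: the success response from this page, reduced to the fields used below.
SAMPLE = json.loads("""
{"VpnConnections": [{
  "MismatchRemoteParam": "SHA",
  "MismatchLocalParam": "SHA256",
  "VpnConnectionId": "vco-bp1spxu8hlcvpd7ry****",
  "SourceLog": "2023-01-13 11:39:21 vco-bp1spxu8hlcvpd7ry**** [PROTO_ERR]: ikev1.c:1433:isakmp_ph1resend(): phase1 negotiation failed due to time up. [{remote id:4}{ph1: 172.16.0.88[500] <=> 192.168.0.206[500], 172.16.0.88 <=> 192.168.0.206}]",
  "FailedReasonCode": "Phase1NegotiationTimeout",
  "FailedTime": 1673581161000,
  "Severity": "Warn",
  "TunnelId": "tun-64n1sr9dig64k6****"
}]}
""")

# Assumed SourceLog layout, inferred from the one sample on this page.
LOG_RE = re.compile(r"\[(?P<level>\w+)\]: (?P<file>[\w.]+):(?P<line>\d+):(?P<func>\w+)\(\)")
PEERS_RE = re.compile(r"ph1: (?P<a>[\d.]+)\[(?P<a_port>\d+)\] <=> (?P<b>[\d.]+)\[(?P<b_port>\d+)\]")

def triage(response):
    """Return one finding per faulty connection or tunnel in a response."""
    findings = []
    for item in response.get("VpnConnections", []):
        code = item.get("FailedReasonCode")
        if not code:  # assumption: healthy entries carry no FailedReasonCode
            continue
        log = item.get("SourceLog") or ""
        src, peers = LOG_RE.search(log), PEERS_RE.search(log)
        local, remote = item.get("MismatchLocalParam"), item.get("MismatchRemoteParam")
        failed_ms = item.get("FailedTime")
        findings.append({
            "target": item.get("TunnelId") or item.get("VpnConnectionId"),
            "code": code,
            "severity": item.get("Severity"),
            # FailedTime is treated as epoch milliseconds (assumption from the sample value).
            "failed_at_utc": datetime.fromtimestamp(failed_ms / 1000, tz=timezone.utc).isoformat() if failed_ms else None,
            "mismatch": f"local={local} remote={remote}" if local and remote and local != remote else None,
            "log_source": f"{src['file']}:{src['line']} {src['func']}" if src else None,
            "ike_peers": (f"{peers['a']}:{peers['a_port']}", f"{peers['b']}:{peers['b_port']}") if peers else None,
        })
    return findings
```

Converting FailedTime to UTC makes it directly comparable with peer-side logs; in the sample it falls eight hours behind the timestamp embedded in SourceLog.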
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | InvalidParameter | The parameter is invalid. | - |
403 | Forbidden | User not authorized to operate on the specified resource. | You do not have the permissions to manage the specified resource. Apply for the permissions and try again. |
For a list of error codes, see Service error codes.