All Products
Search
Document Center

Virtual Private Cloud:DiagnoseVpnConnections

Last Updated:Aug 29, 2024

Diagnoses IPsec-VPN connections.

Operation description

  • If the IPsec-VPN connection is in single-tunnel mode, the request parameter VpnConnectionIds is required when you call the DiagnoseVpnConnections operation.
  • If the IPsec-VPN connection is in dual-tunnel mode, the request parameter TunnelIds is required when you call the DiagnoseVpnConnections operation.
  • After you call the DiagnoseVpnConnections operation, if the current IPsec-VPN connection is faulty, the operation returns the corresponding error code (FailedReasonCode) and log (SourceLog). You can troubleshoot based on the error code and log information. For more information, see Common errors and troubleshooting methods for IPsec-VPN connections.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
vpc:DiagnoseVpnConnectionsget
  • All Resources
    *
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
RegionIdstringYes

The region ID of the IPsec-VPN connection.

You can call the DescribeRegions operation to query the most recent region list.

cn-qingdao
VpnGatewayIdstringNo

The ID of the VPN gateway.

vpn-bp10hz6b0mbp39flt****
VpnConnectionIdsarrayNo

The IDs of IPsec-VPN connections.

stringNo

The ID of the IPsec-VPN connection.

Note This parameter is required if the IPsec-VPN connection is in single-tunnel mode.
vco-bp1spxu8hlcvpd7ry****
TunnelIdsarrayNo

The list of tunnel IDs.

stringNo

The tunnel ID.

Note This parameter is required if the IPsec-VPN connection is in dual-tunnel mode.
tun-64n1sr9dig64k6****
PageNumberintegerNo

The page number. Default value: 1.

1
PageSizeintegerNo

The number of entries per page. Default value: 10.

10

Response parameters

ParameterTypeDescriptionExample
object

The response parameters.

RequestIdstring

The request ID.

B8094E1E-935B-1397-96A8-4F87A5D1BF29
PageNumberinteger

The page number.

1
PageSizeinteger

The number of entries per page.

10
TotalCountinteger

The number of entries returned.

1
VpnConnectionsarray<object>

The diagnostic information.

object
MismatchRemoteParamstring

If the parameter values configured for the IPsec-VPN connection and the peer gateway device do not match, this parameter indicates the value of the parameter configured for the peer gateway device.

SHA
MismatchLocalParamstring

If the values of the parameters configured for the IPsec-VPN connection and the peer gateway device do not match, this parameter indicates the value of the parameters configured for the IPsec-VPN connection.

SHA256
VpnConnectionIdstring

The ID of the IPsec-VPN connection.

vco-bp1spxu8hlcvpd7ry****
SourceLogstring

The log information about the error.

2023-01-13 11:39:21 vco-bp1spxu8hlcvpd7ry**** [PROTO_ERR]: ikev1.c:1433:isakmp_ph1resend(): phase1 negotiation failed due to time up. [{remote id:4}{ph1: 172.16.0.88[500] <=> 192.168.0.206[500], 172.16.0.88 <=> 192.168.0.206}]
FailedReasonCodestring

The error code.

Phase1NegotiationTimeout
FailedTimelong

The timestamp when the current error occurred on the IPsec-VPN connection. Unit: millisecond.

This value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC.

1673581161000
FailedReasonstring

The cause of the error.

Phase1 negotiation timeout
Severitystring

The error level. Valid values:

  • Critical
  • Warn
  • Normal
Warn
TunnelIdstring

The tunnel ID.

tun-64n1sr9dig64k6****

Examples

Sample success responses

JSONformat

{
  "RequestId": "B8094E1E-935B-1397-96A8-4F87A5D1BF29",
  "PageNumber": 1,
  "PageSize": 10,
  "TotalCount": 1,
  "VpnConnections": [
    {
      "MismatchRemoteParam": "SHA",
      "MismatchLocalParam": "SHA256",
      "VpnConnectionId": "vco-bp1spxu8hlcvpd7ry****",
      "SourceLog": "2023-01-13 11:39:21 vco-bp1spxu8hlcvpd7ry**** [PROTO_ERR]: ikev1.c:1433:isakmp_ph1resend(): phase1 negotiation failed due to time up. [{remote id:4}{ph1: 172.16.0.88[500] <=> 192.168.0.206[500], 172.16.0.88 <=> 192.168.0.206}]",
      "FailedReasonCode": "Phase1NegotiationTimeout",
      "FailedTime": 1673581161000,
      "FailedReason": "Phase1 negotiation timeout",
      "Severity": "Warn",
      "TunnelId": "tun-64n1sr9dig64k6****"
    }
  ]
}

Error codes

HTTP status codeError codeError messageDescription
400InvalidParameterThe parameter is invalid.-
403ForbiddenUser not authorized to operate on the specified resource.You do not have the permissions to manage the specified resource. Apply for the permissions and try again.

For a list of error codes, visit the Service error codes.