
VPN Gateway: Work with reachability analyzer

Last Updated: Jun 17, 2024

VPN Gateway works with Network Intelligence Service (NIS) and supports the reachability analyzer feature. This topic describes how to use reachability analyzer to check the connectivity between the resources that use a VPN gateway.

Background information

When you use reachability analyzer, you need to specify the source resource and destination resource. Reachability analyzer checks whether the destination is reachable from the source by building a network model. If the destination is unreachable, the system returns the causes. You can troubleshoot based on the information. During the analysis, service data packets are not sent. Therefore, your services are not affected.

For example, you can specify an Elastic Compute Service (ECS) instance within your Alibaba Cloud account as the source, another ECS instance as the destination, port 22 as the destination port, and TCP as the transmission protocol. Then, reachability analyzer checks whether the source ECS instance can connect to the destination ECS instance over SSH. For more information about reachability analyzer, see Work with the reachability analyzer.

This topic describes the following scenarios to demonstrate how to use reachability analyzer to check the connectivity of IPsec-VPN connections.

Before you begin

Before you use reachability analyzer to check the connectivity of an IPsec-VPN connection, make sure that IPsec negotiations have succeeded. If IPsec negotiations fail, troubleshoot the issue based on the logs and the error codes displayed in the VPN Gateway console, or by using the instance diagnostics feature of VPN Gateway. For more information, see Troubleshoot IPsec-VPN connection issues and Diagnose a VPN gateway.

Scenario 1: Use IPsec-VPN to connect a data center to a virtual private cloud (VPC)

[Figure: IDC-to-VPC scenario example]

As shown in the preceding figure, when a data center is connected to a VPC by using IPsec-VPN, IPsec negotiations may succeed while the data center still cannot communicate with the VPC. In this case, you can troubleshoot the issue by using reachability analyzer.

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region in which the VPN gateway that you want to manage resides.

  3. On the VPN Gateways page, find the VPN gateway that you want to manage and choose Diagnose > Reachability Analyzer in the Diagnose column.

  4. In the Reachability Analyzer panel, configure the following parameters and click Start Analyzing.

    The following section describes how to create a path in inbound and outbound directions.

    Traffic from the data center to the VPC

    [Figure: IDC-to-VPC path analysis 1]

    Source: The type of the source resource. In this example, VPN Gateway is selected, and the VPN gateway vpn-uf6xkloc**** that is connected to the data center over an IPsec-VPN connection is selected. Then, the private IP address 172.16.0.201 of a server in the data center is used as the source IP address.

    Destination: The type of the destination resource. In this example, ECS Instance ID is selected, and the ECS instance i-uf6a**** that is connected to the data center is selected.

    Protocol: The protocol. In this example, the default protocol TCP is used.
    Note: You can select a protocol and destination port based on the actual network environment.

    Destination Port: The port number of the destination resource. In this example, the default value 80 is used.

    Name: The name of the path. The path is automatically saved after the analysis starts, so you can run the path analysis again later. You can view the saved paths in the NIS console.

    Traffic from the VPC to the data center

    [Figure: IDC-to-VPC path analysis 2]

    Source: The type of the source resource. In this example, ECS Instance ID is selected, and the ECS instance i-uf6a**** that is connected to the data center is selected.

    Destination: The type of the destination resource. In this example, VPN Gateway is selected, and the VPN gateway vpn-uf6xkloc**** that is connected to the data center over an IPsec-VPN connection is selected. Then, the private IP address 172.16.0.201 of a server in the data center is used as the destination IP address.

    Protocol: The protocol. In this example, the default protocol TCP is used.
    Note: You can select a protocol and destination port based on the actual network environment.

    Destination Port: The port number of the destination resource. In this example, the default value 80 is used.

    Name: The name of the path. The path is automatically saved after the analysis starts, so you can run the path analysis again later. You can view the saved paths in the NIS console.

  5. View the path analysis result in the Reachability Analyzer panel.

    Troubleshoot issues based on the result and check the path again to make sure that the path is reachable.

  6. In most cases, if the path is reachable, the data center can communicate with the VPC.

    If the data center still cannot communicate with the VPC, troubleshoot based on the FAQ about IPsec-VPN connections topic.

Scenario 2: Use IPsec-VPN to connect VPCs within the same account across regions

Important

For more information about how to create a path in scenarios where IPsec-VPN is used to connect VPCs that belong to different accounts across regions, see Scenario 1.

[Figure: VPC-to-VPC scenario example]

As shown in the preceding figure, when VPCs within the same account are connected across regions by using IPsec-VPN, IPsec negotiations may succeed while the ECS instances in the VPCs still cannot communicate with each other. In this case, you can troubleshoot the issue by using reachability analyzer.

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region in which the VPN gateway that you want to manage resides.

  3. On the VPN Gateways page, find the VPN gateway that you want to manage and choose Diagnose > Reachability Analyzer in the Diagnose column.

  4. In the Reachability Analyzer panel, configure the following parameters and click Start Analyzing.

    [Figure: VPC-to-VPC, create a path]

    Source: The type of the source resource. In this example, ECS Instance ID is selected, and ECS1 is selected.

    Destination: The type of the destination resource. In this example, ECS Instance ID is selected, and ECS2 is selected.

    Protocol: The protocol. In this example, the default protocol TCP is used.
    Note: You can select a protocol and destination port based on the actual network environment.

    Destination Port: The port number of the destination resource. In this example, the default value 80 is used.

    Name: The name of the path. The path is automatically saved after the analysis starts, so you can run the path analysis again later. You can view the saved paths in the NIS console.

  5. View the path analysis result in the Reachability Analyzer panel.

    [Figure: VPC-to-VPC analysis result]

    As shown in the preceding figure, ECS1 cannot communicate with ECS2 because the security group rules of ECS2 block requests from ECS1. You need to modify the security group rules of ECS2 and check the path again to make sure that the path is reachable.

    [Figure: VPC-to-VPC path reachable]

  6. In most cases, if the path is reachable, the ECS instances in the VPCs can communicate with each other.

    If the ECS instances still cannot communicate with each other, troubleshoot based on the FAQ about IPsec-VPN connections topic.
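The security-group finding in step 5 above, as an added example that is not part of the original topic or of the NIS product code: a small Python model of the kind of check reachability analyzer performs without sending packets. It walks the routes hop by hop and then evaluates the destination ECS instance's inbound security group rules (first matching rule by priority wins, implicit deny otherwise) over a constructed Scenario 2 topology, reporting the cause when the destination is unreachable. The hop names, IP addresses and rules are constructed and hypothetical.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class SgRule:
    """Inbound security group rule; lower priority number is evaluated first."""
    action: str       # "accept" or "drop"
    protocol: str     # "tcp", "udp", "icmp" or "all"
    ports: tuple      # (low, high) for tcp/udp; ignored otherwise
    source_cidr: str
    priority: int = 1

@dataclass
class Hop:
    """Path hop: the CIDRs it can route to and, on the destination ECS, its inbound rules."""
    name: str
    routes: list
    inbound_rules: list = field(default_factory=list)

def rule_matches(rule, src_ip, proto, port):
    if rule.protocol not in ("all", proto):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ip_address(src_ip) in ip_network(rule.source_cidr)

def analyze_path(src_ip, dst_ip, proto, port, hops):
    """Return ("reachable", None) or ("unreachable", cause) from the model alone; no packets sent."""
    for hop in hops:
        if not any(ip_address(dst_ip) in ip_network(c) for c in hop.routes):
            return "unreachable", f"{hop.name}: no route to {dst_ip}"
    dst = hops[-1]   # the last hop is the destination ECS; its security group is default-deny
    for rule in sorted(dst.inbound_rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, proto, port):
            if rule.action == "accept":
                return "reachable", None
            return "unreachable", f"{dst.name}: security group rule drops {proto}/{port} from {src_ip}"
    return "unreachable", f"{dst.name}: no inbound rule accepts {proto}/{port} from {src_ip}"

# Constructed Scenario 2 topology (hypothetical addresses): ECS1 -> VPN gateways -> ECS2.
ECS1_IP, ECS2_IP = "10.0.1.10", "10.0.2.20"
def scenario2_path(ecs2_rules):
    return [Hop("vpc1-route-table", ["10.0.1.0/24", "10.0.2.0/24"]),
            Hop("vpn-gateway-region-a", ["10.0.2.0/24"]),
            Hop("vpn-gateway-region-b", ["10.0.2.0/24"]),
            Hop("ECS2", ["10.0.2.0/24"], ecs2_rules)]

BEFORE = [SgRule("accept", "tcp", (80, 80), "10.0.2.0/24")]  # ECS2 admits only its own subnet
AFTER = BEFORE + [SgRule("accept", "tcp", (80, 80), "10.0.1.0/24")]  # add ECS1's subnet, tcp/80 only
```

Calling analyze_path(ECS1_IP, ECS2_IP, "tcp", 80, scenario2_path(BEFORE)) reports ECS2's security group as the cause, and the same call with AFTER reports the path as reachable while tcp/22 from ECS1 stays blocked.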

Scenario 3: Use IPsec-VPN to connect multiple on-premises servers

[Figure: IPsec-VPN between data centers, scenario example]

As shown in the preceding figure, when multiple on-premises servers are connected by using IPsec-VPN, IPsec negotiations may succeed while the on-premises servers still cannot communicate with each other. In this case, you can troubleshoot the issue by using reachability analyzer.

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region in which the VPN gateway that you want to manage resides.

  3. On the VPN Gateways page, find the VPN gateway that you want to manage and choose Diagnose > Reachability Analyzer in the Diagnose column.

  4. In the Reachability Analyzer panel, configure the following parameters and click Start Analyzing.

    Source: The type of the source resource. In this example, VPN Gateway is selected, and the VPN gateway vpn-uf6xkloc**** that is connected to an on-premises server in Shanghai over an IPsec-VPN connection is selected. Then, the private IP address 172.16.0.221 of the server in Shanghai is used as the source IP address.

    Destination: The type of the destination resource. In this example, VPN Gateway is selected, and the VPN gateway vpn-uf6xkloc**** that is connected to an on-premises server in Ningbo over an IPsec-VPN connection is selected. Then, the private IP address 192.168.0.169 of the server in Ningbo is used as the destination IP address.

    Protocol: The protocol. In this example, the default protocol TCP is used.
    Note: You can select a protocol and destination port based on the actual network environment.

    Destination Port: The port number of the destination resource. In this example, the default value 80 is used.

    Name: The name of the path. The path is automatically saved after the analysis starts, so you can run the path analysis again later. You can view the saved paths in the NIS console.

  5. View the path analysis result in the Reachability Analyzer panel.

    Troubleshoot based on the result and check the path again to make sure that the path is reachable.

  6. In most cases, if the path is reachable, the on-premises servers can communicate with each other.

    If the on-premises servers still cannot communicate with each other, troubleshoot based on the FAQ about IPsec-VPN connections topic.