VPN Gateway:FAQ about SSL-VPN connections

Category

Cause

Solution

Invalid configurations

The configurations of the SSL server or client are invalid.

1. Check whether the CIDR block that the client needs to access in the virtual private cloud (VPC) is specified in the Local Network parameter of the SSL server on the Alibaba Cloud side. For more information, see Modify an SSL server.

2. Check whether the VPN application on the client is properly configured. For more information, see Configure the client.

Expired SSL client certificate

The SSL client certificate is invalid or expired.

1. Check the validity period of the SSL client certificate.

   The default validity period of the SSL client certificate is three years.

2. Delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.

   You must re-download and install the SSL client certificate after you enable or disable two-factor authentication or modify the configurations of the SSL server. For more information, see Download an SSL client certificate.

Excessive client connections

The number of clients connected to the SSL server exceeds the upper limit.

1. Check whether the number of clients connected to the VPN gateway exceeds the upper limit.

   • If the upper limit is exceeded, you must increase the maximum number of concurrent SSL connections supported by the SSL server. For more information, see Modify the maximum number of concurrent SSL connections.

   • If the upper limit is exceeded but you do not want to increase the maximum number of concurrent SSL connections supported by the SSL server, we recommend that you disconnect the clients that you no longer require from the SSL server. Resources are released 5 minutes after you disconnect the clients from the SSL server.

     For more information about how to view the connection information about an SSL client, see View the information about an SSL client.

2. Change the protocol used by the SSL server to TCP. Then, re-download and install the SSL client certificate. For more information, see Modify an SSL server and Download an SSL client certificate.

   This prevents unreliable connections that are created by using UDP and saves the quota for more reliable connections that are created by using TCP.

Issues related to IP addresses

The IP addresses in the VPC conflict with the IP address of the client.

Modify the Local Network (VPC or vSwitch CIDR block) or Client Subnet parameter of the SSL server to avoid IP address conflicts with the client. For more information, see Modify an SSL server.

If a CIDR block that contains only a few IP addresses is specified as the value of the Client CIDR Block parameter of the SSL server, the IP addresses that can be assigned to clients are insufficient.

Make sure that the number of IP addresses provided by the client CIDR block is at least four times the number of SSL-VPN connections. For more information, see Create and manage an SSL server.

For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first divides a subnet CIDR block with a subnet mask of 30 from 192.168.0.0/24, such as 192.168.0.4/30. This subnet provides up to four IP addresses. Then, the system allocates an IP address from 192.168.0.4/30 to the client and uses the other three IP addresses to ensure network communication. In this case, one client consumes four IP addresses. Therefore, to ensure that an IP address can be allocated to your client, you must make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the associated VPN gateway.

Issues related to VPN applications

A VPN application conflict occurs on the client.

1. If multiple VPN applications are installed on your client, we recommend that you use only one VPN application to create SSL-VPN connections.

2. Restart the client or reinstall the VPN application on the client. For more information, see Configure the client.

Other causes

The issue occurs due to other causes.

Check the logs of the faulty SSL-VPN connection and troubleshoot the issue. For more information, see Troubleshoot SSL-VPN connection issues.

Category

Cause

Solution

Unstable Internet connection

The Internet connection between the client and the VPN gateway is unstable.

Run the ping or mtr command on your client to access the public IP address of the VPN gateway and check the quality of the Internet connection.

If the Internet connection is unstable and causes a high network latency or high packet loss rate, contact the Internet service provider (ISP) to help troubleshoot the issue.

If you use an SSL-VPN connection over a long distance, such as a connection between the US (Silicon Valley) and Singapore regions, the client may be intermittently disconnected when the client accesses the VPC.

Change the protocol used by the SSL server on the Alibaba Cloud side to TCP to improve the reliability of the connection. For more information, see Modify an SSL server.

If the issue persists after you change the protocol used by the SSL server to TCP, we recommend that you use Cloud Enterprise Network (CEN) and Smart Access Gateway (SAG) to connect the client to the VPC.

SSL server configuration changes

The client is disconnected from the SSL server because the configurations of the SSL server are modified.

After you modify the configurations of the SSL server, reconnect the client to the SSL server.

Category

Cause

Solution

Unstable Internet connection

If you use an SSL-VPN connection over a long distance, such as a connection between the US (Silicon Valley) and Singapore regions, the client may be intermittently disconnected when the client accesses the VPC.

Change the protocol used by the SSL server on the Alibaba Cloud side to TCP to improve the reliability of the connection. For more information, see Modify an SSL server.

If you use the SSL-VPN connection for long-distance communication, such as communication between US (Silicon Valley) and Singapore, and the connectivity issue persists after you change the protocol used by the SSL server to TCP, we recommend that you use Cloud Enterprise Network (CEN) and Smart Access Gateway to connect your client to the virtual private cloud (VPC).

Excessive client connections

The number of clients connected to the SSL server exceeds the upper limit.

1. Check whether the number of clients connected to the VPN gateway exceeds the upper limit.

   • If the upper limit is exceeded, you must increase the maximum number of concurrent SSL connections supported by the SSL server. For more information, see Modify the maximum number of concurrent SSL connections.

   • If the upper limit is exceeded but you do not want to increase the maximum number of concurrent SSL connections supported by the SSL server, we recommend that you disconnect the clients that you no longer require from the SSL server. Resources are released 5 minutes after you disconnect the clients from the SSL server.

     For more information about how to view the connection information about an SSL client, see View the information about an SSL client.

2. Change the protocol used by the SSL server to TCP. Then, re-download and install the SSL client certificate. For more information, see Modify an SSL server and Download an SSL client certificate.

   This prevents unreliable connections that are created by using UDP and saves the quota for more reliable connections that are created by using TCP.

Client exceptions

The client or the VPN application on the client does not run as expected. As a result, the client disconnects from the SSL server.

Restart the client, or reinstall and reconfigure the VPN application. For more information about how to install and configure a VPN application, see Configure the client.

Time synchronization issues

SSL verification fails due to the time difference between the client and the SSL server.

The time difference between the client and the SSL server cannot be longer than 10 minutes. We recommend that you set the system time of the client to the standard time.

1. Check the system time of the client.

   Linux is used in this example. Run the date command on the CLI to check the system time of the client. If the system time of the client is greatly different from the standard time, adjust the system time of the client.

2. Synchronize the latest time from the Network Time Protocol (NTP) service.

   Linux is used in this example. Run the following commands on the CLI to synchronize the system time of the client:

   yum install -y ntp    # Install the NTP service.
   ntpdate pool.ntp.org  # Synchronize the latest time.
   date # Check whether the system time of the client is synchronized.

Cause

Solution

The network access control list (ACL) of the client blocks ping packets.

Check whether the network ACL of the client blocks ping packets. If the network ACL blocks ping packets, modify the network ACL. For more information, see the user guide of the client.

By default, the firewall of a Windows client blocks ping packets. You must configure the inbound rule of the firewall to enable ICMPv4-In.

Problem description

Cause

Solution

The VPC can be reached by ping packets from the client, but the client cannot be reached by ping packets from the VPC.

The network ACL of the client blocks ping packets.

Check whether the network ACL of the client blocks ping packets. If the network ACL blocks ping packets, modify the network ACL. For more information, see the user guide of the client.

By default, the firewall of a Windows client blocks ping packets. You must configure the inbound rule of the firewall to enable ICMPv4-In.

The client can be reached by ping packets from the VPC, but the VPC cannot be reached by ping packets from the client.

The path that is probed when you send ping packets to the VPC from the client is different from the path that is probed when you send ping packets to the client from the VPC.

1. If you use CEN, check the route configurations of each node between the client and the VPC. Make sure that the client and the VPC use the same path to communicate with each other.

2. Check whether the resources accessed by the client in the VPC, such as Elastic Compute Service (ECS) instances, are assigned public IP addresses. If the resources are assigned public IP addresses and the client also uses a public IP address, the VPC may access the client over the Internet instead of the internal network.

Cause

Solution

No routes are configured on the client to route client requests to a DNS server. As a result, the domain name cannot be resolved.

1. Check whether the CIDR block of the DNS server is specified as the value of the Local Network parameter of the SSL server on Alibaba Cloud. This allows the client to learn the route that points to the DNS server.

   For example, if you use Alibaba Cloud DNS PrivateZone to manage domain names, you can specify the 100.100.2.136/32 and 100.100.2.138/32 CIDR blocks as the value of the Local Network parameter of the SSL server. This way, the client can use the domain name resolution service.

2. Run the ping or mtr command on the client to access the application. If the application can be accessed, the client and the SSL server run as expected and the route is valid. In this case, you must further troubleshoot the issue based on the cloud services and application that you deployed.

Category

Cause

Solution

Route issues

The Local Network parameter of the SSL server is not specified or the parameter value is invalid.

1. Check whether the CIDR block that the client needs to access is specified in the Local Network parameter of the SSL server on the Alibaba Cloud side and whether the setting is valid. For more information, see Modify an SSL server.

2. Check whether the client has learned the routes that point to the CIDR blocks specified as the value of the Local Network parameter of the SSL server.

   • For a Windows client, you can run the ipconfig command on the CLI to check the IP address assigned to the client. You can run the route print command to check whether the client has learned the routes that point to the CIDR blocks specified as the value of the Local Network parameter of the SSL server.

   • For a Linux client, you can run the ifconfig command on the CLI to check the IP address assigned to the client. You can run the ip route show all command to check whether the client has learned the routes that point to the CIDR blocks specified as the value of the Local Network parameter of the SSL server.

CIDR block issues

The CIDR blocks specified as the value of the Local Network parameter of the SSL server overlap with the CIDR block specified as the value of the Client CIDR Block parameter.

Check whether the CIDR blocks specified in the Local Network parameter of the SSL server on the Alibaba Cloud side overlap with the CIDR blocks specified in the Client Subnet parameter. For more information, see Modify an SSL server.

An IPsec-VPN connection is created on the VPN gateway that is associated with the SSL server. The IPsec-VPN connection is associated with a route whose destination CIDR block overlaps with the CIDR blocks specified in the Client Subnet parameter of the SSL server.

Change the route that is associated with the IPsec-VPN connection to a specific route or set the Client Subnet parameter of the SSL server to other CIDR blocks. This ensures that the destination CIDR block of the route does not overlap with the CIDR blocks specified in the Client Subnet parameter of the SSL server. For more information, see Modify a policy-based route, Modify a destination-based route, or Modify an SSL server.

Security group issues

The security group rules of the application in the VPC, or the network ACL of the client disallows the VPC and the client to communicate with each other.

1. Check whether the security group rules of the application in the VPC allow the VPC to communicate with the client. For more information, see View security group rules and Add a security group rule.

2. Check whether the network ACL of the client allows the client to communicate with the VPC.

Issues related to VPN applications

If outdated or recent OpenVPN versions are installed on the client, compatibility issues may occur. As a result, the client may fail to receive or process the responses sent by the VPN gateway.

For example, if OpenVPN 2.6.6 is installed on a Windows client, the client fails to send ping packets to cloud resources due to compatibility issues.

We recommend that you use the OpenVPN versions suggested in the VPN Gateway documentation. For more information, see Configure the client.

Category

Cause

Solution

VPN gateway specification issues

A sudden traffic surge occurs during data transfer, which exceeds the maximum bandwidth of the VPN gateway.

You can view the traffic monitoring information of the VPN gateway in the VPN Gateway console to check whether a sudden traffic surge occurs.

You can upgrade the VPN gateway. For more information, see Upgrade or downgrade a VPN gateway.

SSL server configuration issues

The SSL server uses unreliable UDP to establish SSL-VPN connections to the client.

1. Change the protocol used by the SSL server to TCP. TCP is more reliable than UDP. For more information, see Modify an SSL server.

2. Re-download and install the SSL client certificate. For more information, see Download an SSL client certificate and the Step 4: Configure the client section of the "Connect a client to a VPC" topic.

Unstable Internet connection

The Internet connection between the client and the VPN gateway is unstable.

Run the ping or mtr command on your client to access the public IP address of the VPN gateway and check the quality of the Internet connection.

If the Internet connection is unstable, contact the ISP to help troubleshoot the issue.

Category

Cause

Solution

VPN gateway specification issues

A sudden traffic surge occurs during data transfer, which exceeds the maximum bandwidth of the VPN gateway.

You can view the traffic monitoring information of the VPN gateway in the VPN Gateway console to check whether a sudden traffic surge occurs.

You can upgrade the VPN gateway. For more information, see Upgrade or downgrade a VPN gateway.

Low version of VPN Gateway

The forwarding capability of VPN Gateway in earlier versions fails to meet the requirements. The response latency increases when the VPN gateway needs to forward heavy traffic.

If your VPN gateway is created before April 1, 2021, upgrade the VPN gateway. The performance of SSL-VPN connections in later VPN Gateway versions is improved. For more information, see Upgrade or downgrade a VPN gateway.