VPN Gateway is integrated with Network Intelligence Service (NIS) and supports the reachability analyzer feature. You can use the reachability analyzer feature to diagnose the connectivity of SSL-VPN connections.
Background information
When you use the reachability analyzer feature, you need to specify the source resource and destination resource. This feature checks whether the destination is reachable from the source by building a network model. If the destination is unreachable, the system returns the causes. You can troubleshoot the issue based on the returned information. During the analysis, the system does not send service data packets. Therefore, your services are not affected.
For example, you can specify an Elastic Compute Service (ECS) instance within your Alibaba Cloud account as the source, another ECS instance as the destination, port 22 as the destination port, and TCP as the transmission protocol. Then, the reachability analyzer feature checks whether the source ECS instance can connect to the destination ECS instance over SSH. For more information about this feature, see Work with the reachability analyzer.
This topic provides an example on how to use the reachability analyzer feature to diagnose the connectivity between resources when you use SSL-VPN connections.
Before you begin
If a client fails to connect to a VPN gateway, troubleshoot the issue based on the client logs and the SSL-VPN connection logs in the VPN Gateway console before you use the reachability analyzer feature. The reachability analyzer requires that the client is already connected to the VPN gateway. For more information, see Troubleshoot SSL-VPN connection issues and Diagnose a VPN gateway.
Example: Use an SSL-VPN connection to connect a client to a VPC
The preceding figure shows the scenario where you use an SSL-VPN connection to connect a client to a virtual private cloud (VPC), and the client is connected to a VPN gateway. However, the client cannot access resources in the VPC. In this case, you can use the reachability analyzer feature to check the connectivity between the client and the VPC.
When you use the reachability analyzer feature for the SSL-VPN connection, the private IP address that is assigned to the client is required. Therefore, make sure that the client is connected to the VPN gateway and is assigned a private IP address. You can log on to the VPN Gateway console to view the private IP address assigned to the client. For more information, see View the information about an SSL client.
Log on to the VPN Gateway console.
In the top navigation bar, select the region in which the VPN gateway is deployed.
On the VPN Gateways page, find the VPN gateway and choose in the Diagnose column.
In the Reachability Analyzer panel, configure the following parameters and click Start Analyzing.
Traffic from the client to the VPC

| Parameter | Description |
| --- | --- |
| Source | The type of the source resource. In this example, VPN Gateway is selected and the VPN gateway vpn-bp18q**** is selected. The private IP address assigned to the client is 10.0.0.6. |
| Destination | The type of the destination resource. In this example, ECS Instance ID is selected and an ECS instance in the VPC is selected. |
| Protocol | The protocol. In this example, the default protocol TCP is used. Note: Select a protocol and a destination port based on the actual network environment. |
| Destination Port | The port number of the destination resource. In this example, the default value 80 is used. |
| Name | The name of the path. The path is automatically saved after the analysis starts, so you can run the path analysis again later. You can log on to the NIS console to view the saved paths. |
Traffic from the VPC to the client

| Parameter | Description |
| --- | --- |
| Source | The type of the source resource. In this example, ECS Instance ID is selected and an ECS instance in the VPC is selected. |
| Destination | The type of the destination resource. In this example, VPN Gateway is selected and the VPN gateway vpn-bp18q**** is selected. The private IP address assigned to the client is 10.0.0.6. |
| Protocol | The protocol. In this example, the default protocol TCP is used. Note: Select a protocol and a destination port based on the actual network environment. |
| Destination Port | The port number of the destination resource. In this example, the default value 80 is used. |
| Name | The name of the path. The path is automatically saved after the analysis starts, so you can run the path analysis again later. You can log on to the NIS console to view the saved paths. |
View the analysis result in the Reachability Analyzer panel.
If the path is unreachable, troubleshoot the issue based on the analysis result and start an analysis again to ensure that the path is reachable.
In most cases, if the path is reachable, the client can communicate with the VPC and you can initiate requests from the client.
If the client cannot communicate with the VPC, troubleshoot and resolve the issue. For more information, see FAQ about SSL-VPN connections.