
VPN Gateway: Use Path Analysis

Last Updated: Dec 01, 2025

VPN Gateway is integrated with Network Intelligence Service (NIS) to support the path analysis feature. You can use path analysis to diagnose network connectivity for SSL-VPN connections.

Background information

To use the path analysis feature, you must specify a source resource and a destination resource. The system then builds a network configuration model between them and analyzes the network connectivity based on the model. If the network is disconnected, the system returns the causes. You can troubleshoot the issue based on the information provided. The system does not send real data packets during the analysis, so your services are not affected.

For example, you can specify an ECS instance as the source resource and another ECS instance in the same Alibaba Cloud account as the destination resource. If you set the destination port to 22 and the protocol to TCP, you can use path analysis to check whether the source ECS instance can connect to the destination ECS instance over the Secure Shell (SSH) protocol. For more information about path analysis, see Use Path Analysis.

This topic describes how to use the path analysis feature to diagnose network connectivity for SSL-VPN connections in the following scenarios.

Prerequisites

Before you use the path analysis feature, ensure that the client is connected to the VPN Gateway. If the client cannot connect, troubleshoot the issue using the client logs and the SSL-VPN connection logs in the VPN Gateway console. For more information, see Troubleshoot SSL-VPN connection issues and Diagnose a VPN Gateway instance.

Example: Use an SSL-VPN connection to connect a client to a VPC

Figure: SSL-VPN path analysis

As shown in the preceding figure, a client uses an SSL-VPN connection to connect to a VPC. The client is connected to the VPN Gateway but cannot access resources in the VPC. In this scenario, you can use path analysis to diagnose the network connectivity between the client and the VPC.

Important

To create a path analysis for the SSL-VPN connection, you need the private IP address that the VPN Gateway assigned to the client. Therefore, you must make sure that the client is connected to the VPN Gateway and has obtained a private IP address. You can view the private IP address that is assigned to the client in the VPN Gateway console. For more information, see View the connection information of an SSL client.

  1. Log on to the VPN Gateway console.

  2. In the top menu bar, select the region where the VPN Gateway instance is deployed.

  3. On the VPN Gateways page, find the VPN Gateway instance and, in the Diagnose column, choose Diagnose > Reachability Analyzer.

  4. In the Reachability Analyzer panel, configure the following parameters and click Start Analyzing.

    Traffic from the client to the VPC

    | Parameter | Description |
    | --- | --- |
    | Source | Select a Source Type. In this example, select VPN Gateway, select the VPN Gateway instance vpn-bp18q**** that is connected to the client, and then enter the private IP address 10.0.0.6 that is assigned by the VPN gateway to the client. |
    | Destination | Select a Destination Type. In this example, select ECS Instance ID and then select an ECS instance in the VPC. |
    | Protocol | Select a protocol for the test. In this example, the default value TCP is used. Note: Select a protocol and destination port based on your network environment. |
    | Destination Port | Enter the port number of the destination resource. In this example, the default value 80 is used. |
    | Name | Define a name for the path. After you initiate the path analysis, the path is automatically saved. This way, you can initiate the analysis again. You can go to the Network Intelligence Service console to view the list of saved paths. |

    Traffic from the VPC to the client

    | Parameter | Description |
    | --- | --- |
    | Source | Select a Source Type. In this example, select ECS Instance ID and then select an ECS instance in the VPC. |
    | Destination | Select a Destination Type. In this example, select VPN Gateway, select the VPN Gateway instance vpn-bp18q**** that is connected to the client, and then enter the private IP address 10.0.0.6 that is assigned by the VPN gateway to the client. |
    | Protocol | Select a protocol for the test. In this example, the default value TCP is used. Note: Select a protocol and destination port based on your network environment. |
    | Destination Port | Enter the port number of the destination resource. In this example, the default value 80 is used. |
    | Name | Define a name for the path. After you initiate the path analysis, the path is automatically saved. This way, you can initiate the analysis again. You can go to the Network Intelligence Service console to view the list of saved paths. |

  5. In the Reachability Analyzer panel, view the analysis results.

    Troubleshoot the issue based on the analysis results. Then, run the path analysis again to make sure that the path is reachable.

  6. If the system indicates that the path is reachable, the client and the VPC can communicate with each other. You can initiate access from the client.

    If the client and the VPC still cannot communicate, troubleshoot the issue by referring to the SSL-VPN FAQ document. For more information, see SSL-VPN connection FAQ.
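The following added example (not Alibaba Cloud code and not the algorithm NIS uses) is a simplified sketch of a configuration-only check for the two directions configured in step 4, followed by the fix-and-rerun loop from step 5. Apart from the client address 10.0.0.6, TCP and port 80, everything is an assumption: the ECS address, the CIDR blocks, the rule sets and all field names are constructed for illustration.

```python
import copy
import ipaddress

CLIENT_IP = "10.0.0.6"   # client address used in the page's example
ECS_IP = "192.168.1.10"  # constructed ECS private IP

# Constructed configuration snapshot; all field names are hypothetical.
CONFIG = {
    "gateway_forward_cidrs": ["192.168.0.0/16"],  # networks SSL clients may reach
    "vpc_routes": {"192.168.0.0/16": "local", "10.0.0.0/24": "vpn-gateway"},
    "sg_inbound": [("tcp", 80, "192.168.0.0/16")],  # (protocol, port, source CIDR)
    "sg_outbound": [("tcp", 80, "0.0.0.0/0")],      # (protocol, port, destination CIDR)
}

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def rule_allows(rules, proto, port, peer_ip):
    return any(p == proto and rp == port and in_cidr(peer_ip, cidr)
               for p, rp, cidr in rules)

def next_hop(routes, ip):
    """Longest-prefix match over the route table; None if nothing matches."""
    hits = [(ipaddress.ip_network(c).prefixlen, hop)
            for c, hop in routes.items() if in_cidr(ip, c)]
    return max(hits)[1] if hits else None

def analyze(cfg, source, proto, port):
    """Evaluate one direction from configuration alone; no packets are sent."""
    if source == "client":  # client -> ECS
        if not any(in_cidr(ECS_IP, c) for c in cfg["gateway_forward_cidrs"]):
            return False, "gateway does not forward to the destination network"
        if not rule_allows(cfg["sg_inbound"], proto, port, CLIENT_IP):
            return False, "no inbound security group rule for the client address"
        return True, "reachable"
    # ECS -> client
    if not rule_allows(cfg["sg_outbound"], proto, port, CLIENT_IP):
        return False, "no outbound security group rule for the client address"
    if next_hop(cfg["vpc_routes"], CLIENT_IP) != "vpn-gateway":
        return False, "VPC route to the client does not point at the VPN gateway"
    return True, "reachable"

def fixed_config():
    """Apply the narrowest fix: allow only the client address on TCP 80."""
    cfg = copy.deepcopy(CONFIG)
    cfg["sg_inbound"].append(("tcp", 80, CLIENT_IP + "/32"))
    return cfg

if __name__ == "__main__":
    for cfg in (CONFIG, fixed_config()):
        for source in ("client", "vpc"):
            print(source, analyze(cfg, source, "tcp", 80))
```

In the constructed snapshot only the client-to-VPC direction fails, which is why the two directions are analyzed separately. The fix admits a single /32 on one port rather than opening the security group to a wider range.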