
VPN Tunnel Connected Yet Private Network Unconnected

Last updated: 2024-09-26 10:42:55

Phenomenon Description

VPN Connections are used to establish communication between a VPC and an IDC. The VPN tunnel status is Connected, but the private networks on the two sides cannot communicate. The symptoms are as follows:

The VPN tunnel status shows Connected:

A server on the VPC side cannot ping a private IP on the IDC side:


Possible Reasons

If the tunnel status is normal yet the private networks cannot communicate, the possible causes are as follows:
The VPC subnet route table does not contain a route pointing to the IDC-side private IP range
The security policy on the VPC/IDC side does not allow traffic between the corresponding source and destination IPs
The VPN gateway has no tunnel (routing type) pointing to the IDC-side private IP range
The operating system firewall on the VPC/IDC-side private network server does not allow the peer IP range
The SPD policy on the VPC/IDC side does not cover the source and destination IPs
The VPN gateway has no routing policy configured

Processing Procedures

1. Check the VPC subnet route table for a route whose destination is the IDC-side private IP range and whose next hop is the corresponding VPN gateway. Also check whether the IDC side has a route whose destination is the VPC IP range and whose next hop is the corresponding VPN tunnel. Go to the VPC subnet route table, click the route table ID, and open the details page to check:

Run the following command on the IDC side to check the routing (taking a Huawei device as an example):
display ip routing-table //Check whether there is a route whose destination is the cloud VPC IP range and whose next hop is the corresponding VPN tunnel
If so, proceed to Step 3.
If not, complete the routing information according to business requirements, then proceed to Step 2.
2. Check whether communication is restored, i.e. log in to a server in the VPC/IDC and ping the private IP of the peer server.
Note
To log in to the CVM in the VPC, please refer to logging in to Linux Instance or logging in to Windows Instance.
If so, communication is normal, the issue is resolved, and the process ends.
If not, please proceed to Step 3.
3. Check whether the security group associated with the server in the VPC and the network ACL associated with the subnet allow traffic from the on-premises IDC, and also check whether the IDC side allows traffic from the cloud VPC. Go to the VPC server security group page, click the security group ID, and open the "Security Group Rules" page to check:

Go to the VPC subnet ACL rules, click the network ACL ID, open the "Basic Information" page, and click the "Inbound Rules" tab to check:

Check the security policies on the IDC side (taking Huawei Firewall as an example):
display current-configuration configuration security-policy
If they do, go to Step 5.
If not, allow the private IP ranges that need to communicate in the security group, network ACL and IDC-side security devices, then go to Step 4.
4. Check whether communication is restored, i.e. log in to a server in the VPC/IDC and ping the private IP of the peer server.
If so, communication is normal, the issue is resolved, and the process ends.
If not, please go to Step 5.
5. Check the built-in operating system firewalls of the VPC cloud server and the IDC internal server respectively, and whether they have policies allowing the peer network segment. For Linux servers, check the firewall with: iptables --list. For Windows servers, check the firewall via Control Panel/System and Security/Windows Firewall/Allowed Apps.
If they do, go to Step 7.
If not, allow the business network segments that need to communicate in the firewall of the internal server, then go to Step 6.
6. Check whether communication is restored, i.e. log in to a server in the VPC/IDC and ping the private IP of the peer server.
If so, communication is normal, the issue is resolved, and the process ends.
If not, please go to Step 7.
7. Check whether the SPD policies of the VPN tunnels on both the VPC and IDC sides include the required internal network segments. Go to the VPC-side SPD policy, click the VPN tunnel ID, and open the "Basic Information" page to check the SPD policy:

IDC-side SPD policy check (using Huawei firewall as an example):
display current-configuration configuration acl
If so, go to Step 8.
If not, add the missing SPD policies, then go to Step 8.
8. Check whether the routing table of the VPN gateway contains the corresponding routing policies. Go to the VPN gateway, click the VPN gateway ID, and open the "Routing Table" page to check the routing policies.

If so, go to Step 9.
If not, set the next hop on the VPN gateway > Routing tab, then go to Step 9.

9. Check whether communication is restored, i.e. log in to a server in the VPC/IDC and ping the private IP of the peer server.
If so, communication is normal, the issue is resolved, and the process ends.
If not, please go to Step 10.
10. Collect the information gathered above and submit a work order, or contact the equipment manufacturer for follow-up.
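The following Python script is an added example, not part of the original document or of any vendor tooling. It models the checklist in Steps 1 to 8 as checks over a constructed description of one side's configuration: subnet route table, security group / network ACL rules, host firewall rules, SPD policies and VPN gateway routing policies. All CIDRs and ids (10.0.0.0/16, 192.168.0.0/16, vpngw-example, vpnx-example) are constructed placeholders. Against a healthy configuration it returns no findings; against one with a missing subnet route and a host firewall that only allows a narrower IDC segment it names exactly the failing steps, which is the same order of elimination the procedure walks through by hand.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# All identifiers and address ranges below are constructed for this example;
# they are not values from the page or from any real VPN deployment.

def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

@dataclass
class Route:
    destination: str   # CIDR this route covers
    next_hop: str      # id of the VPN gateway or VPN tunnel the route points to

@dataclass
class Rule:
    action: str        # "allow" or "deny"; evaluated first-match-wins
    source: str        # CIDR
    destination: str   # CIDR

@dataclass
class SideConfig:
    """One side (VPC or IDC) as seen by the checklist in the procedure."""
    subnet_routes: List[Route]           # Step 1: subnet route table
    security_rules: List[Rule]           # Step 3: security group / network ACL / IDC security policy
    os_firewall: List[Rule]              # Step 5: host firewall on the server
    spd_policies: List[Tuple[str, str]]  # Step 7: (local CIDR, peer CIDR) pairs
    gateway_routes: List[Route]          # Step 8: VPN gateway routing policies
    gateway_id: str
    tunnel_id: str

def lookup_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as a route table would do it."""
    matches = [r for r in routes if _in(dst, r.destination)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.destination, strict=False).prefixlen)

def first_match(rules: List[Rule], src: str, dst: str) -> str:
    for r in rules:
        if _in(src, r.source) and _in(dst, r.destination):
            return r.action
    return "deny"   # nothing matched: treat as the implicit default deny

def diagnose(side: SideConfig, local_ip: str, peer_ip: str) -> List[str]:
    """Return the checklist items that fail for traffic between local_ip and peer_ip."""
    findings = []
    r = lookup_route(side.subnet_routes, peer_ip)
    if r is None or r.next_hop != side.gateway_id:
        findings.append("step 1: no subnet route to the peer range via the VPN gateway")
    if first_match(side.security_rules, peer_ip, local_ip) != "allow":
        findings.append("step 3: security group / network ACL does not allow the peer range")
    if first_match(side.os_firewall, peer_ip, local_ip) != "allow":
        findings.append("step 5: OS firewall does not allow the peer range")
    if not any(_in(local_ip, loc) and _in(peer_ip, rem) for loc, rem in side.spd_policies):
        findings.append("step 7: SPD policy does not cover the source/destination pair")
    g = lookup_route(side.gateway_routes, peer_ip)
    if g is None or g.next_hop != side.tunnel_id:
        findings.append("step 8: VPN gateway has no routing policy to the peer range via the tunnel")
    return findings

VPC_CIDR, IDC_CIDR = "10.0.0.0/16", "192.168.0.0/16"   # constructed ranges

HEALTHY_VPC = SideConfig(
    subnet_routes=[Route(VPC_CIDR, "LOCAL"), Route(IDC_CIDR, "vpngw-example")],
    security_rules=[Rule("allow", IDC_CIDR, VPC_CIDR)],
    os_firewall=[Rule("allow", IDC_CIDR, VPC_CIDR)],
    spd_policies=[(VPC_CIDR, IDC_CIDR)],
    gateway_routes=[Route(IDC_CIDR, "vpnx-example")],
    gateway_id="vpngw-example",
    tunnel_id="vpnx-example",
)

# Same side with two typical mistakes: the subnet route to the IDC range is
# missing, and the host firewall only allows one /24 of the IDC range.
BROKEN_VPC = SideConfig(
    subnet_routes=[Route(VPC_CIDR, "LOCAL")],
    security_rules=HEALTHY_VPC.security_rules,
    os_firewall=[Rule("allow", "192.168.1.0/24", VPC_CIDR), Rule("deny", "0.0.0.0/0", "0.0.0.0/0")],
    spd_policies=HEALTHY_VPC.spd_policies,
    gateway_routes=HEALTHY_VPC.gateway_routes,
    gateway_id="vpngw-example",
    tunnel_id="vpnx-example",
)

if __name__ == "__main__":
    for name, cfg in (("healthy", HEALTHY_VPC), ("broken", BROKEN_VPC)):
        print(name, diagnose(cfg, "10.0.1.10", "192.168.2.20") or ["no findings"])
```

The IDC side is checked the same way by building a SideConfig from its routing table, security policy, host firewall and ACL-based SPD entries and calling diagnose with the roles swapped. Note that first_match treats an unmatched packet as denied, which is the conservative reading of a security group or firewall with no matching allow rule.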