Help Center/ Virtual Private Network/ Troubleshooting/ The State of a VPN Connection Is Not connected
Updated on 2023-10-20 GMT+08:00

The State of a VPN Connection Is Not connected

Symptom

On the Enterprise – VPN Connections page of the VPN console, the state of a VPN connection is displayed as Not connected.

Possible Causes

  • The configurations at the two ends of the VPN connection are incorrect.
  • The security group configuration on the Huawei Cloud management console or the ACL configuration on the customer gateway device is incorrect.

Procedure

  • Check the configurations at the two ends of the VPN connection.
    • Check whether the gateway IP addresses configured at the two ends of the VPN connection are reversed.
      • To check the active and standby EIPs of the VPN gateway, choose Virtual Private Network > Enterprise – VPN Gateways and view the IP addresses in the Gateway IP Address column.
      • To check the IP address of the customer gateway, choose Virtual Private Network > Enterprise – Customer Gateways and view the IP address in the Gateway IP Address column.
    • Check whether the IKE and IPsec policies at the two ends of the VPN connection are consistent.
      • To view the IKE and IPsec policy settings on the VPN console, choose Virtual Private Network > Enterprise – VPN Connections, locate the target VPN connection, and choose More > Modify Policy Settings.
    • Check whether the PSKs at the two ends of the VPN connection are the same.
      • The PSK cannot be checked on the VPN console. If you are not sure whether the PSK configured on the VPN console is correct, you are advised to change it to be the same as that configured on the customer gateway device.

        To change the PSK on the VPN console, choose Virtual Private Network > Enterprise – VPN Connections, locate the target VPN connection, and choose More > Reset PSK.

    • If the policy-based mode is used, check whether the source and destination CIDR blocks in the policy rules at the two ends of the VPN connection are reversed.

      To check policy rules on the VPN console, choose Virtual Private Network > Enterprise – VPN Connections, locate the target VPN connection, and click Modify VPN Connection.

    • If the static routing mode is used and the NQA function is enabled on the VPN console, check whether tunnel interface IP addresses are correctly configured on the customer gateway device.
      • To check whether NQA is enabled on the VPN console, choose Virtual Private Network > Enterprise – VPN Connections, click the name of the target VPN connection, and view the value of Link Detection on the Summary tab page.
      • To check the tunnel interface IP addresses configured on the VPN console, choose Virtual Private Network > Enterprise – VPN Connections, click Modify VPN Connection, and view the values of Local Interface IP Address and Customer Interface IP Address. The local and remote interface IP addresses configured on the customer gateway device must be the same as the values of Customer Interface IP Address and Local Interface IP Address configured on the VPN console, respectively.
    • If the BGP routing mode is used, check whether the BGP ASNs at the two ends of the VPN connection are reversed.
      • To check the BGP ASN of the VPN gateway, choose Virtual Private Network > Enterprise – VPN Gateways, click the VPN gateway name, and view the BGP ASN in the Basic Information area.
      • To check the BGP ASN of the customer gateway, choose Virtual Private Network > Enterprise – Customer Gateways and view the value in the BGP ASN column.
  • Check the security group configuration on the Huawei Cloud management console and the ACL configuration on the customer gateway device.
    • Check whether the default security group on the Huawei Cloud management console permits traffic of UDP ports 500 and 4500 originated from the public IP address of the customer gateway.
      To check the default security group on the Huawei Cloud management console, perform the following steps:
      1. Choose Virtual Private Network > Enterprise – VPN Gateways, and click the name of the VPC associated with the VPN gateway.
      2. On the Virtual Private Cloud page, click the number in the Route Tables column.
      3. On the Route Tables page, click the name of the route table.
      4. Locate and click the next hop of the active or standby EIP of the VPN gateway.
      5. On the Associated Security Groups tab page, check whether the security group permits traffic of the ports.
    • Verify that an ACL on the customer gateway device permits traffic of UDP ports 500 and 4500 originated from the active and standby EIPs of the VPN gateway.