Updated on 2025-05-14 GMT+08:00

A Client Cannot Ping the Private IP Address of an ECS

Symptom

A client is connected to a P2C VPN gateway, but cannot ping the private IP address of an ECS.

Possible Causes

  • Ping detection is disabled on the client device or ECS.
  • Ping detection packets are denied by a security group of the ECS.
  • The local CIDR block of the VPN gateway does not contain the private IP address of the ECS to be accessed.
  • The user group to which the user belongs is not configured, or the user group is not configured with the corresponding access policy.
  • After the specified IP address of a client is changed and the client automatically reconnects to the server, the route to the local subnet is not generated in the routing table on the Windows operating system.

Procedure

  1. Check whether ping detection is disabled in an access control policy of the client device or ECS.

    If so, modify the policy to permit ping detection. For the Windows operating system, you also need to modify the inbound rules of the firewall to permit ICMPv4-In.

  2. Verify that the inbound and outbound rules in the ECS's security group permit ICMP packets.
  3. Verify that the local CIDR block includes the private IP address of the ECS to be accessed.
    1. On the Server tab page of the VPN gateway, modify the local CIDR block.
    2. Disconnect the client and reconnect it.
    3. Check whether the client device can receive routes advertised by the VPN gateway.
      • On the Windows operating system, run the route print command.
      • On the Linux operating system, run the ip route show all command.
  4. Ensure that the user group to which the user belongs and the access policy have been configured in user management.

    The destination CIDR block of the access policy needs to include the private IP address of the ECS to be accessed.

  5. Verify that the local CIDR block and client address pool configured on the server meet the following requirements:
    • Local CIDR block: 192.168.1.XX
    • Client address pool: 172.16.0.0
  6. On the client, check whether the route to the local CIDR block is generated.
    • If the route is generated, the routing table contains routes to the local CIDR block through the IP address assigned to the client, which is 172.16.0.5 in this example.
      The command output is as follows:
      IPv4 Routing Table
      ===========================================================================
      Active Routes:
      Network Destination        Netmask          Gateway       Interface  Metric
           192.168.1.XX    255.255.255.0       172.16.0.0       172.16.0.5    281
           192.168.2.XX    255.255.255.0       172.16.0.0       172.16.0.5    281
           192.168.3.XX    255.255.255.0       172.16.0.0       172.16.0.5    281
      ===========================================================================
    • If the route is not generated, disconnect the client and reconnect it.

    If the problem persists, submit a service ticket to contact Huawei technical support.
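
The route check in steps 3 and 6 can be scripted. The following Python code is an added example, not part of the original documentation: it parses Windows route print output and applies longest-prefix matching to report which interface traffic to an ECS address would use. It goes beyond the manual check by catching the case where a missing VPN route lets the default route carry the traffic outside the tunnel. The sample output, the 10.10.0.x addresses and the /24 prefix on the client address pool are assumptions.

```python
import ipaddress

# Constructed sample of `route print -4` output; all addresses are illustrative.
SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.0.1       10.10.0.23     25
      192.168.1.0    255.255.255.0       172.16.0.0       172.16.0.5    281
      192.168.2.0    255.255.255.0       172.16.0.0       172.16.0.5    281
===========================================================================
"""

def parse_active_routes(text):
    """Return (network, gateway, interface, metric) tuples from the IPv4 Active Routes block."""
    routes, in_block = [], False
    for line in text.splitlines():
        parts = line.split()
        if line.strip().startswith("Active Routes"):
            in_block = True
        elif in_block and line.strip().startswith("==="):
            break  # end of the IPv4 Active Routes block
        elif in_block and len(parts) == 5:
            try:
                net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
                routes.append((net, parts[2], ipaddress.ip_address(parts[3]), int(parts[4])))
            except ValueError:
                pass  # not a route row
    return routes

def select_route(routes, target):
    """Longest-prefix match; ties are broken by the lowest metric."""
    addr = ipaddress.ip_address(target)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def uses_vpn(routes, target, client_pool):
    """True if traffic to target leaves through an interface in the VPN client address pool."""
    route = select_route(routes, target)
    return route is not None and route[2] in ipaddress.ip_network(client_pool)

if __name__ == "__main__":
    routes = parse_active_routes(SAMPLE)
    # 172.16.0.0/24 is an assumed prefix length; the page gives only 172.16.0.0.
    for ecs_ip in ("192.168.1.10", "192.168.3.10"):
        print(ecs_ip, "via VPN" if uses_vpn(routes, ecs_ip, "172.16.0.0/24") else "NOT via VPN")
```

An address reported as not using the VPN interface corresponds to the "route is not generated" branch of step 6: disconnect the client and reconnect it, then check again.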