Updated on 2024-07-22 GMT+08:00

Ping Tests Between Cloud and On-premises Networks Fail

Symptom

  • Servers in an on-premises data center cannot ping ECSs in a Huawei Cloud VPC.
  • ECSs in a Huawei Cloud VPC cannot ping the servers in an on-premises data center.

Possible Causes

  • The security group configuration on the Huawei Cloud management console is incorrect.
  • The ACL rule associated with the interconnection subnet is incorrectly configured.
  • The ACL configuration on the customer gateway device is incorrect.
  • The route configuration on the customer gateway device is incorrect.

Procedure

  • Check the security group configuration on the Huawei Cloud management console.
    • Verify that the default security group on the Huawei Cloud management console permits data flows destined for the customer subnet.
      To check the default security group on the Huawei Cloud management console, perform the following steps:
      1. Choose Virtual Private Network > Enterprise – VPN Gateways, and click the name of the VPC associated with the VPN gateway.
      2. Click the number of route tables corresponding to the VPC.
      3. On the Route Tables page, click the name of the route table.
      4. Locate and click the next hop of the active or standby EIP of the VPN gateway.
      5. On the Associated Security Groups tab page, check the ports permitted by the security group.
    • Verify that the default security group on the Huawei Cloud management console permits data flows originated from the customer subnet.
    • Verify that the default security group on the Huawei Cloud management console permits data flows destined for the local subnet.
    • Verify that the default security group on the Huawei Cloud management console permits data flows originated from the local subnet.
    • Verify that a security group permits data flows from the ECSs on Huawei Cloud to the customer subnet.

      To check whether such a security group has been configured, choose Compute > Elastic Cloud Server, click an ECS name, click the Security Groups tab, and click Manage Rule.

    • Verify that a security group permits data flows from the customer subnet to the ECSs on Huawei Cloud.
  • Check the ACL rule associated with the interconnection subnet.
    • Check whether the ACL rule associated with the interconnection subnet permits the TCP port for traffic between all local and customer subnets.
      1. Choose Virtual Private Network > Enterprise – VPN Gateways, and click the name of the target VPN gateway.
      2. In the Basic Information area, check and record the interconnection subnet.
      3. In the Basic Information area, click the name of the associated VPC.
      4. On the Summary tab page of the VPC, click the number of subnets in the Networking Components area.
      5. Find the interconnection subnet in the subnet list, and click the ACL name in the Network ACL column.
      6. Permit the TCP port for traffic between all local and customer subnets.
  • Check the ACL configuration on the customer gateway device.
    • Verify that an ACL rule on the customer gateway device permits data flows destined for the local subnet of the Huawei Cloud VPN gateway.
    • Verify that an ACL rule on the customer gateway device permits data flows originated from the local subnet of the Huawei Cloud VPN gateway.

    To check the local subnet of the Huawei Cloud VPN gateway, choose Virtual Private Network > Enterprise – VPN Gateways, click the VPN gateway name, and view the value of Local Subnet in the Basic Information area.

  • Check the route configuration on the customer gateway device.
    • Verify that the public network route is correctly configured. That is, the destination address is an EIP of the Huawei Cloud VPN gateway, and the next hop is the egress interface address of the customer gateway device.
    • Verify that the private network route is correctly configured. That is, the destination address is the local subnet of the Huawei Cloud VPN gateway, and the next hop is the egress interface address of the customer gateway device.

      To check the local subnet of the Huawei Cloud VPN gateway, choose Virtual Private Network > Enterprise – VPN Gateways, click the VPN gateway name, and view the value of Local Subnet in the Basic Information area.
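
The security group checks in the procedure above can be run offline against an exported rule list. The following is an added example, not Huawei Cloud code: the rule field names (direction, protocol, remote), the sample rules and the subnets are constructed, and it assumes ping uses ICMP, so a rule that only permits TCP does not cover it.

```python
import ipaddress

# Constructed sample rules; the field names are hypothetical, not a Huawei Cloud API schema.
SAMPLE_RULES = [
    {"direction": "egress",  "protocol": "any",  "remote": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp",  "remote": "192.168.10.0/24"},
    {"direction": "ingress", "protocol": "icmp", "remote": "192.168.10.0/25"},
]
# Constructed customer (on-premises) subnets.
CUSTOMER_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]


def covered(rules, direction, subnet, protocol="icmp"):
    """Return True if the allow rules for this direction and protocol,
    taken together, cover every address in subnet."""
    target = ipaddress.ip_network(subnet)
    nets = [ipaddress.ip_network(r["remote"]) for r in rules
            if r["direction"] == direction and r["protocol"] in (protocol, "any")]
    nets = [n for n in nets if n.version == target.version]
    # collapse_addresses merges overlapping and adjacent blocks, so two /25
    # rules that jointly cover a /24 are recognised as covering it.
    return any(target.subnet_of(n) for n in ipaddress.collapse_addresses(nets))


def missing_flows(rules, customer_subnets, protocol="icmp"):
    """List the (direction, subnet) pairs that no allow rule fully covers.
    egress = ECS to customer subnet; ingress = customer subnet to ECS."""
    return [(d, s) for s in customer_subnets for d in ("egress", "ingress")
            if not covered(rules, d, s, protocol)]


if __name__ == "__main__":
    for direction, subnet in missing_flows(SAMPLE_RULES, CUSTOMER_SUBNETS):
        print(f"no ICMP allow rule covers {direction} traffic for {subnet}")
```

With the sample data, the inbound ICMP rule covers only half of 192.168.10.0/24 and nothing covers 192.168.20.0/24, so both are reported for the ingress direction.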