How Can I Prevent VPN Disconnections?
VPN connections are renegotiated when the IPsec SA lifetime is about to expire or the data transmitted through a VPN connection exceeds 20 GB. Usually, renegotiation does not interrupt VPN connections.
Most disconnections are caused by incorrect configurations at the two ends of the VPN connection or renegotiation failures due to Internet exceptions.
Common causes for disconnections are as follows:
- ACLs of the devices at both ends of the VPN connection do not match.
- SA lifetime settings at both ends of the VPN connection are different.
- DPD is not configured in your on-premises data center.
- Configuration is modified when the VPN connection is in use.
- Packets are fragmented because the data size exceeds the MTU.
- Jitter occurs on the carrier's network.
As such, ensure that the following VPN configurations are correct to keep VPN connections alive:
- Local and remote subnets are matched pairs.
- SA lifetime settings at both ends of the VPN connection are the same.
- DPD is enabled on the on-premises gateway device, and the number of detection times is 5 or more.
- Any parameter change made while the VPN connection is in use is applied at both ends of the VPN connection.
- Set TCP MAX-MSS to 1300 for the on-premises gateway device.
- The bandwidth of the on-premises gateway is large enough to be used by the VPN connection.
- VPN connection negotiation can be triggered by both ends and active negotiation has been enabled on the on-premises gateway.
- Ping the subnets at both ends continuously. The script is as follows:
    #!/bin/sh
    # Ping a host every 5 seconds and log each result to <host>.log.
    host=$1
    if [ -z "$host" ]; then
        echo "Usage: $(basename "$0") [HOST]"
        exit 1
    fi
    log_name="$host.log"
    while :; do
        # Send one probe and wait at most 1 second for the reply.
        result=$(ping -W 1 -c 1 "$host" | grep 'bytes from ')
        if [ $? -gt 0 ]; then
            echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is down" | tee -a "$log_name"
        else
            echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is ok -$(echo "$result" | cut -d ':' -f 2)" | tee -a "$log_name"
        fi
        sleep 5 # avoid ping rain
    done
    # ./ping.sh x.x.x.x >>/dev/null &
- Use the vi editor to copy the preceding script to the ping.sh file.
- Run the chmod 777 ping.sh command to grant permissions to the file.
- Run the ping command:
./ping.sh x.x.x.x >>/dev/null &
x.x.x.x indicates the IP address to be pinged.
- Run the following command:
You can view the ping result in real time.
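The log that ping.sh writes can be reduced to a list of outage windows, which makes it easier to compare the times of the drops with the SA lifetime configured at both ends. The following is an added example, not part of the original page; the function names outage_windows and sample_log, the address 192.0.2.10 and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarize outage windows from a log written by ping.sh.
# Expected line formats (as produced by the script on this page):
#   YYYY/MM/DD HH:MM:SS - host H is down
#   YYYY/MM/DD HH:MM:SS - host H is ok - icmp_seq=1 ttl=64 time=2.10 ms

# outage_windows [LOGFILE]  (hypothetical helper; reads stdin if no file is given)
# Prints one line per outage: "<first failed probe> -> <first ok probe> failed=<N>"
outage_windows() {
    awk '
        # Shells whose echo lacks -e (for example dash) log a literal "-e " prefix.
        { sub(/^-e /, "") }
        / is down$/ {
            if (!down) { start = $1 " " $2; failed = 0; down = 1 }
            failed++
            next
        }
        / is ok / {
            if (down) {
                printf "%s -> %s failed=%d\n", start, ($1 " " $2), failed
                down = 0
            }
        }
        END {
            if (down)
                printf "%s -> (still down at end of log) failed=%d\n", start, failed
        }
    ' "$@"
}

# Constructed sample log; 192.0.2.10 is a documentation address.
sample_log() {
    cat <<'EOF'
2024/01/01 10:00:00 - host 192.0.2.10 is ok - icmp_seq=1 ttl=64 time=2.10 ms
2024/01/01 10:00:05 - host 192.0.2.10 is down
2024/01/01 10:00:11 - host 192.0.2.10 is down
2024/01/01 10:00:17 - host 192.0.2.10 is ok - icmp_seq=1 ttl=64 time=2.30 ms
2024/01/01 11:00:05 - host 192.0.2.10 is down
EOF
}

# Summarize the given log file, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then
    outage_windows "$1"
else
    sample_log | outage_windows
fi
```

Outages that start at regular intervals close to the SA lifetime point to renegotiation, while irregular short gaps are more consistent with jitter on the carrier's network.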