The State of a VPN Connection Is Not connected

Symptom

On the Enterprise – VPN Connections page of the VPN console, the state of a VPN connection is displayed as Not connected.

Possible Causes

• The configurations at the two ends of the VPN connection are incorrect.
• The security group configuration on the Huawei Cloud management console or the ACL configuration on the customer gateway device is incorrect.
• The IPsec VPN connection negotiation fails or the connection is disconnected.

Procedure

1. Reset VPN connections.

   If the problem persists, go to 2.

2. Check the configurations at the two ends of the VPN connections.
   1. Check whether the gateway IP addresses configured at the two ends of the VPN connection are reversed.
      1. To check the active and standby EIPs of the VPN gateway, choose Virtual Private Network > Enterprise – VPN Gateways and view the IP addresses in the Gateway IP Address column.
      2. To check the IP address of the customer gateway, choose Virtual Private Network > Enterprise – Customer Gateways and view the IP address in the Identifier column.
         • If the gateway IP addresses at both ends are not reversed, modify the corresponding settings.
         • If the gateway IP addresses at both ends are reversed, go to b.
   2. Check whether the IKE and IPsec policies at both ends are consistent.

      Choose Virtual Private Network > Enterprise – VPN Connections, locate the target VPN connection, and choose More > Modify Policy Settings. View the IKE and IPsec policy settings.

      If the negotiation parameters in the IKE or IPsec policy at both ends are inconsistent, modify the corresponding policy.

      If the negotiation parameters in the IKE and IPsec policies at both ends are consistent, go to c.

   3. Check whether the PSKs at both ends are the same.

      The PSK cannot be checked on the VPN console. If you are not sure whether the PSK configured on the VPN console is correct, you are advised to change it to be the same as that configured on the customer gateway device.

      To change the PSK on the VPN console, choose Virtual Private Network > Enterprise – VPN Connections, locate the target VPN connection, and choose More > Reset PSK.

   4. If the policy-based mode is used, check whether the source and destination CIDR blocks in the policy rules at the two ends of the VPN connection are reversed.

      To check policy rules on the VPN console, choose Virtual Private Network > Enterprise – VPN Connections, locate the target VPN connection, and click Modify VPN Connection.

   5. If the static routing mode is used and the NQA function is enabled on the VPN console, check whether tunnel interface IP addresses are correctly configured on the customer gateway device.
      • To check whether NQA is enabled on the VPN console, choose Virtual Private Network > Enterprise – VPN Connections, click the name of the target VPN connection, and view the value of Link Detection on the Summary tab page.
      • To check the tunnel interface IP addresses configured on the VPN console, choose Virtual Private Network > Enterprise – VPN Connections, click Modify VPN Connection, and view the values of Local Interface IP Address and Customer Interface IP Address.

        The local and remote interface IP addresses configured on the customer gateway device must be the same as the values of Customer Interface IP Address and Local Interface IP Address configured on the VPN console, respectively.

   6. If the BGP routing mode is used, check whether the BGP ASNs at the two ends of the VPN connection are reversed.
      • To check the BGP ASN of the VPN gateway, choose Virtual Private Network > Enterprise – VPN Gateways, click the VPN gateway name, and view the BGP ASN in the Basic Information area.
      • To check the BGP ASN of the customer gateway, choose Virtual Private Network > Enterprise – Customer Gateways and view the value in the BGP ASN column.
3. Check the security group configuration on the Huawei Cloud management console and the ACL configuration on the customer gateway device.
   1. Check whether the default security group on the Huawei Cloud management console permits the ports corresponding to the public IP addresses of the customer gateway.
   2. To check the default security group on the Huawei Cloud management console, perform the following steps:
      1. Choose Virtual Private Network > Enterprise – VPN Gateways, and click the name of the VPC associated with the VPN gateway.
      2. On the Virtual Private Cloud page, click the number in the Route Tables column.
      3. On the Route Tables page, click the name of the route table.
      4. Locate and click the next hop of the active or standby EIP of the VPN gateway.
      5. On the Associated Security Groups tab page, check whether the security group permits traffic of the ports.
   3. Verify that an ACL on the customer gateway device permits the ports corresponding to the active and standby EIPs of the VPN gateway.
4. Check IPsec connection logs.
   1. Log in to the management console.
   2. Click in the upper left corner and select the desired region and project.
   3. Click in the upper left corner, and choose Networking > Virtual Private Network.
   4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Connections.
   5. On the VPN Connection page, locate the target VPN connection, and click View Logs to view connection logs.

      Check IPsec connection logs, and locate the fault based on the log keywords and error codes listed in Table 1.

      Table 1 Common causes of VPN disconnection

      Category	No.	Error Message	Description	Handling Procedure
      IPsec VPN negotiation failure	1	phase1 proposal mismatch	IKE proposal parameters on both ends do not match. This message is available only on the initiator of the tunnel.	Check IKE proposal parameters at both ends of the tunnel, and ensure that the parameters are consistent at both ends.
      	2	phase1 proposal encryption algorithm mismatch	The encryption algorithms in IKE proposals at both ends do not match. This message is available only on the responder of the tunnel.
      	3	phase1 proposal authentication method mismatch	The authentication methods in IKE proposals at both ends do not match. This message is available only on the responder of the tunnel.
      	4	phase1 proposal authentication algorithm mismatch	The authentication algorithms in IKE proposals at both ends do not match. This message is available only on the responder of the tunnel.
      	5	phase1 proposal dh mismatch	The DH groups in IKE proposals at both ends do not match. This message is available only on the responder of the tunnel.
      	6	phase1 proposal integrity algorithm mismatch	The integrity algorithms in IKE proposals at both ends do not match. This message is available only on the responder of the tunnel.
      	7	phase1 proposal prf mismatch	The PRF algorithms in IKE proposals at both ends do not match. This message is available only on the responder of the tunnel.
      	8	phase2 proposal or pfs mismatch	IPsec proposal parameters, PFS algorithms, or security ACLs on both ends do not match.	Check IPsec proposal parameters or PFS algorithms at both ends of the tunnel, and ensure that the parameters or algorithms are consistent at both ends.
      	9	responder dh mismatch	The DH algorithm of the responder does not match that of the initiator.	Check DH algorithms at both ends of the tunnel, and ensure that the algorithms are consistent at both ends.
      	10	initiator dh mismatch	The DH algorithm of the initiator does not match that of the responder.
      	11	encapsulation mode mismatch	Encapsulation modes on both ends do not match.	Contact technical support.
      	12	flow mismatch	Security ACLs on both sides do not match.	Contact technical support.
      	13	version mismatch	IKE versions on both ends do not match.	Contact technical support.
      	14	peer address mismatch	IKE peer addresses on both ends do not match.	Check the IP addresses of IKE peers at both ends, and ensure that the IP addresses match each other.
      	15	config ID mismatch	No IKE peer with the specified ID is found.	Contact technical support.
      	16	exchange mode mismatch	Negotiation modes on both ends do not match.	Check the IKE negotiation modes at both ends, and ensure that the negotiation modes are consistent at both ends.
      	17	authentication fail	The identity authentication fails.	Check IKE proposal parameters or IKE peer parameters at both ends of the tunnel, and ensure that the parameters are consistent at both ends.
      	18	construct local ID fail	A local ID fails to be constructed.	Contact technical support.
      	19	rekey no find old sa	The old SA fails to be found during renegotiation.	Contact technical support.
      	20	rekey fail	The old SA is going offline during renegotiation.	Contact technical support.
      	21	first packet limited	First packets are rate limited.	Contact technical support.
      	22	unsupported version	The IKE version is not supported.	Contact technical support.
      	23	malformed message	There is a malformed message.	Contact technical support.
      	24	malformed payload	There is a malformed payload.	Contact technical support.
      	25	malformed payload or psk mismatch	There are malformed payloads or the pre-shared keys at both ends are inconsistent.	Contact technical support.
      	26	critical drop	The critical payload is not recognized.	Contact technical support.
      	27	cookie mismatch	The cookies do not match.	Contact technical support.
      	28	invalid cookie	The cookie is invalid.	Contact technical support.
      	29	invalid length	The packet length is invalid.	Contact technical support.
      	30	unknown exchange type	The negotiation mode is unknown.	Contact technical support.
      	31	short packet	Packets are ultra-short.	Contact technical support.
      	32	uncritical drop	The non-critical payload is not identified.	Contact technical support.
      	33	route limit	The number of imported routes reaches the upper limit.	Replace the device with a device with higher route injection specifications, and properly plan the network.
      	34	ip assigned fail	IP address assignment fails.	Ensure that the AAA and IPsec configurations, such as the IP address pools, AAA service schemes, and IP addresses assigned to IKE users, are correct.
      	35	eap authentication timeout	EAP authentication times out.	Ensure that the client's user name and password as well as the user access configuration are correct.
      	36	eap authentication fail	EAP authentication fails.
      	37	xauth authentication fail	XAUTH authentication fails.
      	38	xauth authentication timeout	XAUTH authentication times out.
      	39	license or specification limited	There is license control.	Contact technical support.
      	40	local address mismatch	The local IP address and interface IP address in IKE negotiation do not match.	Check the local IP address and interface IP address used for IKE negotiation, and ensure that the addresses are consistent at both ends.
      	41	dynamic peers number reaches limitation	The number of IKE peers reaches the upper limit.	Contact technical support.
      	42	ipsec tunnel number reaches limitation	The number of IPsec tunnels reaches the upper limit.	Contact technical support.
      	43	netmask mismatch	The mask does not match the configured one after the IPsec mask filtering function is enabled.	Contact technical support.
      	44	flow confict	A data flow conflict exists.	Contact technical support.
      	45	proposal mismatch or use sm in ikev2	IPsec proposals on both ends do not match or IKEv2 uses an SM algorithm.	Check the algorithms used by IKEv2 in the IPsec proposals at both ends of the tunnel, and ensure that the algorithms are consistent at both ends.
      	46	ikev2 not support sm in ipsec proposal ikev2	IKEv2 does not support the SM algorithm used in the IPsec proposal.
      	47	no policy applied on interface	No policy is applied to an interface.	Contact technical support.
      	48	nat detection fail	NAT detection fails.	Contact technical support.
      	49	fragment packet limit	The number of fragments exceeds the upper limit.	Contact technical support.
      	50	fragment packet reassemble timeout	Fragment reassembly times out.	Ensure that the links at both ends are normal and the device status is normal.
      	51	peer cert is expired	The peer certificate has expired.	Contact technical support.
      	52	peer cert is revoked by CRL	The peer certificate is revoked.	Contact technical support.
      	53	sa with same user exists	The SA is the same as that of another user.	Contact technical support.
      	54	max transmit reached	The number of retransmitted packets reaches the maximum.	Contact technical support.
      IPsec VPN connection disconnection	1	dpd timeout	DPD detection times out.	Perform a ping operation to check link reachability. If the link is unreachable, verify the link and network configuration.
      	2	peer request	The peer device sends a message, asking the local device to tear down a tunnel.	Check log information of the peer end, and locate the cause of the IPsec tunnel fault.
      	3	config modify or manual offline	The SA is automatically deleted due to configuration modification, or is manually deleted.	Check whether an SA is reset manually. If so, no further action is required. Check whether the IPsec configuration modified on the local end is correct. If not, correct the IPsec configuration. Check whether the manual deletion of IPsec policies is appropriate. If not, reapply the IPsec policies to the interface.
      	4	phase1 hard expiry	In phase 1, hard timeout (no new SA negotiation succeeds) occurs.	Check whether the IKE SA lifetime is proper. If not, modify the IKE SA lifetime.
      	5	phase2 hard expiry	A hard timeout occurs in phase 2.	Check whether the IPsec SA lifetime is proper. If not, modify the IPsec SA lifetime.
      	6	heartbeat timeout	Heartbeat detection times out.	Contact technical support.
      	7	re-auth timeout	The SA is deleted because the re-authentication times out.	No action is required.
      	8	aaa cut user	The SA is deleted because the AAA module logs out the user.	No action is required.
      	9	ip address syn failed	IP addresses fail to be synchronized.	Ensure that the link is normal and the IPsec configurations are correct.
      	10	hard expiry triggered by port mismatch	Hard timeout occurs due to a NAT port number mismatch.	Contact technical support.
      	11	kick old sa with same flow	The old SA is deleted when the same flow is transmitted.	Contact technical support.
      	12	cpu table updated	When an SPU is removed and inserted, the SAs of CPUs other than the one on the SPU are deleted.	No action is required.
      	13	flow overlap	The IP address in the encrypted data flow conflicts with the peer IP address.	Check the security ACL configurations at both ends, and modify the conflicting ACL rules for traffic flows.
      	14	spi conflict	An SPI conflict occurs.	No action is required.
      	15	admin down	The VPN tunnel status is admin down.	Contact technical support.
      	16	peer address switch	The peer address is changed.	Contact technical support.
      	17	forward down	The fwd group goes down.	Contact technical support.
      	18	sa with same user exists	The SA is the same as that of another user.	Contact technical support.
      	19	reset sa by ike user	A user resets the SA.	Contact technical support.
      	20	phase1 sa replace	A new IKE SA replaces the old one.	No action is required.
      	21	phase2 sa replace	A new IPsec SA replaces the old one.	No action is required.
      	22	manual offline	The connection is manually torn down.	Contact technical support.
      	23	nhrp notify	The NHRP module notifies the device of SA deletion.	No action is required.
      	24	receive backup delete info	The standby device receives an SA backup deletion message from the active device.	No action is required.
      	25	eap delete old sa	When the peer device performs EAP authentication repeatedly, the local device deletes the old SA.	No action is required.
      	26	receive invalid spi notify	The device receives an invalid SPI notification.	If the notification is frequently received, check whether the status and configurations of the peer device are abnormal.
      	27	dns resolution status change	The DNS resolution status is changed.	Ensure that the DNS server is working properly. Ensure that the configured domain name is correct. If the fault persists, contact technical support.
      	28	ikev1 phase1-phase2 sa dependent offline	The device deletes the associated IPsec SA when deleting an IKEv1 SA.	Contact technical support.
      	29	exchange timeout	Packet exchange times out.	Ensure that the link is normal and the IPsec configurations are correct.
      	30	hash gene adjusted	The hash factor is adjusted, causing the IPsec tunnel to be deleted.	Contact technical support.
      	31	ipsec tunnel recover	The tunnel is automatically recovered and re-established through a self-healing mechanism.	No action is required.
      	32	hash except	The IPsec tunnel is deleted because the hash algorithm is adjusted.	Contact technical support.

If the fault persists after you verify the preceding configurations, contact Huawei engineers by submitting a service ticket.