Troubleshoot Anypoint VPN

logo cloud active logo hybrid disabled logo server disabled logo rtf disabled

These are some of the possible errors you may encounter when attempting to connect Anypoint VPN.

Unable to Connect to the Anypoint VPN

If you are unable to connect to the Anypoint VPN, ensure any firewalls that are configured are allowing traffic through the IP addresses in the localExternalIpAddress field in the VPN tunnels.

NO_PROPOSAL_CHOSEN Error or Cannot Establish Phase 1 Connection

This is likely due to a problem with your Phase 1 configuration. Anypoint VPN connections support only IKEv1, meaning IKEv2 doesn’t work.

Phase 1 Diffie-Hellman (DH) groups that are supported include 2, 14-18, 22, 23, and 24.

Cannot Establish a Phase 2 Connection

It is possible that your Phase 2 DH group is not supported. Phase 2 DH groups that are supported include 2, 5, 14-18, 22, 23, and 24.

Routes are Not Present in the VPC Route Table

The VPC route table is not updated until the tunnels are active. When using static routing, the remote networks are added to the route table when the tunnel is active, and removed when the tunnel is inactive. This is the expected behavior. When using BGP routing, the routes are propagated from your VPN endpoint when the tunnel is active. If the route table does not show the required entries, ensure that the BGP session is active and validate the BGP configuration on your device.

Anypoint VPN Tunnel Connection Works, but Routes are not Propagated

Ensure that the neighbor IP address for the tunnel is taken from the Local point-to-point IP address in the tunnelโ€™s details.

Phase 2 SA Established, but Traffic not Passing Through Tunnel

The VPN connection supports only one security association (SA) pair per tunnel, so any more than one traffic selector per connection will cause unexpected results.

To solve this, ensure that only one unique SA is used per VPN tunnel connection. If more than one policy is needed, you must consolidate and filter traffic in your network.

Anypoint VPN Tunnel Disconnects After Period of Inactivity

IPsec is established by sending "interesting traffic" (traffic that should be encrypted over the Anypoint VPN connection). If there is no interesting traffic, the tunnel disconnects. This is the expected behavior, and the timeout value might vary.

Some VPN configurations require additional steps to keep the tunnel active, which means you need to ensure you periodically send interesting traffic. For example, sending ICMP requests every 5 seconds to a CloudHub worker’s internal IP address or FQDN will keep the tunnel active.

Tunnel Status in the Runtime Manager UI Shows the Wrong Value

Because the time to retrieve the tunnel status includes the inherent delay in the infrastructure-provider API, you can expect delays of up to five minutes when reporting the correct status. Do not use this information to trigger a failover between the tunnels. Instead, monitor tunnels at the customer-side VPN gateway.

Was this article helpful?

๐Ÿ’™ Thanks for your feedback!

Edit on GitHub
Submit your feedback!
Share your thoughts to help us build the best documentation experience for you!
Take our latest survey!