Troubleshooting VPN issues

VPN test failures

The Skytap Cloud VPN Test tool uses a multi-phase test process. If you have multiple test failures, troubleshoot them in the order listed below.

If this stage fails: Phase 1

  • It means: The IP addresses are incorrect, or one or more of the Phase 1 parameters listed on the Skytap Cloud VPN details page do not match the VPN device you are connecting to.
  • Try this: Verify the IP addresses and the parameters for the VPN device.

If this stage fails: Phase 2

  • It means: The VPN was unable to establish a VPN tunnel to the test subnet. Phase 2 parameters do not match the VPN device you are connecting to.
  • Try this: Verify the parameters for the VPN device.

If this stage fails: Ping Remote Address

  • It means: The VPN was able to negotiate the tunnel, but was unable to receive a response to the ping test. Either the remote target is unable to respond because of a firewall within the guest operating system, or there is a routing failure on the remote side.
  • Try this: Verify that the remote target has no routing failures or blocking firewall rules. Check whether the VPN is configured to block ICMP ping connections.

If this stage fails: Connect To Remote Port

  • It means: The VPN tunnel was successfully created and pinged, but the specific port did not respond.
  • Try this: Verify that the port is open and that no firewall rules block this connection.

Tips

  • You can also review the logs from your VPN device for more details. The device logs should show why the connection from the Skytap Cloud VPN endpoint was refused, or whether the request to initiate a connection was received at all.
  • For a copy of the corresponding logs from the Skytap Cloud VPN endpoint, contact Skytap Support (support@skytap.com).

For more information, see Creating a VPN connection to your Skytap Cloud account.

Connectivity issues

If your VPN connection occasionally drops, try the following troubleshooting steps:

  • Review your SA key lifetimes to make sure they match.
  • Confirm Phase 1 DPD is enabled on both endpoints or disabled on both endpoints; the endpoints must match. We recommend enabling Phase 1 DPD on both endpoints.

    Skytap Cloud does not support third-party Phase 2 DPD; if your corporate endpoint uses Phase 2 DPD, we recommend that you disable it.

  • Confirm that the Skytap Cloud SA policy level matches your VPN endpoint.
  • Review the logs on your VPN device for additional information. You can also contact Skytap Support (support@skytap.com) for a copy of the corresponding VPN logs from Skytap Cloud.

Poor performance

If you experience poor performance over an active VPN tunnel, try the following troubleshooting steps:

  • Test your bandwidth to make sure you have a good connection to the region your VM resides in. See Testing bandwidth and latency with Speedtest.
  • If you suspect you are observing file fragmentation, set a maximum segment size (MSS) between 1300 and 1400 on both VPN endpoints.
  • Perform basic network tests over the VPN to identify issues over the public Internet or with your ISP. For more information, see Troubleshooting network performance issues. You can also review your packet captures.
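
Why an MSS in that range avoids fragmentation, as an added example that is not part of the original page or of Skytap's tooling: the code computes the largest TCP MSS whose segment still fits in a single IPv4 ESP tunnel-mode packet. The cipher suites, the NAT-T option and the sample path MTUs are assumptions; substitute the values negotiated on your own tunnel.

```python
# Added example: largest TCP MSS that fits in one IPv4 ESP tunnel-mode packet.
# Suite parameters are standard ESP sizes, assumed here, not taken from the page.
from typing import NamedTuple

IPV4_HEADER = 20   # outer or inner IPv4 header, no options
TCP_HEADER = 20    # TCP header, no options
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # UDP encapsulation header when NAT traversal is in use


class EspSuite(NamedTuple):
    name: str
    iv: int      # IV bytes carried in every packet
    align: int   # inner packet + padding + trailer is a multiple of this
    icv: int     # integrity check value bytes


AES_CBC_SHA1 = EspSuite("AES-CBC + HMAC-SHA1-96", iv=16, align=16, icv=12)
AES_CBC_SHA256 = EspSuite("AES-CBC + HMAC-SHA-256-128", iv=16, align=16, icv=16)
AES_GCM_16 = EspSuite("AES-GCM, 16-byte ICV", iv=8, align=4, icv=16)


def max_inner_packet(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner IP packet whose ESP-wrapped form still fits in path_mtu."""
    room = path_mtu - IPV4_HEADER - ESP_HEADER - suite.iv - suite.icv
    if nat_t:
        room -= NAT_T_UDP
    # The encrypted part (inner packet + padding + trailer) comes in whole blocks.
    ciphertext = (room // suite.align) * suite.align
    inner = ciphertext - ESP_TRAILER
    if inner < IPV4_HEADER + TCP_HEADER:
        raise ValueError("path MTU too small for this ESP suite")
    return inner


def max_tcp_mss(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest TCP MSS that keeps the encrypted packet within path_mtu."""
    return max_inner_packet(path_mtu, suite, nat_t) - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for mtu in (1500, 1492, 1400):   # Ethernet, PPPoE, a constructed lower-MTU path
        for suite in (AES_CBC_SHA1, AES_CBC_SHA256, AES_GCM_16):
            for nat_t in (False, True):
                mss = max_tcp_mss(mtu, suite, nat_t)
                print(f"mtu={mtu} {suite.name:<28} nat_t={nat_t!s:<5} mss={mss}")
```

With a 1500-byte path MTU these suites give an MSS between 1382 and 1406; a lower path MTU or extra encapsulation reduces it further.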

Inconsistent performance over different subnets

If you can pass traffic over one subnet but not all subnets, this may be caused by a mismatched SA policy level.