Troubleshooting VPN test failures
Contents
VPN test failures
The Skytap VPN Test tool uses a multi-phase test process. If you have multiple test failures, troubleshoot them in the order listed below.
If this stage fails… | It means… | Try this… |
---|---|---|
Phase 1 | The IP addresses are incorrect, or one or more of the Phase 1 parameters listed on the Skytap VPN details page don’t match the VPN device you’re connecting to. | Verify the IP addresses and the parameters for the VPN device. |
Phase 2 | The VPN was unable to establish a VPN tunnel to the test subnet. Phase 2 parameters don’t match the VPN device you’re connecting to. | Verify the parameters for the VPN device. |
Ping Remote Address | The VPN was able to negotiate the tunnel, but was unable to receive a response to the ping test. The remote target is unable to respond due to a firewall within the guest operating system or there is a routing failure on the remote side. | Verify that the remote target has no routing failures or blocking firewall rules. Check if the VPN is configured to block ICMP ping connections. |
Connect To Remote Port | The VPN tunnel was successfully created and pinged, but the specific port did not respond. | Verify that the port is open and that no firewall rules block this connection. |
Tips
- You can also review the logs from your VPN device for more details. Your device should provide meaningful logging for why the connection from the Skytap VPN endpoint was refused (or if the request to initiate a connection was received at all).
- For a copy of the corresponding logs from the Skytap VPN endpoint, contact support@skytap.com.
For more information, see Creating a VPN connection to your Skytap account.
Connectivity issues
If there is no active VPN connection at all:
- Make sure the Skytap VPN is attached to a Skytap environment network.
- Make sure the attached Skytap environment has at least one running VM.
If your VPN connection occasionally drops, try the following troubleshooting steps:
- Review your SA key lifetimes to make sure they match.
-
Confirm Phase 1 DPD is enabled on both endpoints or disabled on both endpoints; the endpoints must match. We recommend enabling Phase 1 DPD on both endpoints.
Skytap doesn’t support third-party Phase 2 DPD; if your corporate endpoint uses Phase 2 DPD, we recommend that you disable it.
- Confirm that the Skytap SA policy level matches your VPN endpoint.
- Review the logs on your VPN device for additional information. You can also contact Skytap Support (support@skytap.com) for a copy of the corresponding VPN logs from Skytap.
Poor performance
If you experience poor performance over an active VPN tunnel, try the following troubleshooting steps:
- Test your bandwidth to make sure you have a good connection to the region your VM resides in. See Testing bandwidth and latency with Speedtest.
- If you suspect you’re observing file fragmentation, set a maximum segment size (MSS) between 1300-1400 on both VPN endpoints.
- Perform basic network tests over the VPN to identify issues over the public Internet or with your ISP. For more information, see Troubleshooting network performance issues. You can also review your packet captures.
Inconsistent performance over different subnets
If you can pass traffic over one subnet but not all subnets, this may be caused by an unmatched SA policy level.