VPN Connect Troubleshooting

This topic covers troubleshooting techniques for an IPSec VPN that has issues.

Some of the troubleshooting techniques assume that you are a network engineer with access to your CPE device's configuration.

General Issues

IPSec tunnel is DOWN

Check these items:

IPSec tunnel is UP, but no traffic is passing through

Check these items:

  • Phase 2 (IPSec) configuration: Confirm that the phase 2 (IPSec) parameters are configured correctly on your CPE device. See the configuration appropriate for your CPE device:

  • VCN security lists: Ensure you've set up the VCN security lists to allow the desired traffic (both ingress and egress rules). Note that the VCN's default security list does not allow ping traffic (ICMP type 8 and ICMP type 0). You must add the appropriate ingress and egress rules to allow ping traffic.
  • Firewall rules: Ensure that your firewall rules allow both ingress and egress traffic with the Oracle VPN headend IPs and the VCN CIDR block.
  • Asymmetric routing: Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.
  • Cisco ASA: Do not use the originate-only option with an Oracle IPSec VPN tunnel. It causes the tunnel's traffic to be inconsistently blackholed. The command is only for tunnels between two Cisco devices. Here's an example of the command that you should NOT use for the Oracle IPSec VPN tunnels: crypto map <map name> <sequence number> set connection-type originate-only

IPSec tunnel is UP, but traffic is passing in only one direction

Check these items:

  • Asymmetric routing: Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.
  • Single tunnel preferred: If you want to use only one of the tunnels, ensure that you have the proper policy or routing in place on the CPE to prefer that tunnel.
  • Multiple IPSec connections: If you have multiple IPSec connections with Oracle, make sure to specify more specific static routes for the preferred IPSec connection.
  • VCN security lists: Ensure that your VCN security lists allow traffic in both directions (ingress and egress).
  • Firewall rules: Ensure that your firewall rules allow traffic in both directions with the Oracle VPN headend IPs and the VCN CIDR block.

For an IPSec VPN with a Policy-Based Configuration

IPSec tunnel is DOWN

Check these items:

  • Basic configuration: The IPSec tunnel consists of both phase-1 (ISAKMP) and phase-2 (IPSec) configuration. Confirm that both are configured correctly on your CPE device. See the configuration appropriate for your CPE device:

  • Local and remote proxy IDs: If you're using a policy-based configuration, check if your CPE is configured with more than one pair of local and remote proxy IDs (subnets). The Oracle VPN router supports only one pair. If your CPE has more than one pair, update the configuration to include only one pair, and choose one of the following two options:
    Option   Local Proxy ID                                                           Remote Proxy ID
    1        ANY (or 0.0.0.0/0)                                                       ANY (or 0.0.0.0/0)
    2        On-premises CIDR (an aggregate that covers all the subnets of interest)  VCN's CIDR
  • NAT device: If the CPE is behind a NAT device, the CPE IKE identifier configured on your CPE might not match the CPE IKE identifier Oracle is using (the public IP address of your CPE). If your CPE does not support setting the CPE IKE identifier on your end, you can provide Oracle with your CPE IKE identifier in the Oracle Console. For more information, see Overview of the IPSec VPN Components.
  • Cisco ASA: Do not use the originate-only option with an Oracle IPSec VPN tunnel. It causes the tunnel's traffic to be inconsistently blackholed. The command is only for tunnels between two Cisco devices. Here's an example of the command that you should NOT use for the Oracle IPSec VPN tunnels: crypto map <map name> <sequence number> set connection-type originate-only

IPSec tunnel is UP but keeps flapping

Check these items:

  • Initiation of connection: Ensure that your CPE device is initiating the connection.
  • Local and remote proxy IDs: If you're using a policy-based configuration, check if your CPE is configured with more than one pair of local and remote proxy IDs (subnets). The Oracle VPN router supports only one pair. If your CPE has more than one pair, update the configuration to include only one pair, and choose one of the following two options:
    Option   Local Proxy ID                                                           Remote Proxy ID
    1        ANY (or 0.0.0.0/0)                                                       ANY (or 0.0.0.0/0)
    2        On-premises CIDR (an aggregate that covers all the subnets of interest)  VCN's CIDR
  • Interesting traffic at all times: In general, Oracle recommends having interesting traffic running through the IPSec tunnels at all times if your CPE supports it. Certain Cisco ASA versions require the SLA monitor to be configured, which keeps interesting traffic running through the IPSec tunnels. For more information, see the section for "IP SLA Configuration" in the Cisco ASA policy-based configuration template.

IPSec tunnel is UP but traffic is unsteady

Check these items:

  • Local and remote proxy IDs: If you're using a policy-based configuration, check if your CPE is configured with more than one pair of local and remote proxy IDs (subnets). The Oracle VPN router supports only one pair. If your CPE has more than one pair, update the configuration to include only one pair, and choose one of the following two options:
    Option   Local Proxy ID                                                           Remote Proxy ID
    1        ANY (or 0.0.0.0/0)                                                       ANY (or 0.0.0.0/0)
    2        On-premises CIDR (an aggregate that covers all the subnets of interest)  VCN's CIDR
  • Interesting traffic at all times: In general, Oracle recommends having interesting traffic running through the IPSec tunnels at all times if your CPE supports it. Certain Cisco ASA versions require the SLA monitor to be configured, which keeps interesting traffic running through the IPSec tunnels. For more information, see the section for "IP SLA Configuration" in the Cisco ASA policy-based configuration template.
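The "Local and remote proxy IDs" item appears in each of the three policy-based lists above, and in each case the fix is the same: collapse the CPE's several proxy-ID pairs into the single pair Oracle supports, using either option 1 (ANY/ANY) or option 2 (one aggregate covering every on-premises subnet of interest, paired with the VCN CIDR). The Python below is an added worked example, not Oracle's code and not a CPE command; it computes that covering aggregate and the recommended pair. The subnets, VCN CIDR and function names are constructed assumptions of this example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample values for this example (not from the Oracle page).
ONPREM_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.4.0/22", "10.1.9.0/24"]
VCN_CIDR = "172.16.0.0/16"
ANY = "0.0.0.0/0"


def _as_network(cidr: str) -> ipaddress.IPv4Network:
    """Normalise the textual forms used in the proxy-ID table ('ANY' or a CIDR)."""
    if cidr.strip().upper() == "ANY":
        cidr = ANY
    return ipaddress.ip_network(cidr, strict=True)


def covering_aggregate(cidrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every given subnet.

    This is the 'aggregate that covers all the subnets of interest' of
    option 2. ipaddress.collapse_addresses() only merges adjacent blocks
    and may return several networks; a proxy-ID pair needs exactly one.
    """
    nets = [_as_network(c) for c in cidrs]
    agg = nets[0]
    for net in nets[1:]:
        # Widen the prefix one bit at a time until it also contains `net`.
        # Widening never drops a subnet that was already covered.
        while not agg.supernet_of(net):
            agg = agg.supernet()
    return agg


def recommended_pair(
    configured: List[Tuple[str, str]], vcn_cidr: str, option: int = 2
) -> Tuple[str, str]:
    """Return the one local/remote proxy-ID pair to configure on the CPE.

    configured: the (local, remote) pairs currently present on the CPE.
    A single pair is kept (normalised). More than one pair is replaced
    according to `option`: 1 -> ANY/ANY, 2 -> on-premises aggregate / VCN CIDR.
    """
    if not configured:
        raise ValueError("no proxy-ID pairs configured")
    if len(configured) == 1:
        local, remote = configured[0]
        return (str(_as_network(local)), str(_as_network(remote)))
    if option == 1:
        return (ANY, ANY)
    local_agg = covering_aggregate(local for local, _ in configured)
    return (str(local_agg), str(_as_network(vcn_cidr)))


if __name__ == "__main__":
    # A CPE that mistakenly carries one pair per on-premises subnet.
    pairs = [(subnet, VCN_CIDR) for subnet in ONPREM_SUBNETS]
    print("configured pairs:", len(pairs), "(Oracle supports 1)")
    print("option 1:", recommended_pair(pairs, VCN_CIDR, option=1))
    print("option 2:", recommended_pair(pairs, VCN_CIDR, option=2))
```

Option 2 keeps the tunnel's traffic selector as narrow as the on-premises address plan allows; note that the aggregate can be considerably wider than the union of the subnets (here four subnets become a /20), so check that the widened local proxy ID does not overlap address space you route elsewhere.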

BGP Session Troubleshooting

BGP status is DOWN

Check these items:

  • IPSec status: For the BGP session to be up, the IPSec tunnel itself must be up.
  • BGP address: Verify that both ends of the tunnel are configured with the correct BGP peering IP address.
  • ASN: Verify that both ends of the tunnel are configured with the correct BGP local ASN and Oracle BGP ASN. Oracle's BGP ASN for the commercial cloud is 31898. For the Government Cloud, see Oracle's BGP ASN.
  • MD5: Verify that MD5 authentication is disabled or not configured on your CPE device. The Oracle IPSec VPN does not support MD5 authentication.
  • Firewalls: Verify that your on-premises firewall or access control lists are not blocking the following ports:

    • TCP port 179 (BGP)
    • UDP port 500 (IKE)
    • IP protocol 50 (ESP)

    If your CPE device's firewall is blocking TCP port 179 (BGP), the BGP neighborship state will always be down. Traffic cannot flow through the tunnel because the CPE device and Oracle router do not have any routes.

BGP status is flapping

Check these items:

  • IPSec status: For the BGP session to be up and not flapping, the IPSec tunnel itself must be up and not flapping.
  • Maximum prefixes: Verify that you are advertising no more than 2000 prefixes. If you're advertising more, BGP won't be established.

BGP status is UP, but no traffic is passing through

Check these items:

  • VCN security lists: Ensure you've set up the VCN security lists to allow the desired traffic (both ingress and egress rules). Note that the VCN's default security list does not allow ping traffic (ICMP type 8 and ICMP type 0). You must add the appropriate ingress and egress rules to allow ping traffic.
  • Correct routes on both ends: Verify that you have received the correct VCN routes from Oracle and the CPE device is using those routes. Likewise, verify that you are advertising the correct on-premises network routes over the IPSec VPN, and the VCN route tables use those routes.
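The firewall requirements in "BGP status is DOWN" (TCP 179, UDP 500, IP protocol 50) and the security-list requirement above (ICMP types 8 and 0, both directions) are easy to audit mechanically. The Python below is an added example, not Oracle's tooling: it models allow rules with a hypothetical Rule/Flow structure, lists the flows the page says must be permitted in both directions, and reports which of them no rule covers. The sample ruleset is constructed and deliberately leaves two gaps.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One allow rule from a VCN security list or on-premises firewall.

    protocol:  'tcp', 'udp', 'icmp', an IP protocol number as a string
               (e.g. '50' for ESP), or 'all'.
    port:      destination port for tcp/udp; None means any port.
    icmp_type: ICMP type for icmp; None means any type.
    """
    direction: str                  # "ingress" or "egress"
    protocol: str
    port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    name: str
    direction: str
    protocol: str
    port: Optional[int] = None
    icmp_type: Optional[int] = None


# Flows the page says must not be blocked, required in both directions.
REQUIRED_FLOWS: Tuple[Flow, ...] = tuple(
    Flow(name, direction, proto, port, icmp)
    for direction in ("ingress", "egress")
    for name, proto, port, icmp in (
        ("BGP", "tcp", 179, None),
        ("IKE", "udp", 500, None),
        ("ESP", "50", None, None),           # ESP has no port
        ("ICMP echo request", "icmp", None, 8),
        ("ICMP echo reply", "icmp", None, 0),
    )
)


def _allows(rule: Rule, flow: Flow) -> bool:
    """True when `rule` permits `flow` (wildcards: protocol 'all', port/type None)."""
    if rule.direction != flow.direction:
        return False
    if rule.protocol != "all" and rule.protocol != flow.protocol:
        return False
    if flow.port is not None and rule.port not in (None, flow.port):
        return False
    if flow.icmp_type is not None and rule.icmp_type not in (None, flow.icmp_type):
        return False
    return True


def missing_flows(rules: List[Rule]) -> List[str]:
    """Names of required flows that no rule allows, e.g. 'ingress BGP'."""
    return [
        f"{flow.direction} {flow.name}"
        for flow in REQUIRED_FLOWS
        if not any(_allows(rule, flow) for rule in rules)
    ]


# Constructed sample ruleset (not from the page).
SAMPLE_RULES = [
    Rule("ingress", "udp", port=500),
    Rule("egress", "udp", port=500),
    Rule("ingress", "50"),
    Rule("egress", "50"),
    Rule("egress", "tcp", port=179),        # BGP allowed out, inbound rule missing
    Rule("ingress", "icmp", icmp_type=8),   # echo request in, but no echo reply in
    Rule("egress", "icmp"),                 # all ICMP out
]


if __name__ == "__main__":
    for gap in missing_flows(SAMPLE_RULES):
        print("missing allow rule:", gap)
```

Run against a real ruleset, the missing inbound TCP 179 would show up as exactly the symptom the page describes: the BGP neighbor never leaves the down state even though the IPSec tunnel is up.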

BGP status is UP, but traffic is passing in only one direction

Check these items:

  • VCN security lists: Ensure that your VCN security lists allow traffic in both directions (ingress and egress).
  • Firewalls: Verify that your on-premises firewall or access control lists are not blocking traffic to or from the Oracle end.
  • Asymmetric routing: Oracle uses asymmetric routing. If you have multiple IPSec connections, ensure that your CPE device is configured for asymmetric route processing.
  • Redundant connections: If you have redundant IPSec connections, ensure that they're both advertising the same routes.

Redundant Connections

Remember these important notes:

  • FastConnect uses BGP dynamic routing. IPSec connections can use either static routing or BGP, or a combination.
  • For important details about routing and preferred routes when using redundant connections, see Routing for the Oracle IPSec VPN.
  • You can use two IPSec connections for redundancy. If both IPSec connections have only a default route (0.0.0.0/0) configured, traffic will route to either of those connections because Oracle uses asymmetric routing. If you want one IPSec connection as primary and another one as backup, configure more-specific routes for the primary connection and less-specific routes (or the default route of 0.0.0.0/0) on the backup connection.

IPSec and FastConnect are both set up, but traffic is only passing through IPSec

Ensure that you use more specific routes for the connection you want as primary. If you're using the same routes for both IPSec and FastConnect, see the discussion of routing preferences in Routing for the Oracle IPSec VPN.

Two on-premises data centers each have an IPSec connection to Oracle, but only one is passing traffic

Verify that both IPSec connections are up and ensure that you have asymmetric route processing enabled on the CPE.

If both IPSec connections have only a default route (0.0.0.0/0) configured, traffic will route to either of those connections because Oracle uses asymmetric routing. If you want one IPSec connection as primary and another one as backup, configure more-specific routes for the primary connection and less-specific routes (or the default route of 0.0.0.0/0) on the backup connection.
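The route-preference rule stated here (and earlier under "Multiple IPSec connections" and "Redundant Connections") is ordinary longest-prefix matching. The Python below is an added example, not Oracle's code, that models how a destination is matched against the static routes of each IPSec connection: with only 0.0.0.0/0 on both connections the match ties and either connection can carry the traffic, which is the asymmetric behaviour described above; with more-specific routes on the primary, the primary wins while it is up and the backup takes over only when the primary is not available. Connection names and prefixes are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample route tables (not from the page): the static routes
# associated with each IPSec connection, keyed by a made-up connection name.
BOTH_DEFAULT = {
    "ipsec-a": ["0.0.0.0/0"],
    "ipsec-b": ["0.0.0.0/0"],
}
PRIMARY_BACKUP = {
    "ipsec-primary": ["10.10.0.0/16", "10.20.0.0/16"],  # more-specific routes
    "ipsec-backup": ["0.0.0.0/0"],                      # default route only
}


def candidate_connections(
    destination: str,
    routes_by_connection: Dict[str, List[str]],
    up: Optional[Iterable[str]] = None,
) -> List[str]:
    """Longest-prefix match of `destination` across all connections.

    Returns every connection whose best route ties for the longest prefix,
    sorted by name. More than one name means the traffic can take any of
    them. `up`, if given, restricts the search to connections whose tunnel
    is currently up, which models a failover.
    """
    dst = ipaddress.ip_address(destination)
    up_set = set(up) if up is not None else None
    best_len = -1
    winners: List[str] = []
    for conn, cidrs in routes_by_connection.items():
        if up_set is not None and conn not in up_set:
            continue
        matches = [
            ipaddress.ip_network(c).prefixlen
            for c in cidrs
            if dst in ipaddress.ip_network(c)
        ]
        if not matches:
            continue
        longest = max(matches)
        if longest > best_len:
            best_len, winners = longest, [conn]
        elif longest == best_len:
            winners.append(conn)
    return sorted(winners)


def is_deterministic(
    destination: str,
    routes_by_connection: Dict[str, List[str]],
    up: Optional[Iterable[str]] = None,
) -> bool:
    """True when exactly one connection can carry traffic to `destination`."""
    return len(candidate_connections(destination, routes_by_connection, up)) == 1


if __name__ == "__main__":
    print(candidate_connections("10.10.1.1", BOTH_DEFAULT))     # both tie
    print(candidate_connections("10.10.1.1", PRIMARY_BACKUP))   # primary only
    print(candidate_connections("10.10.1.1", PRIMARY_BACKUP, up=["ipsec-backup"]))  # failover
```

When `candidate_connections` returns two names for a destination, a stateful firewall that expects the reply on the same tunnel as the request will drop traffic intermittently, which is why the page insists on either asymmetric route processing on the CPE or more-specific routes on the preferred connection.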

For more information about this type of setup, see Example Layout with Multiple Geographic Areas.