Partner VPN Device Problems

This section describes common problems that you might encounter while connecting the cloud gateway with the partner device.

When there are issues setting up the connection to the partner device, alarms are created in App Net Manager. See Working with Alarms and Events in Oracle Corente Cloud Services Exchange Administration Guide.

Could Not Fit Range from Partner

Description

When the tunnel is not set up between the CSG gateway and the partner gateway, the following message is displayed as an active tunnel alarm in App Net Manager.

Gateway [identity-domain.name-of-CSG-gateway] could not fit range [remote acl range 10.0.0.0–10.63.255.255] from Partner [name-of-partner-device] because it is nested within committed range [local LAN range 10.18.7.112–10.18.7.115] from Gateway/Partner [identity-domain.name-of-CSG-gateway]. Consequently, the secure subnet tunnel between the two Partners has not been brought up. Please check the partners’ NAT policies and User Groups.

Solution

This error indicates that the subnets provided in the 10.18.x.x range are already nested in the 10.0.0.x range.

To resolve this issue, remove the 10.0.0.0 subnet.
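The following pre-check is an added example, not Oracle code. It compares the remote ACL ranges you plan to accept from a partner with the local LAN ranges already committed on the gateway and reports nesting or overlap before the tunnel is configured. The function names are hypothetical, the 10.x ranges come from the alarm text above, and the 172.16.5.0/24 range is constructed. IPv4 input is assumed.

```python
import ipaddress

def parse_range(text):
    """Parse 'start-end' (hyphen or en dash), CIDR, or a single address."""
    text = text.replace("\u2013", "-").strip()
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return net.network_address, net.broadcast_address
    parts = [ipaddress.ip_address(p.strip()) for p in text.split("-")]
    first, last = parts[0], parts[-1]
    if len(parts) > 2 or first > last:
        raise ValueError(f"invalid range: {text}")
    return first, last

def relation(remote, local):
    """Return how two (first, last) ranges relate, or None if disjoint."""
    r_lo, r_hi = remote
    l_lo, l_hi = local
    if r_hi < l_lo or l_hi < r_lo:
        return None
    if r_lo <= l_lo and l_hi <= r_hi:
        return "remote contains local"
    if l_lo <= r_lo and r_hi <= l_hi:
        return "remote inside local"
    return "partial overlap"

def find_conflicts(remote_ranges, local_ranges):
    """List (remote, local, relation) for every pair that is not disjoint."""
    conflicts = []
    for remote in remote_ranges:
        for local in local_ranges:
            rel = relation(parse_range(remote), parse_range(local))
            if rel:
                conflicts.append((remote, local, rel))
    return conflicts

if __name__ == "__main__":
    # Ranges from the alarm above, plus one constructed non-conflicting range.
    remote_acl = ["10.0.0.0\u201310.63.255.255", "172.16.5.0/24"]
    local_lan = ["10.18.7.112\u201310.18.7.115"]
    for remote, local, rel in find_conflicts(remote_acl, local_lan):
        print(f"CONFLICT: {remote} vs {local}: {rel}")
    # After removing the 10.0.0.0 range, nothing is reported.
    print(find_conflicts(remote_acl[1:], local_lan))
```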

IPsec Phase1 Failure Brings Down Tunnel

Description

The following error message is displayed under the Alarms section in the App Net Manager.

The secure tunnel between [identity-domain.name-of-CSG-gateway] and [name-of-partner-device] is DOWN. (IPsec Phase1 ISAKMP SA Failed).

Solution

This error indicates that there is an IPsec Phase 1 failure and the connection between the cloud gateway and the partner device could not be set up. Such failures usually occur if you have provided incorrect information, such as an incorrect WAN IP Address or Visible IP Address, while registering the third-party VPN device. See Registering a Third-Party VPN Device. Such failures can also occur if you have provided an incorrect pre-shared key (PSK) as the Shared Secret. See Connecting the Cloud Gateway with the Third-Party Device.

To resolve this error, ensure that the information you have provided is correct. For information about updating a third-party VPN device, see Updating a Third-Party Device. For information about updating the PSK, see Updating a VPN Connection.

IPsec Phase2 Failure Brings Down Tunnel

Description

When you add another subnet, the VPN tunnel (which was established previously) fails and the following error message is displayed under the Alarms section in the App Net Manager.

The secure tunnel between [identity-domain.name-of-CSG-gateway] and [name-of-partner-device] is DOWN.
detail
[IPsec Phase2 Failed
192.128.0.0/16-10.50.0.0/16:UP
10.0.0.0/16-10.50.0.0/16:DOWN]

Solution

This error indicates that the IP addresses announced by Corente do not match the IP addresses accepted or published by the partner device. In this example, the partner device is not configured to receive traffic from the 10.0.0.0/16 subnet.

Add the new subnet to the firewall of the partner device.