IBM Cloud Docs
Diagnosing VPN server health

The following table identifies the health of VPN servers, provides reasons for failure, and suggests solutions for recovery.

VPN server health diagnostics

| Code | Message | Information |
|---|---|---|
| `cannot_access_client_certificate` | VPN server's client certificate is inaccessible (verify certificate exists and that IAM policies grant VPN server for VPC access to Secrets Manager). | This issue occurs if you delete the Secrets Manager instance, delete the client certificate, or remove service authorization to Secrets Manager after you create a VPN server with the client certificate. Verify that the certificate exists and its IAM policy grants permission. For more information, see Creating an IAM service-to-service authorization. |
| `cannot_access_server_certificate` | VPN server's server certificate is inaccessible (verify certificate exists and that IAM policies grant VPN server for VPC access to Secrets Manager). | This issue occurs if you delete the Secrets Manager instance, delete the server certificate, or remove service authorization to Secrets Manager after you create a VPN server with the server certificate. Verify that the certificate exists and its IAM policy grants permission. For more information, see Creating an IAM service-to-service authorization. |
| `cannot_create_vpc_route` | VPN cannot create route (check for conflict and over_quota). | This issue is commonly caused by a stale route in the routing table. This error occurs if a route exists with the destination in the subrange of the VPN server's IP pools, but the creator is not the VPN server. For example, you encounter this issue if the VPN server's client IPv4 address pool is 192.168.0.0/16, a route exists with destination 192.168.0.0/17 in the VPC routing table, and the route creator is not the VPN server. To resolve this issue, delete the conflicting VPC route. Keep in mind that there are a maximum of 15 advertised routes in a VPC. If over_quota occurs, the VPN server fails with this reason code while creating an advertised route. To resolve this issue, delete any unnecessary advertised routes by switching the Advertise to option to Off in the routing table. |
| `cannot_reserve_ip_address` | IP address exhaustion (release addresses on the VPN's subnet). | This issue commonly occurs if an IP address isn't available on the VPN server's subnet. Release associated resources, such as instances, load balancers, or VPN servers on the subnet. |
| `internal_error` | Internal error (contact IBM support). | Contact IBM Support to analyze and resolve internal errors. |
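
The conflict and quota conditions described for cannot_create_vpc_route can be checked offline against an export of the routing table. The following is an added example, not part of IBM's documentation: the route dictionaries and their field names (name, destination, created_by_vpn_server, advertise) are hypothetical stand-ins for whatever your export contains, and the sample routes are constructed.

```python
import ipaddress

MAX_ADVERTISED_ROUTES = 15  # per-VPC maximum stated on this page


def find_conflicting_routes(client_pool, routes):
    """Return routes whose destination lies inside the VPN server's client
    IP pool but which were not created by the VPN server itself."""
    pool = ipaddress.ip_network(client_pool)
    conflicts = []
    for route in routes:
        # strict=False tolerates destinations written with host bits set
        dest = ipaddress.ip_network(route["destination"], strict=False)
        if dest.version != pool.version:
            continue  # subnet_of() raises TypeError across IPv4/IPv6
        if dest.subnet_of(pool) and not route["created_by_vpn_server"]:
            conflicts.append(route)
    return conflicts


def advertised_slots_left(routes):
    """Number of advertised routes that can still be created in the VPC."""
    used = sum(1 for route in routes if route.get("advertise"))
    return max(0, MAX_ADVERTISED_ROUTES - used)


# Constructed sample; field names are assumptions, not an IBM Cloud schema.
SAMPLE_ROUTES = [
    {"name": "stale-route", "destination": "192.168.0.0/17",
     "created_by_vpn_server": False, "advertise": False},
    {"name": "vpn-managed", "destination": "192.168.128.0/17",
     "created_by_vpn_server": True, "advertise": True},
    {"name": "unrelated", "destination": "10.240.0.0/24",
     "created_by_vpn_server": False, "advertise": True},
]

if __name__ == "__main__":
    for route in find_conflicting_routes("192.168.0.0/16", SAMPLE_ROUTES):
        print(f"conflict: {route['name']} -> {route['destination']}")
    slots = advertised_slots_left(SAMPLE_ROUTES)
    if slots == 0:
        print("over_quota: no advertised route slots left")
    else:
        print(f"advertised route slots left: {slots}")
```
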

Diagnosing VPN server route health

The following table identifies the health of VPN server routes, provides reasons for failure, and suggests solutions for recovery.

VPN server route health

| Code | Message | Information |
|---|---|---|
| `internal_error` | Internal error. Contact IBM Support. | Contact IBM Support to analyze and resolve internal errors. |