Google Cloud VPN connection degradation

Solution 1:

As per the logs you shared, it looks like Cloud VPN has accepted 1 proposal.

To locate the issue, you can follow the below steps:

  1. Check the logs to see if the VPN has the warning 'The peer gateway notifies: Proposal mismatch in CHILD SA (phase 2)'.

  2. If you are getting this warning, then the next step would be to check the peer logs with the keyword 'NO_PROPOSAL_CHOSEN'.

If you are getting 'NO_PROPOSAL_CHOSEN' in the logs, it means Cloud VPN and your peer VPN gateway are unable to agree on a set of ciphers. For IKEv1, the set of ciphers must match exactly. Make sure that you use supported ciphers to configure your peer VPN gateway. Refer to the supported IKE ciphers document [1] to know more about it.

Also note that, by default, Cloud VPN negotiates a replacement security association (SA) before the existing one expires (also known as rekeying). Your peer VPN gateway might not be rekeying. Instead, it might negotiate a new SA only after deleting the existing SA, causing interruptions [2]. If the connection drops and then re-establishes right after a 'Received SA_DELETE' log message, your on-premises gateway didn't rekey.

[1] : https://cloud.google.com/network-connectivity/docs/vpn/concepts/supported-ike-ciphers

[2] : https://cloud.google.com/network-connectivity/docs/vpn/support/troubleshooting#tunnel_regularly_goes_down_for_a_few_seconds
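The two checks in the answer above (the phase 2 proposal-mismatch warning paired with NO_PROPOSAL_CHOSEN on the peer, and a tunnel that comes back up right after 'Received SA_DELETE') can be scripted so they run over exported logs instead of being eyeballed. The following is an added example, not code from the original post or from Google. The log lines, the '<timestamp> <source> <message>' layout, the 30-second window and the 'Tunnel is up' re-establish marker are all constructed for illustration; only the quoted message fragments come from the answer. Real Cloud Logging exports and peer gateway logs are laid out differently, so parse_line() is the part to adapt.

```python
"""Triage helper for the two Cloud VPN symptoms described in the answer.

Added example, not from the original post. Log layout and sample lines are
constructed; only the message fragments 'Proposal mismatch in CHILD SA
(phase 2)', 'NO_PROPOSAL_CHOSEN' and 'Received SA_DELETE' are taken from
the answer. Adapt parse_line() to the real log format before using it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    source: str  # "cloudvpn" or "peer" in the constructed sample
    msg: str


# Constructed sample logs: one Cloud VPN tunnel log and the matching peer log.
CLOUD_VPN_LOG = """\
2024-05-01T10:00:00Z cloudvpn IKE_SA established with peer 203.0.113.10
2024-05-01T10:00:01Z cloudvpn The peer gateway notifies: Proposal mismatch in CHILD SA (phase 2)
2024-05-01T10:05:00Z cloudvpn Received SA_DELETE
2024-05-01T10:05:03Z cloudvpn Tunnel is up
"""

PEER_LOG = """\
2024-05-01T10:00:01Z peer received NO_PROPOSAL_CHOSEN notify error
"""


def parse_line(line: str) -> Optional[Event]:
    """Parse '<ISO timestamp> <source> <message>'; None for blank or malformed lines."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3:
        return None
    ts_raw, source, msg = parts
    try:
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
    except ValueError:
        return None
    return Event(ts, source, msg)


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def find_proposal_mismatch(cloud: List[Event], peer: List[Event]) -> Dict[str, bool]:
    """Steps 1 and 2 of the answer: the phase 2 warning on the Cloud VPN side
    and NO_PROPOSAL_CHOSEN on the peer side. Both together indicate that the
    two gateways cannot agree on a cipher set for the CHILD SA."""
    cloud_hit = any("Proposal mismatch in CHILD SA (phase 2)" in e.msg for e in cloud)
    peer_hit = any("NO_PROPOSAL_CHOSEN" in e.msg for e in peer)
    return {
        "cloud_warning": cloud_hit,
        "peer_no_proposal_chosen": peer_hit,
        "cipher_mismatch_likely": cloud_hit and peer_hit,
    }


def find_delete_then_reestablish(
    cloud: List[Event], window: timedelta = timedelta(seconds=30)
) -> List[datetime]:
    """The rekey symptom from the answer: the tunnel comes back up shortly after
    'Received SA_DELETE', which means the peer deleted the SA and negotiated a
    fresh one instead of rekeying before expiry. Returns the timestamp of each
    SA_DELETE that is followed, within the window, by a re-establish message.
    The 'Tunnel is up' marker and the window length are constructed assumptions."""
    hits: List[datetime] = []
    for i, e in enumerate(cloud):
        if "Received SA_DELETE" not in e.msg:
            continue
        for later in cloud[i + 1:]:
            if later.ts - e.ts > window:
                break
            if "Tunnel is up" in later.msg:
                hits.append(e.ts)
                break
    return hits


def triage(cloud_text: str, peer_text: str) -> dict:
    cloud, peer = parse_log(cloud_text), parse_log(peer_text)
    report: dict = find_proposal_mismatch(cloud, peer)
    report["delete_then_up"] = find_delete_then_reestablish(cloud)
    return report


if __name__ == "__main__":
    for key, value in triage(CLOUD_VPN_LOG, PEER_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, triage() reports a likely cipher mismatch (both sides' messages present) and one SA_DELETE followed by a re-establish three seconds later. When run against real exports, a cipher_mismatch_likely result points you at the supported IKE ciphers document [1] (for IKEv1 the cipher set must match exactly), while entries in delete_then_up point at the peer's rekey behaviour described in [2].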