Google Cloud VPN connection degradation

google-cloud-vpn

Solution 1:

As per the logs you shared, It looks like Cloud VPN has accepted 1 proposal.

To locate the issue, you can follow the below steps:

  1. Check for logs if the VPN has the warning 'The peer gateway notifies: Proposal mismatch in CHILD SA (phase 2)’.

  2. If you are getting this warning,then the next step would be to check the peer logs with keywords 'NO_PROPOSAL_CHOSEN'.

If you are getting 'NO_PROPOSAL_CHOSEN' in the logs, it means Cloud VPN and your peer VPN gateway are unable to agree on a set of ciphers. For IKEv1, the set of ciphers must match exactly. Make sure that you use supported ciphers to configure your peer VPN gateway. Refer to the supported IKE ciphers document [1] to know more about it.

Also note that, by default, Cloud VPN negotiates a replacement security association (SA) before the existing one expires (also known as rekeying). Your peer VPN gateway might not be rekeying. Instead, it might negotiate a new SA only after deleting the existing SA, causing interruptions [2]. If the connection drops and then re-establishes right after a ‘Received SA_DELETE’ log message, your on-premises gateway didn't rekey.

[1] : https://cloud.google.com/network-connectivity/docs/vpn/concepts/supported-ike-ciphers

[2] : https://cloud.google.com/network-connectivity/docs/vpn/support/troubleshooting#tunnel_regularly_goes_down_for_a_few_seconds

Related

Access SMB over a custom port
Can I short circuit DNS round robin in a browser?
Error while waiting for device: Time out after 300seconds waiting for emulator to come online
No handlers could be found for logger
How to null check c# 7 tuple in LINQ query?
Resolving a relative url path to its absolute path
An inverse Fibonacci algorithm?
Payloads of HTTP Request Methods
How to strip a specific word from a string?
How to save an image in Android Q using MediaStore?
Thread safe collections in .NET
Is there any way to make Visual Studio stop indenting namespaces?