Check VPN status

After you configure your peer VPN gateways, check the following components toensure that they are communicating correctly with Cloud VPN:

  • Check the status of the HA VPN or Classic VPNtunnels that you configured, including the operational state.
  • Check the high availability status of tunnels on anHA VPN gateway.
  • View the status of Cloud Router Border Gateway Protocol (BGP) sessions orthe routes that Cloud Router is advertising.

For more information about Cloud VPN, see the following resources:

Check HA VPN tunnels

Use this procedure to check the status of tunnels on both interfaces ofan HA VPN gateway.

Caution: When using HA VPN, you should alsocheck thehigh-availability status of tunnels on your VPN gateway toensure that you are receiving the 99.99% availability SLA.

Console

  1. In the Google Cloud console, go to theVPN page.

    Go to VPN

  2. View theVPN tunnel status and theBGPsession status.

  3. To view tunnel details, click theName of a tunnel.

  4. UnderLogs, clickView for Cloud Logging logs.

  5. You can also modify the BGP session associated with this tunnel.

gcloud

There are two steps to viewing tunnel status. First, identify the tunnelname and region, and then use thedescribe command option to view tunneldetails.

In the following commands, replace the following:

  • PROJECT_ID: the ID of your project
  • GW_NAME: the name of the gateway
  • REGION: the region where the gateway or tunnel resides
  • NAME: the name of the tunnel

To view tunnel status, complete the following steps:

  1. Identify the name and region of the VPN tunnel whose status youneed to check. You can identify the tunnel by using either of thefollowing methods:

    1. Option 1: To listall VPN tunnels in your project, run thefollowing command:

      gcloud compute vpn-tunnels list  --project=PROJECT_ID

      The command output should look similar to the following example:

      NAME                REGION       GATEWAY      VPN_INTERFACE  PEER_ADDRESStunnel-a-to-b-if-0  us-central1  ha-vpn-gw-a  0              10.242.123.165tunnel-a-to-b-if-1  us-central1  ha-vpn-gw-a  1              10.220.75.213tunnel-b-to-a-if-0  us-central1  ha-vpn-gw-b  0              10.242.127.148tunnel-b-to-a-if-1  us-central1  ha-vpn-gw-b  1              10.220.66.156

    2. Option 2: If you know the name of the VPN gateway that containsthe tunnel, to retrieve the list of the gateway's associatedtunnels, run the following command:

      gcloud compute vpn-gateways describeGW_NAME \  --region=REGION \  --project=PROJECT_ID \  --format='flattened(tunnels)'

  2. After you know the name and region of the tunnel, use thedescribeoption of thevpn-tunnels command to determine the tunnel's status:

    gcloud compute vpn-tunnels describeNAME \   --region=REGION \   --project=PROJECT_ID \   --format='flattened(status,detailedStatus)'

    The basic status message and a more detailed message are returned.The command output should look similar to the following example.For a full listing, omit the--format option.

    detailedStatus: Tunnel is up and running.

    The following four command output examples show a full listing for a pairof tunnels on each of two HA VPN gateways that areconnected to each other. That is, onha-vpn-gw-a, the tunnels oninterface 0 andinterface 1 are connected to tunnels on thecorresponding interfaces ofha-vpn-gw-b.

    Example 1:tunnel-a-to-b-if-0

     creationTimestamp: '2018-10-11T13:12:33.851-07:00' description: '' detailedStatus: Tunnel is up and running. id: '2919847494518181982' ikeVersion: 2 kind: compute#vpnTunnel labelFingerprint:LABEL_FINGERPRINT localTrafficSelector: — 0.0.0.0/0 name: tunnel-a-to-b-if-0 peerIp: GW_A_IF_0_IP region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1 remoteTrafficSelector: — 0.0.0.0/0 router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0 sharedSecret: '*************' sharedSecretHash:SECRET_HASH vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a vpnGatewayInterface: 0

    Example 2:tunnel-a-to-b-if-1

     creationTimestamp: '2018-10-11T13:14:21.630-07:00' description: '' detailedStatus: Tunnel is up and running. id: '178016642781024754' ikeVersion: 2 kind: compute#vpnTunnel labelFingerprint:LABEL_FINGERPRINT localTrafficSelector: —0.0.0.0/0 name: tunnel-a-to-b-if-1 peerIp: GW_B_IF_1_IP region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1 remoteTrafficSelector: — 0.0.0.0/0 router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1 sharedSecret: '*************' sharedSecretHash:SECRET_HASH vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a vpnGatewayInterface: 1

    Example 3:tunnel-b-to-a-if-0

     creationTimestamp: '2018-10-11T13:16:19.345-07:00' description: '' detailedStatus: Tunnel is up and running. id: '1183416925692236156' ikeVersion: 2 kind: compute#vpnTunnel labelFingerprint:LABEL_FINGERPRINT localTrafficSelector: — 0.0.0.0/0 name: tunnel-b-to-a-if-0 peerIp: GW_A_IF_0_IP region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1 remoteTrafficSelector: — 0.0.0.0/0 router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0 sharedSecret: '*************' sharedSecretHash:SECRET_HASH vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-b vpnGatewayInterface: 0

    Example 4:tunnel-b-to-a-if-1

     creationTimestamp: '2018-10-11T13:19:01.562-07:00' description: '' detailedStatus: Tunnel is up and running. id: '8199247227773914842' ikeVersion: 2 kind: compute#vpnTunnel labelFingerprint:LABEL_FINGERPRINT localTrafficSelector: — 0.0.0.0/0 name: tunnel-b-to-a-if-1 peerIp: GW_A_IF_1_IP region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1 remoteTrafficSelector: — 0.0.0.0/0 router: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1 sharedSecret: '*************' sharedSecretHash:SECRET_HASH vpnGateway: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-b vpnGatewayInterface: 1

API

To view tunnel details, you can use either of the following API calls:

  • To list the attributes and status of all VPN tunnels in a specificproject and region, make a GET request by using thevpnTunnels.listmethod:

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels

  • To list the attributes and status of a specific tunnel in a specificproject and region, make a GET request by using thevpnTunnels.get method:

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels/TUNNEL_NAME

Check Classic VPN tunnels

Use this procedure to check the status of tunnels on aClassic VPN gateway.

Console

  1. In the Google Cloud console, go to theVPN page.

    Go to VPN

  2. View theVPN tunnel statusand theBGP sessionstatus.

  3. To view tunnel details, click theName of a tunnel.

  4. UnderLogs, clickView for Logging logs.

  5. You can also modify the BGP session associated with this tunnel.

gcloud

The procedure for checking Classic VPN tunnel status issimilar to the one for HA VPN.

In the following commands, replace the following:

  • PROJECT_ID: the ID of your project
  • GW_NAME: the name of the gateway
  • REGION: the region where the gateway or tunnel resides
  • NAME: the name of the tunnel

To view tunnel status, complete the following steps:

  1. Identify the name and region of the VPN tunnel whose status youneed to check. You can identify the tunnel by using either of thefollowing methods:

    1. Option 1: To listall VPN tunnels in your project, run thefollowing command:

      gcloud compute vpn-tunnels list  --project=PROJECT_ID

    2. Option 2: If you know the name of the VPN gateway that containsthe tunnel, to retrieve the list of the gateway's associated tunnels,run the following command:

      gcloud compute target-vpn-gateways describeGW_NAME \  --region=REGION \  --project=PROJECT_ID \  --format='flattened(tunnels)'

  2. Describe the tunnel to determine its status by running the followingcommand. The basic status message and a more detailed message are returned.For a full listing, omit the--format option.

    gcloud compute vpn-tunnels describeNAME \    --region=REGION \    --project=PROJECT_ID \    --format='flattened(status,detailedStatus)'

API

To view tunnel details, you can use either of the following API calls:

  • To list the attributes and status of all VPN tunnels in a specificproject and region, make a GET request by using thevpnTunnels.listmethod:

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels

  • To list the attributes and status of a specific tunnel in a specificproject and region, make a GET request by using thevpnTunnels.get method:

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels/TUNNEL_NAME

Check Classic VPN forwarding rules

Use this procedure to check the forwarding rules that you created for yourClassic VPN gateway.

Console

  1. In the Google Cloud console, go to theVPN page.

    Go to VPN

  2. Click aGateway name.

  3. On theVPN details page, view the forwarding rules that you created.

gcloud

To view the forwarding rules for a Classic VPN gatewayin a specific region, run the following command:

gcloud compute target-vpn-gateways describeGW_NAME    --region=REGION \    --project=PROJECT_ID

API

To view the forwarding rules for a Classic VPN gateway in aspecific region, use thetargetVpnGateways.getmethod. ReplaceRESOURCE_ID with the name of the gateway.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetVpnGateways/RESOURCE_ID

Interpret tunnel status messages

To interpret tunnel status messages from the Google Cloud console or theGoogle Cloud CLI, use the following table.

StatusDetailed status messageNotes
Allocating resourcesAllocating resources. VPN tunnel will start soon.The initial state for a newly created Cloud VPN tunnel.
Waiting for full configWaiting for route configuration.Routes or routing configuration is being prepared.
First HandshakeHandshake with peer broken for unknown reason. Trying again soon.Phase 1 (IKE SA) negotiation with the peer VPN is in progress. It might have failed at least once.
EstablishedTunnel is up and running.The tunnel is up, and routes have been configured.
No Incoming PacketsNo incoming packets from peer.No traffic is being received from the peer VPN gateway.

Check high availability status for HA VPN gateways

Note: For configurations that do or don't guarantee 99.99% availability, seeCloud VPN topologies.

To check the high-availability configuration status for tunnels on anHA VPN gateway, use the Google Cloud console, thecompute vpn-gateways get-status command, or thevpnGateways.getStatus method.

The output displays the high-availability redundancyrequirement state for VPN tunnels associated with each peer gateway to which theHA VPN gateway is connected.

The peer gateway can be another HA VPN gateway or anexternal VPN gateway. If there are multiple peer gateways connected to theHA VPN gateway, multiple high-availability configurationstatuses are displayed, one status per each peer gateway.

The command output indicates the correct tunnel amount and coverage in thefollowing ways:

  • VPN gateways configured with adequate redundancy (coverage) show thefollowing status:
    HighAvailabilityRedundancyRequirementState: CONNECTION_REDUNDANCY_MET.
  • VPN gateways that are not configured with adequate redundancy show thefollowing status:
    HighAvailabilityRedundancyRequirementState: CONNECTION_REDUNDANCY_NOT_MET.
  • If there are not enough tunnels configured between yourHA VPN gateway and another HA VPNgateway or a peer gateway, the command output shows the following status:
    redundancyUnsatisfiedReason: INCOMPLETE_TUNNELS_COVERAGE.

For additional information, seeView logs and metrics.

Console

  1. In the Google Cloud console, go to theVPN page.

    Go to VPN

  2. To view gateway details for the gateway and its tunnels, clickGateway name. For HA VPN gateways, you can alsoview high-availability status for the gateway.

gcloud

To display tunnel status for the HA VPN gateway,run the following command. Replace the following:

  • GW_NAME: the name of the HA VPNgateway
  • REGION: the region where the gateway resides
gcloud compute vpn-gateways get-statusGW_NAME \    --region=REGION

The following command output example shows information for anHA VPN gateway connected to a peer gateway with twointerfaces:

  peerGateways:  — peerExternalGateway: peer-gw  tunnels:  — localGatewayInterface: 0    peerGatewayInterface: 0    tunnelUrl:    https://www.googleapis.com/compute/v1/projects/PROJECT_ID/    regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0  — localGatewayInterface: 1    peerGatewayInterface:1    tunnelUrl:    https://www.googleapis.com/compute/v1/projects/PROJECT_ID/    regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1HighAvailabilityRedundancyRequirementState:      state: CONNECTION_REDUNDANCY_MET

The following command output example is for two HA VPNgateways connected to each other. For this type of configuration, run thecommand for each HA VPN gateway name:

  • Getting status forha-vpn-gw-a shows its connection toha-vpn-gw-b:

    peerGateways:— peerGcpGateway: ha-vpn-gw-btunnels:— localGatewayInterface: 0  peerGatewayInterface: 0  tunnelUrl:  https://www.googleapis.com/compute/v1/projects/PROJECT_ID/  regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0— localGatewayInterface: 1  peerGatewayInterface: 1  tunnelUrl:  https://www.googleapis.com/compute/v1/projects/PROJECT_ID/  regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1HighAvailabilityRedundancyRequirementState:    state: CONNECTION_REDUNDANCY_MET

  • Getting status forha-vpn-gw-b shows its connection toha-vpn-gw-a:

    peerGateways:— peerGcpGateway: ha-vpn-gw-atunnels:— localGatewayInterface: 0  peerGatewayInterface: 0  tunnelUrl:  https://www.googleapis.com/compute/v1/projects/PROJECT_ID/  regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0— localGatewayInterface: 1  peerGatewayInterface: 1  tunnelUrl:  https://www.googleapis.com/compute/v1/projects/PROJECT_ID/  regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1HighAvailabilityRedundancyRequirementState:    state: CONNECTION_REDUNDANCY_MET

The following command output example is for one HA VPNgateway connected to an AWS virtual gateway with two connections andfour IP addresses:

  peerGateways:  - peerExternalGateway: peer-gw  tunnels:   - localGatewayInterface: 0     peerGatewayInterface: 0     tunnelUrl:     https://www.googleapis.com/compute/v1/projects/PROJECT_ID/     regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-0-ip0   - localGatewayInterface: 0     peerGatewayInterface: 1     tunnelUrl:     https://www.googleapis.com/compute/v1/projects/PROJECT_ID/     regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-0-ip1   - localGatewayInterface: 1     peerGatewayInterface: 2     tunnelUrl:     https://www.googleapis.com/compute/v1/projects/PROJECT_ID/     regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-1-ip0   - localGatewayInterface: 1     peerGatewayInterface: 3     tunnelUrl:     https://www.googleapis.com/compute/v1/projects/PROJECT_ID/     regions/us-central1/vpnTunnels/tunnel-a-to-aws-connection-1-ip1HighAvailabilityRedundancyRequirementState:       state: CONNECTION_REDUNDANCY_MET

The following command output example is for two HA VPNgateways connected to each other with a single tunnel. This configurationdoes not meet the 99.99% availability SLA:

  peerGateways:    - peerGcpGateway: ha-vpn-gw-a    tunnels:    - localGatewayInterface: 0      peerGatewayInterface: 0      tunnelUrl:      https://www.googleapis.com/compute/v1/projects/PROJECT_ID/      regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0HighAvailabilityRedundancyRequirementState:        state: CONNECTION_REDUNDANCY_NOT_MET      detailedStatus:        redundancyUnsatisfiedReason: INCOMPLETE_TUNNELS_COVERAGE

API

To get the status of a specific HA VPN gateway in aspecific project and region, make a GET request by using thevpnGateways.getStatusmethod:

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/GATEWAY_NAME/getStatus

Check BGP status

For tunnels that use dynamic routing with BGP, you cancheck Cloud Router statusto view details such as the status of a router's BGP sessions or the routes thatthe Cloud Router is advertising.

What's next

  • To use high-availability and high-throughput scenarios or multiplesubnet scenarios, seeAdvanced configurations.
  • To help you solve common issues that you might encounter when usingCloud VPN, seeTroubleshooting.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.