Troubleshoot your connection to Google

This document gives troubleshooting guidance for issues related to your connection to Google.

Network Connectivity Gateway

This section gives troubleshooting tips related to Network Connectivity Gateway.

If you need additional assistance, reach out to Cloud Customer Care. You can also see Getting support for more information about support resources, including the following:

• Requirements for opening a support case.
• Tools to help you troubleshoot, such as your environment configuration, logs, and metrics.
• Supported components.

Verify that the controller and gateway Pods are running

• List the Network Connectivity Gateway Pods:

  kubectl --kubeconfig CLUSTER_KUBECONFIG get pods \
      --namespace kube-system | grep ncg
  

  Replace CLUSTER_KUBECONFIG with the path of your cluster kubeconfig file.

  In the output, verify that you see a controller Pod and a gateway Pod. The name of the controller Pod begins with ncg-controller, and the name of the gateway Pod begins with ncgd. For example:

  ncg-controller-5f5d489b68-r87pp     1/1     Running
  ncgd-gvl76                          1/1     Running
  

  Make a note of the name of the gateway Pod. You will need it for various troubleshooting commands.

Check the gateway Pod logs

• Check to see if there are any errors in the logs from the gateway Pod:

  kubectl --kubeconfig CLUSTER_KUBECONFIG logs GATEWAY_POD \
      --namespace kube-system
  

  Replace GATEWAY_POD with the name of your gateway Pod.

Running ncgcli inside the gateway Pod

The gateway Pod has a command-line tool named ncgcli that you can use to get information about the gateway and traffic in the tunnels.

• Use the following command to run ncgcli inside the gateway Pod:

  kubectl --kubeconfig CLUSTER_KUBECONFIG exec -it GATEWAY_POD \
      --namespace kube-system -- ncgCLI_COMMAND
  

  Replace ncgCLI_COMMAND with a ncgcli command.

  For example:

  kubectl --kubeconfig my-kubeconfig exec ncgd-6hkk2 --namespace kube-system \
      -- ncgcli --help
  

The following sections give more examples of ncgcli commands.

IPsec tunnel failed to come up

• Check the status of the NetworkConnectivityGateway custom resource:

  kubectl --kubeconfig CLUSTER_KUBECONFIG get NetworkConnectivityGateway \
      --namespace kube-system --output yaml
  

  In the output, verify that you see Status: Healthy. For example:

  apiVersion: networking.gke.io/v1alpha1
  kind: NetworkConnectivityGateway
  metadata:
    namespace: kube-system
    name: default
  spec:
  status:
    CurrNode: worker1-node
    CreatedTime: 2021-09-07T03:18:15Z
    LastReportTime: 2021-09-21T23:57:54Z
    Status:  Healthy
  

• Check the status of your OverlayVPNTunnel custom resources:

  kubectl --kubeconfig CLUSTER_KUBECONFIG get OverlayVPNTunnel \
      --namespace kube-system --output yaml
  

• Check the status of your tunnels from inside the gateway Pod:

  ncgcli overlay peers show
  

For more information, see Cloud VPN troubleshooting.

Failed to establish BGP session

Verify that you have used link-local IP addresses, such as 169.254.1.2 and 169.254.2.2, for the BGP sessions between the Cloud Router and the gateway Pod in your cluster.

• Check the status of your BGP sessions:

  kubectl --kubeconfig CLUSTER_KUBECONFIG get OverlayBGPPeer \
      --namespace kube-system --output yaml
  

• Check the status of your BGP sessions from inside the gateway Pod:

  ncgcli overlay routes show
  

For more information about troubleshooting your BGP sessions, see the following:

• BGP session states
• Troubleshoot BGP peering
• Troubleshoot BGP routes and route selection

Traffic forwarding issues even if the tunnel is up

If the traffic forwarding fails, run ncgcli inside the gateway Pod to check the status of tunnels, routing, and data plane programming.

• Ensure that IPsec tunnel to the peer is established:

  ncgcli overlay peers show
  

• Confirm that the overlay routes have been exchanged over BGP and resolved to the appropriate IPsec tunnel:

  ncgcli overlay routes show
  

• Display routes programmed in the data plane and the output should include overlay routes:

  ncgcli fast-path routes show
  

Adjust maximum transmission unit

The maximum transmission unit (MTU) is the size, in bytes, of the largest packet supported by a network layer protocol, including both headers and data. If there are traffic issues caused by underlay network MTU limitations, you can configure the MTU on the OverlayVPNTunnel custom resource. The default MTU for the tunnels is 1380 bytes.

To adjust MTU for your tunnels:

1. Check the status of the tunnels:

   kubectl --kubeconfig CLUSTER_KUBECONFIG get OverlayVPNTunnel \
       --namespace kube-system --output yaml
   

   The status section should look like the following example:

   status:
     IfName: ipsec2
     LastTransition: "2022-06-16T07:13:28Z"
     SLA:
       DiscoveredMTU: 1300
       Jitter(ms): 1
       Latency(ms): 26
       Loss(%): "0.00"
   

   If the status.SLA.DiscoveredMTU value is less than the default of 1380, use the following steps to change the Spec.mtu value in your OverlayVPNTunel custom resources to match.

2. Open your OverlayVPNTunnel custom resources for editing with the kubectl edit command:

   kubectl --kubeconfig CLUSTER_KUBECONFIG edit OVERLAY_VPN_TUNNEL_NAME
       --namespace kube-system --output yaml
   

   To avoid packet loss, configure the same MTU for the two OverlayVPNTunnel custom resources used by Network Connectivity Gateway.

3. Set the mtu value to match the DiscoveredMTU value from the first step:

   apiVersion: networking.gke.io/v1alpha1
     kind: OverlayVPNTunnel
     metadata:
       name: vpc2
       namespace: kube-system
     Spec:
       mtu: 1300
       ikeKey:
         name: ike-key
         namespace: kube-system
       localTunnelIP: 169.254.0.2
       peer:
         publicIP: 34.100.10.10
       self:
         publicIP: 70.32.151.5
   

4. To apply your changes, save and close your editor.

For more information about MTU and how it affects traffic performance, see MTU considerations.

See traffic flow and application-level statistics

To see traffic flow and statistics, run ncgcli inside the gateway Pod.

• For an instantaneous view of the flows and traffic applications:

  ncgcli forwarding flows top
  

• For aggregate statistics at the flow level:

  ncgcli forwarding flows aggregates show
  

• For aggregate statistics at the interface level:

  ncgcli interfaces statistics show
  

What's next

If you need additional assistance, reach out to Cloud Customer Care. You can also see Getting support for more information about support resources, including the following:

• Requirements for opening a support case.
• Tools to help you troubleshoot, such as your environment configuration, logs, and metrics.
• Supported components.