
Two-Spoke Setup (Hub, Hub Link, PE, CE Link PE) Troubleshooting

This page provides troubleshooting steps for connectivity and configuration issues in a two-spoke network setup. The steps start from the CE terminal and cover configuration checks, network connectivity tests, interface status checks, route inspection, firewall rule analysis, and log file examination. By following them, you can identify and resolve network communication issues.

Access the CE Terminal

Before you start troubleshooting, you must have the necessary permissions to run the commands. To get them, switch to a root shell with the following command.

sudo su -

Checking OpenVPN Configuration

Run this command to view the OpenVPN configuration in the last applied settings:

cat /tmp/last_config_response.json | jq .interfacesConfig.openVpn

Verify VPN Tunnel Status (PE Connectivity)

The PE device should be successfully connected via the CE. There should be three tunnels visible: two for the hub and one for the PE. Both the hub and PE tunnels should be in the active state (usually shown in green).

  • What to look for:
    • A tunnel connected to the hub.
    • A tunnel connected to the PE.

Verify CE to PE Connectivity

Once the CE connection is established on the PE, check whether the CE device is communicating with the PE properly.

  • Refer to the documentation for the CE-to-PE connection. This check typically involves verifying the connections between the CE and PE.

  • After CEs are connected to PEs, they form "peers" that can connect and communicate with each other. The CEs must remain connected.

Verify Hub to CE Connectivity (Routing Check)

The CE-PE connectivity has been established. Proceed to verify end-to-end routing to ensure hub-to-CE communication is functional.

Ping the CE's LAN IP from the hub:

ping CE_LAN_IP

Replace CE_LAN_IP with the local area network (LAN) IP address of the Customer Edge (CE) device. If the ping fails, it indicates a routing issue.

Check the routing configuration on the hub and PE:

Refer to the routing troubleshooting documentation to ensure routing is correctly configured on both the hub and the PE. This enables data flow through the OpenVPN tunnel between the hub and the CE's network.

If the hub's LAN and the CE's LAN cannot communicate, a static route may need to be added on the hub for the CE's LAN, and similarly, a route may be required on the CE for the hub's LAN.

If routing is not working, check the routing table:

ip ro list

This command shows all the routes on the device. Among them, find the routes going from the VPN tunnel or PE network to the CE network.

Firewall and Log Checks

Finally, check the firewall rules and logs for any problems or errors.

Check Firewall Rules:

show firewall rules

Check the firewall rules on both the hub and PE devices. Make sure there are no rules blocking traffic between the hub and PE, especially on the VPN tunnel. Allow traffic on the VPN interface if necessary.

Check Routing Logs:

logread | grep route

This command searches the system log for information related to "routes". It checks for changes made to the routing table, new routes added or removed, and any errors or warnings.

Check OpenVPN Logs:

logread | grep openvpn

This command searches for OpenVPN-related information in the system logs. It reveals any errors related to tunnel creation, authentication, certificate validation, or connection failures. These logs are useful for identifying why OpenVPN tunnels are not starting or are frequently disconnecting.
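
The log check above can be turned into a quick triage. The following is an added example, not part of the original documentation: it sorts OpenVPN log lines into the failure types named above. It assumes standard OpenVPN 2.x message wording; the sample lines, log prefix and instance names (hub1, hub2, pe) are constructed.

```shell
#!/bin/sh
# Added example: triage OpenVPN lines from the system log by failure type.
# SAMPLE_LOG is constructed; its prefix format and instance names are assumptions.
SAMPLE_LOG='Mon Jan  6 10:00:01 2025 daemon.notice openvpn(hub1)[1201]: Initialization Sequence Completed
Mon Jan  6 10:00:02 2025 daemon.notice openvpn(hub2)[1202]: Initialization Sequence Completed
Mon Jan  6 10:00:05 2025 daemon.err openvpn(pe)[1203]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan  6 10:00:05 2025 daemon.err openvpn(pe)[1203]: TLS Error: TLS handshake failed
Mon Jan  6 10:01:10 2025 daemon.err openvpn(pe)[1203]: VERIFY ERROR: depth=0, error=certificate has expired: CN=pe.example
Mon Jan  6 10:05:00 2025 daemon.notice openvpn(hub1)[1201]: [hub] Inactivity timeout (--ping-restart), restarting
Mon Jan  6 10:05:03 2025 daemon.notice netifd: Network device eth0 link is up'

# Reads log text on stdin, prints one summary line, and returns non-zero
# when any failure category was seen. Each pattern matches one line per
# event, so the counts are events rather than raw error lines.
# "completed" counts finished tunnel start-ups over the whole log, not the
# number of tunnels that are active right now.
triage_openvpn() {
    awk '
        !/openvpn/                          { next }      # skip other daemons
        /Initialization Sequence Completed/ { ok++ }      # tunnel creation succeeded
        /AUTH_FAILED/                       { auth++ }    # authentication rejected
        /VERIFY ERROR/                      { cert++ }    # certificate validation failed
        /TLS key negotiation failed/        { unreach++ } # peer unreachable or blocked
        /Inactivity timeout/                { flap++ }    # tunnel dropped and restarted
        END {
            printf "completed=%d auth_failed=%d cert_error=%d unreachable=%d flaps=%d\n", ok, auth, cert, unreach, flap
            exit (auth + cert + unreach + flap > 0)
        }'
}

# Demo on the constructed sample. On the device: logread | triage_openvpn
printf '%s\n' "$SAMPLE_LOG" | triage_openvpn \
    || echo "failure lines present: review the matching log entries"
```

A non-zero `unreachable` count points back to the firewall and routing checks, while `cert_error` and `auth_failed` point to the credentials in the OpenVPN configuration.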