Hub & Spoke Troubleshooting
This document provides steps for troubleshooting connection problems in a hub-and-spoke VPN topology. When something is misconfigured, you may have trouble connecting or the VPN may not work at all. The steps below help you check the settings and confirm that the components of the VPN, such as OpenVPN and IPsec, are working properly.
Issue: Configuration Mismatch
Symptom
- The spoke LAN is unable to communicate with the hub.
- Latency issues or intermittent connectivity between hub and spoke.
- Hub and spoke sites cannot communicate properly.
Troubleshooting Steps
1. Access the CE Terminal
- Log in to the CE terminal with superuser privileges to perform diagnostic checks.
sudo su -
2. Checking OpenVPN Configuration
- Run the following command to check the OpenVPN configuration in the last applied settings:
cat /tmp/last_config_response.json | jq .interfacesConfig.openVpn
3. Checking Network Configuration
- Verify the network configuration file to ensure proper interface settings:
sudo cat /etc/config/network
4. Checking Apinger (Network Monitoring)
- Apinger monitors network status and latency. Check its configuration:
cat /etc/config/apinger
- Check the current Apinger status:
cat /tmp/apinger.status
5. Checking IPsec Configuration
- Verify the IPsec configuration in the last applied settings:
cat /tmp/last_config_response.json | jq .ipsecConfig
6. Checking Libreswan (IPsec Service)
- Validate the Libreswan configuration file:
cat /etc/config/libreswan
7. Checking OpenVPN Logs
- Review OpenVPN logs for errors:
logread -e openvpn
8. Checking IPsec Status
- To check if the IPsec service is running, execute:
/etc/init.d/ipsec status
- If the IPsec service is not running, start it by executing:
/etc/init.d/ipsec start
- If you need to stop the IPsec service, use the following command:
/etc/init.d/ipsec stop
Verify Network Connectivity:
Make sure the CE device has a valid IP address, subnet mask, and gateway. Use the following command to check network configuration:
uci show network
(Example Response):
root@Backup_node:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.@globals[0]=globals
network.@globals[0].packet_steering='1'
network.eth0=interface
network.eth0.device='eth0'
network.eth0.default_wan='1'
network.eth0.disabled='0'
network.eth0.proto='static'
network.eth0.ipaddr='172.20.10.8'
network.eth0.netmask='255.255.255.0'
network.eth0.dns='172.20.10.1'
network.eth3=interface
network.eth3.device='eth3'
network.eth3.proto='static'
network.eth3.netmask='255.255.255.0'
network.eth3.disabled='0'
network.eth3.ipaddr='172.30.1.1'
network.@rule[0]=rule
network.@rule[0].priority='901'
network.@rule[0].lookup='main'
network.wlm0=interface
network.wlm0.disabled='1'
network.wlm0.proto='3g'
network.wlm0.pppname='wlm0'
network.wlm0.device='ttyUSB0'
network.wlm0.apn='comgt'
network.wlm0.ipv6='0'
network.wlm0.delegate='0'
network.wlm0.metric='2'
network.wlm0.ip4table='2'
network.f85c71f21c3040bdb4abcd168fa8e900=route
network.f85c71f21c3040bdb4abcd168fa8e900.target='172.30.2.0'
network.f85c71f21c3040bdb4abcd168fa8e900.netmask='255.255.255.0'
network.f85c71f21c3040bdb4abcd168fa8e900.gateway='172.31.0.2'
network.f85c71f21c3040bdb4abcd168fa8e900.table='main'
network.f85c71f21c3040bdb4abcd168fa8e900.proto='static'
network.f85c71f21c3040bdb4abcd168fa8e900.metric='1'
network.f85c71f21c3040bdb4abcd168fa8e900.interface='br25'
network.1777530465de4eafada07376f1239abf=route
network.1777530465de4eafada07376f1239abf.target='172.30.1.0'
network.1777530465de4eafada07376f1239abf.netmask='255.255.255.0'
network.1777530465de4eafada07376f1239abf.gateway='172.31.0.1'
network.1777530465de4eafada07376f1239abf.table='main'
network.1777530465de4eafada07376f1239abf.proto='static'
network.1777530465de4eafada07376f1239abf.metric='1'
network.eth1=interface
network.eth1.proto='static'
network.eth1.device='eth1'
network.eth1.ipaddr='100.100.100.2'
network.eth1.netmask='255.255.255.0'
network.eth1.dns='172.20.10.1'
This output shows the network settings, such as IP address, netmask and DNS server, for each interface. Pay particular attention to the interface used for WAN connectivity (in this example, probably eth0): it must have a valid IP address and a configured DNS server. Incorrect network settings can block access to the networks the device needs to reach. Ensure that the routes required to access the hiCLOUDS server are properly configured.
Check hiCLOUDS Configuration:
The configuration on the CE device can be verified using the following command.
uci show hiclouds
(Example Response):
root@Backup_node:~# uci show hiclouds
hiclouds.globals=hiclouds
hiclouds.globals.hub='hub.hi-clouds.com'
hiclouds.globals.uri='deviceApi/getEndpointUrl'
hiclouds.globals.request_timeout='30'
hiclouds.globals.machine_id='33b01673-94a7-343e-b403-8c47cabac692'
hiclouds.globals.router_id='08:00:27:82:fc:73'
hiclouds.globals.endpoint='dev.hi-clouds.com'
hiclouds.globals.device_id='677e6da4ab30043a8492148a'
hiclouds.globals.auth_token='eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2NzdlNmRhNGFiMzAwNDNhODQ5MjE0OGE6OmNlOjozM2IwMTY3My05NGE3LTM0M2UtYjQwMy04YzQ3Y2FiYWM2OTI6OjA4OjAwOjI3OjgyOmZjOjczIiwiaWF0IjoxNzM4NjcxOTg5LCJleHAiOjE3Mzg2NzU1ODl9.JU0WBSCzpCbS8PTPypXoCvjka01IKcuKVm54YJnPjtt9jUZdF_5fTyraDc3oirSh67ZzKU7MbYo7Osy84AmoeA'
hiclouds.register=hiclouds
hiclouds.register.interval='30'
hiclouds.register.uri='api/deviceApi/v1/devices/register'
hiclouds.status=hiclouds
hiclouds.status.keepalive_interval='10'
hiclouds.status.status_interval='30'
hiclouds.status.uri='api/deviceApi/v1/devices'
hiclouds.config=hiclouds
hiclouds.config.uri='api/deviceApi/v1/devices'
hiclouds.config.revision='64bd463d-f6ae-4cfc-b89d-c4d74b63a382'
hiclouds.edge=hiclouds_edge
hiclouds.edge.type='CE'
hiclouds.hiclouds=hiclouds
hiclouds.hiclouds.version='22.03.5'
hiclouds.hiclouds.build='b75'
This output displays the hiCLOUDS-related configuration, such as the hub address, endpoint, device_id, auth_token, and keepalive_interval. Check that the hub and endpoint are correct and that the auth_token is valid and has not expired. The keepalive_interval specifies how often the device sends keepalive requests. A very short interval may load the network unnecessarily, while too long an interval may cause the device to be marked as offline if connectivity is temporarily lost.
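One way to check whether the auth_token has expired, as an added example that is not part of the original document or the vendor's tooling. It assumes the token is a JWT carrying a numeric exp claim and that base64, cut, tr and sed are available on the device; the function names and the sample token are hypothetical.

```sh
#!/bin/sh
# Added example, not vendor code: report whether a JWT-style auth_token has expired.
# On the CE device the token would come from: uci get hiclouds.globals.auth_token
# (the token is a credential; keep it out of tickets and shared logs).

# Encode a string as unpadded base64url; used only to build the sample token.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Constructed sample token with a one-hour lifetime (not a real credential).
SAMPLE_TOKEN="$(b64url '{"alg":"HS512"}').$(b64url '{"sub":"sample-device","iat":1700000000,"exp":1700003600}').sig"

# jwt_payload TOKEN: print the decoded JSON payload (second dot-separated part).
jwt_payload() {
    p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url omits '=' padding; restore it so base64 -d accepts the input.
    case $(( ${#p} % 4 )) in
        2) p="$p==" ;;
        3) p="$p=" ;;
        1) return 1 ;;   # impossible length for base64
    esac
    printf '%s' "$p" | base64 -d 2>/dev/null
}

# jwt_claim TOKEN NAME: print a numeric claim such as iat or exp.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\" *: *\([0-9][0-9]*\).*/\1/p"
}

# token_seconds_left TOKEN [NOW]: seconds until exp; zero or negative means expired.
token_seconds_left() {
    exp=$(jwt_claim "$1" exp)
    [ -n "$exp" ] || return 2
    now=${2:-$(date +%s)}
    echo $(( exp - now ))
}

# token_status TOKEN [NOW]: print valid, expired or unreadable.
token_status() {
    left=$(token_seconds_left "$1" "$2") || { echo "unreadable"; return 2; }
    if [ "$left" -gt 0 ]; then echo "valid"; else echo "expired"; fi
}

token_status "$SAMPLE_TOKEN"
```

This only reads the expiry claim; it does not verify the token's signature, which only the issuing server can do.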