Hosted Core VPN Trouble-shooting

From YateBTS
Jump to: navigation, search

This page describes how to diagnose and correct problems related to the VPN connection between YateBTS products (LabKit, SatSite) and the Hosted Core.

The VPN

YateBTS products connect to the Hosted Core through a VPN, using OpenVPN.

In the VPN:

  • The Hosted Core YateUCN server has IP addresses 100.127.0.1 and 100.127.128.1.
  • The product IP address is in the range 100.127.0.x or 100.127.128.x.

The two parts of the product IP address range use different MTU sizes.

Signs of VPN Problems

A bad VPN connection will produce these symptoms:

  • phones see the network in and shows it in the network list, but cannot connect to it
  • log shows messages at the WARN level about lost S1 connections
    • "S1-MME SCTP link DOWN"
  • Zabbix monitoring for the product shows the trigger "S1AP Link Down"
  • In some cases, older or cheaper handsets work, but newer, more complex handsets cannot connect to the network.

If you can ping 8.8.8.8 but cannot ping 100.127.0.1 or 100.127.128.1, you definitely have a VPN problem.

If you cannot ping 8.8.8.8, you have a more general problem with your IP connection that must be resolved first.

If can can ping 8.8.8.8 and also 100.127.0.1 (or 100.1270.128.1), but still have the symptoms described above, you might have a more complex VPN problem that requires additional diagnosis.

Causes of VPN Problems

These are the common causes of VPN problems:

  • Slow DHCP service. The VPN tries to start before the network interface has been configured by the local DHCP server.
  • Failed DNS. Some older products may require DNS to access the VPN.
  • Firewalls. An IP firewall between the product and the HC is breaking your VPN.
    • This may be a local corporate firewall, or a government firewall (China, India, for example).
    • Some firewall problems are intermittent, where the VPN is allowed to start, but
      • gets terminated after a certain time , or
      • gets terminated if bandwidth exceeds a certain limit.
  • Poor IP connectivity. If the underlying IP connection is poor or intermitent, the VPN connection will be even worse.
  • MTU problems. Somewhere between the product and the HC, the network has an smaller-than-expected MTU size and some network segment is failing to return the ICMP packets required for path MTU discovery.