2 Answers
There are a few things you can check here:
- You can leverage Reachability Analyzer to identify configuration issues in a security group, network ACL, route table, or load balancer. https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html
- Validate VPC flow logs in each VPC and transit gateway flow logs to identify whether traffic reaches the TGW and the Legacy-Account VPC. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html
- I would check the route tables for traffic in both directions to validate the routing path in both directions.
answered 16 days ago
My guess is that somewhere in the path there is no route back to 10.56.0.0/16. That could be at the remote end; it could be on the VPN endpoints; it could be in the 10.5.0.0/16 VPC or it could be in the Transit Gateway route table associated with the 10.5.0.0/16 VPC.
You should also check the encryption domain on the two VPN endpoints to ensure that traffic to/from 10.56.0.0/16 is allowed.
When you have packets to/from 10.56.0.0/16 I'd check the debug output on the VPN endpoints to make sure that they are encrypting and decrypting packets (even just seeing counters go up is good); and on 10.200.0.5 I'd do a packet capture to see if you're receiving traffic at all.
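Both answers come down to checking every hop's route table in both directions, so here is an added example (not from either answerer) that does that longest-prefix lookup offline over constructed route tables shaped like the AWS route-table output; the hop names, attachment IDs and the blackhole entry are assumptions made for the sample.

```python
"""Added helper (not from the answers): longest-prefix-match route lookups over
route tables, used to find the hop that lacks a return route."""
import ipaddress


def lookup(routes, destination):
    """Return the most specific route whose CIDR covers `destination`, or None.
    `routes` is a list of {"cidr": str, "target": str} dicts. A 'blackhole'
    target counts as no route, which is how a TGW route table drops traffic."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["cidr"])
        if dst in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    if best is None or best["target"] == "blackhole":
        return None
    return best


def check_path(hops, src, dst):
    """For every hop (name, routes), report a missing forward route (toward dst)
    and a missing return route (toward src). Returns a list of findings."""
    findings = []
    for name, routes in hops:
        if lookup(routes, dst) is None:
            findings.append(f"{name}: no route toward {dst}")
        if lookup(routes, src) is None:
            findings.append(f"{name}: no return route toward {src}")
    return findings


# Constructed sample topology with placeholder IDs: the 10.5.0.0/16 VPC's route
# table sends 10.56.0.0/16 to the TGW, but the TGW route table associated with
# that VPC blackholes 10.56.0.0/16, so the return path breaks at that hop.
SAMPLE_HOPS = [
    ("vpc-10.5 route table", [
        {"cidr": "10.5.0.0/16", "target": "local"},
        {"cidr": "10.56.0.0/16", "target": "tgw-PLACEHOLDER"},
        {"cidr": "10.200.0.0/16", "target": "tgw-PLACEHOLDER"},
    ]),
    ("tgw route table (assoc. vpc-10.5)", [
        {"cidr": "10.5.0.0/16", "target": "tgw-attach-vpc-PLACEHOLDER"},
        {"cidr": "10.200.0.0/16", "target": "tgw-attach-vpn-PLACEHOLDER"},
        {"cidr": "10.56.0.0/16", "target": "blackhole"},
    ]),
]

if __name__ == "__main__":
    for line in check_path(SAMPLE_HOPS, src="10.56.1.10", dst="10.200.0.5"):
        print(line)
```

To run this against a live account, feed it the routes returned by `describe-route-tables` and `search-transit-gateway-routes` for each hop on the path.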