Troubleshoot AWS Site-to-Site VPN IKEv1 and IKEv2 errors using the AWSSupport-TroubleshootVPN runbook

4 minute read
Content level: Expert

The AWSSupport-TroubleshootVPN runbook runs a set of automated checks that trace IKEv1 or IKEv2 errors for the VPN tunnels of an AWS Site-to-Site VPN connection. When it finds a known error in the tunnel logs, the automation outputs the matched error together with its recommended resolution.

Note: This automation doesn't fix the errors. It scans the Amazon CloudWatch Logs log group for the requested time range and reports what it finds.

The runbook runs a parameter validation to confirm the following:

  • The Amazon CloudWatch Logs group included in the input parameter exists.
  • There’s a log stream in the log group that corresponds to the VPN tunnel logging.
  • The VPN connection ID exists.
  • The specified tunnel IP address(es) exist on that VPN connection.

The automation makes CloudWatch Logs Insights API calls on your CloudWatch Logs group that’s configured for VPN logging.

Note: The Logs Insights queries that the automation runs are billed as normal CloudWatch Logs Insights usage. See the Amazon CloudWatch pricing page for details.

Resolution

Prerequisites

  • Make sure you've activated logging for your VPN connection's tunnels.
  • Before you begin, make sure the AWS Identity and Access Management (IAM) user or role that runs the automation (or the AutomationAssumeRole, if you specify one) has these IAM permissions:
      logs:DescribeLogGroups
      logs:GetQueryResults
      logs:DescribeLogStreams
      logs:StartQuery (can be scoped to the specific log group)
      ec2:DescribeVpnConnections
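The permission list above is all the runbook needs, so the identity that runs it should get nothing more. The following is an added example (not code from the runbook or from AWS) that builds such a least-privilege policy: the two actions that accept a log-group scope, logs:StartQuery and logs:DescribeLogStreams, are restricted to the VPN log group, and only the account-wide list/get calls stay on "*". It also emits the trust policy an AutomationAssumeRole needs so that Systems Manager Automation can assume it. The account ID, region and log group name are placeholders, and the helper names are this example's own.

```python
"""Least-privilege IAM policy for running AWSSupport-TroubleshootVPN.

Added example, not part of the runbook. Account ID, region and log group
name below are placeholders; replace them with your own values.
"""
import json

# The permissions the runbook documents as required.
REQUIRED_ACTIONS = {
    "logs:DescribeLogGroups",
    "logs:GetQueryResults",
    "logs:DescribeLogStreams",
    "logs:StartQuery",
    "ec2:DescribeVpnConnections",
}


def vpn_troubleshoot_policy(account_id, region, log_group_name):
    """Return an identity policy scoped to one VPN log group."""
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "QueryVpnLogGroupOnly",
                "Effect": "Allow",
                # Both actions accept a log-group resource; ':*' also
                # covers the log streams that live under the group.
                "Action": ["logs:StartQuery", "logs:DescribeLogStreams"],
                "Resource": [log_group_arn, f"{log_group_arn}:*"],
            },
            {
                "Sid": "AccountWideReadOnlyCalls",
                "Effect": "Allow",
                # List/get calls that are not tied to a single log group.
                "Action": [
                    "logs:DescribeLogGroups",
                    "logs:GetQueryResults",
                    "ec2:DescribeVpnConnections",
                ],
                "Resource": "*",
            },
        ],
    }


def automation_trust_policy():
    """Trust policy for a role passed as AutomationAssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ssm.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def allowed_actions(policy):
    """Set of actions granted by Allow statements in the policy."""
    allowed = set()
    for statement in policy["Statement"]:
        if statement["Effect"] == "Allow":
            allowed.update(statement["Action"])
    return allowed


def covers_required_actions(policy):
    """True if every documented permission is granted."""
    return REQUIRED_ACTIONS <= allowed_actions(policy)


def unscoped_actions(policy):
    """Actions granted on '*': the residual blast radius to review."""
    unscoped = set()
    for statement in policy["Statement"]:
        resources = statement["Resource"]
        if resources == "*" or (isinstance(resources, list) and "*" in resources):
            unscoped.update(statement["Action"])
    return unscoped


if __name__ == "__main__":
    policy = vpn_troubleshoot_policy("111122223333", "us-east-1", "/aws/vpn/logs")
    print(json.dumps(policy, indent=2))
    print("missing:", sorted(REQUIRED_ACTIONS - allowed_actions(policy)))
    print("unscoped:", sorted(unscoped_actions(policy)))
```

Attach the identity policy to the user or role that starts the runbook, or to the AutomationAssumeRole together with the trust policy. Running the script before deploying shows which of the five actions remain on "*", which is the part worth justifying in a review.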

Set up the automation workflow

Follow these steps to configure the automation workflow:

Step 1: Navigate to the AWS Systems Manager console.

Step 2: In the navigation pane, choose Documents.


Step 3: In the search bar, enter AWSSupport-TroubleshootVPN.

Step 4: Choose AWSSupport-TroubleshootVPN.


Step 5: Choose Execute automation.


Step 6: For the input parameters, enter the following:

  • AutomationAssumeRole (optional): The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

  • LogGroupName (required): The name of the CloudWatch log group that your VPN connection is configured to send its tunnel logs to.

  • VpnConnectionId (required): The ID of the AWS Site-to-Site VPN connection whose logs are scanned for errors.

  • TunnelAIPAddress (required): The tunnel A IP address associated with your AWS Site-to-Site VPN connection.

  • TunnelBIPAddress (optional): The tunnel B IP address associated with your AWS Site-to-Site VPN connection.

  • IKEVersion (required): The IKE version that the tunnel negotiates. Allowed values: IKEv1, IKEv2.

  • StartTimeinEpoch (optional): The beginning of the time range to query for errors. The range is inclusive, so the specified start time is included in the query. Specified as epoch time: the number of seconds since January 1, 1970, 00:00:00 UTC.

  • EndTimeinEpoch (optional): The end of the time range to query for errors. The range is inclusive, so the specified end time is included in the query. Specified as epoch time: the number of seconds since January 1, 1970, 00:00:00 UTC.

  • LookBackPeriod (optional): The number of hours before the automation's start time to search for errors.

Note: To set the time window for error tracing, use either StartTimeinEpoch and EndTimeinEpoch together, or LookBackPeriod.

If you specify all three of StartTimeinEpoch, EndTimeinEpoch and LookBackPeriod, LookBackPeriod takes precedence and the explicit range is ignored.

For LookBackPeriod, give a two-digit number of hours from 01 to 99; the automation checks for errors that far back from its start time. If the error happened in the past within a known time range, specify StartTimeinEpoch and EndTimeinEpoch instead of LookBackPeriod.


Step 7: Choose Execute. The automation workflow is now running.


Step 8: When the execution finishes, review the Outputs section in the Systems Manager console for the detailed results. The output lists each matched error with its resolution, and the total number of unique errors found in the logs.
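The console steps above can be scripted. What follows is an added example (not code from the runbook or from AWS) that builds the Parameters map for the runbook, enforcing the rules from Step 6 locally before anything is sent: the VPN connection ID and tunnel IP addresses are checked for shape, IKEVersion must be IKEv1 or IKEv2, LookBackPeriod is sent as a zero-padded two-digit hour count and wins over an explicit window, and epoch times are validated as seconds (a 13-digit millisecond value is a common mistake that silently produces an empty time range). The parameter names are the runbook's; the function and helper names, the log group, the VPN ID and the 203.0.113.0/24 addresses are this example's own placeholders. The boto3 calls in the `__main__` block need AWS credentials with the permissions listed under Prerequisites.

```python
"""Start an AWSSupport-TroubleshootVPN execution with validated parameters.

Added example, not part of the runbook. The parameter names are the
runbook's; validation rules follow the notes under Step 6.
"""
import ipaddress
import re
from datetime import datetime

DOCUMENT_NAME = "AWSSupport-TroubleshootVPN"
ALLOWED_IKE_VERSIONS = ("IKEv1", "IKEv2")
VPN_ID_PATTERN = re.compile(r"vpn-[0-9a-f]{8,17}")


def _epoch_seconds(value):
    """Normalise an int epoch or an aware datetime to epoch seconds."""
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("datetime must be timezone-aware")
        value = int(value.timestamp())
    value = int(value)
    # 10**11 seconds is the year 5138; anything larger is almost certainly
    # a millisecond timestamp, which the runbook would treat as seconds.
    if value > 10**11:
        raise ValueError(f"{value} looks like milliseconds, not seconds")
    if value <= 0:
        raise ValueError("epoch time must be positive")
    return value


def build_parameters(log_group, vpn_connection_id, tunnel_a_ip, ike_version,
                     tunnel_b_ip=None, start_time=None, end_time=None,
                     look_back_hours=None, assume_role_arn=None):
    """Return the Parameters map for ssm:StartAutomationExecution."""
    if not VPN_ID_PATTERN.fullmatch(vpn_connection_id):
        raise ValueError(f"malformed VPN connection ID: {vpn_connection_id}")
    if ike_version not in ALLOWED_IKE_VERSIONS:
        raise ValueError(f"IKEVersion must be one of {ALLOWED_IKE_VERSIONS}")
    ipaddress.IPv4Address(tunnel_a_ip)  # raises ValueError on a bad address

    params = {
        "LogGroupName": [log_group],
        "VpnConnectionId": [vpn_connection_id],
        "TunnelAIPAddress": [tunnel_a_ip],
        "IKEVersion": [ike_version],
    }
    if tunnel_b_ip:
        ipaddress.IPv4Address(tunnel_b_ip)
        params["TunnelBIPAddress"] = [tunnel_b_ip]
    if assume_role_arn:
        params["AutomationAssumeRole"] = [assume_role_arn]

    # Time window: LookBackPeriod takes precedence in the runbook, so the
    # explicit range is never sent alongside it.
    if look_back_hours is not None:
        hours = int(look_back_hours)
        if not 1 <= hours <= 99:
            raise ValueError("LookBackPeriod must be between 01 and 99 hours")
        params["LookBackPeriod"] = [f"{hours:02d}"]
    elif start_time is not None or end_time is not None:
        if start_time is None or end_time is None:
            raise ValueError("StartTimeinEpoch and EndTimeinEpoch must be given together")
        start, end = _epoch_seconds(start_time), _epoch_seconds(end_time)
        if end < start:
            raise ValueError("EndTimeinEpoch is earlier than StartTimeinEpoch")
        params["StartTimeinEpoch"] = [str(start)]
        params["EndTimeinEpoch"] = [str(end)]
    return params


if __name__ == "__main__":
    import json
    import time
    import boto3  # needs credentials with the Prerequisites permissions

    ssm = boto3.client("ssm")
    params = build_parameters("/aws/vpn/logs", "vpn-0123456789abcdef0",
                              "203.0.113.10", "IKEv2",
                              tunnel_b_ip="203.0.113.11", look_back_hours=6)
    execution_id = ssm.start_automation_execution(
        DocumentName=DOCUMENT_NAME, Parameters=params)["AutomationExecutionId"]
    while True:
        execution = ssm.get_automation_execution(
            AutomationExecutionId=execution_id)["AutomationExecution"]
        if execution["AutomationExecutionStatus"] not in ("Pending", "InProgress", "Waiting"):
            break
        time.sleep(10)
    print(execution["AutomationExecutionStatus"])
    print(json.dumps(execution.get("Outputs", {}), indent=2))
```

Because `build_parameters` only ever emits one kind of time window, a caller cannot accidentally pass both and then wonder why the explicit range was ignored; if the execution reports no errors, check the Outputs for the window it actually scanned before concluding the tunnel logs are clean.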


If you have further questions or need assistance, open a case with AWS Support.

Related information

Run an automation

Setting up Automation

Systems Manager Automation runbook reference