AWS site-to-site VPN routing issue

0

We have a site-to-site VPN set up between AWS and our Checkpoint firewalls with dynamic BGP routing. On the Checkpoint side I see traffic going over the VPN tunnel to AWS, but I do not see any return traffic. I am trying to ping an AWS Linux EC2 instance. To complicate matters, due to company policy I cannot create a public interface on the EC2 instance, so I cannot SSH into the EC2 instance to run a tcpdump and see whether the ICMP packets are being received. Any advice on troubleshooting this?

3 answers
1
Accepted answer

To access the Linux instance you might try the EC2 Serial Console.

Otherwise, one common issue with site-to-site VPNs is where NAT is enabled on the firewall side. In the settings for the connection make sure that NAT is disabled.

AWS
EXPERT
answered 2 years ago
0

A great tool is also the VPC Reachability Analyzer. You can define a path from the VPN gateway to the ENI of the instance and it will check everything from routing to security groups. This makes sure that all configuration on the AWS side is properly checked. Otherwise it will tell you which route table, security group, etc. is the source of your issue.

Another thing you might be able to do is to activate VPC flow logs. This helps you to see all the traffic flows inside the VPC, so you can see where the packets are flowing from and to. If you use CloudWatch Logs as the destination you can use CloudWatch Logs Insights to query the records quite comfortably.

And please make sure that the network ranges you are trying to connect are properly covered by the IPsec SA definition.

EXPERT
answered 2 years ago
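The flow-log suggestion above is the one check that works without any access to the instance: an ICMP echo that reaches the ENI shows up as an inbound record, and a reply that leaves shows up as an outbound one, so the records tell you which leg of the exchange is missing. The following is an added example, not code from either answer: it parses VPC flow log records in the default (version 2, space-separated) format, isolates ICMP flows between the on-prem range and the instance, and also flags echo requests arriving from an address outside the on-prem range, which is what you see when the firewall is NATing the VPN traffic. The interface ID, account ID, addresses and records in SAMPLE_LOG are constructed for illustration, and the Logs Insights field names in LOGS_INSIGHTS_QUERY are assumed.

```python
"""Triage VPC flow log records for a one-way ICMP path (added example)."""
from ipaddress import ip_address, ip_network

# Field order of the default VPC flow log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
ICMP = 1

VERDICT_NO_REQUEST = "no echo request from the on-prem range reached the ENI"
VERDICT_REJECTED = "echo requests reached the ENI but were REJECTed (security group / NACL)"
VERDICT_NO_REPLY = "echo requests were ACCEPTed at the ENI but no reply flow was logged"
VERDICT_REPLY_REJECTED = "reply flows were REJECTed leaving the ENI (outbound NACL)"
VERDICT_REPLY_SENT = "reply flows left the ENI; the loss is on the return path"

# Assumed CloudWatch Logs Insights equivalent (field names as auto-discovered
# for flow logs delivered to CloudWatch Logs); not executed by this script.
LOGS_INSIGHTS_QUERY = (
    'fields @timestamp, srcAddr, dstAddr, action, packets '
    '| filter protocol = 1 and (dstAddr = "10.0.1.25" or srcAddr = "10.0.1.25") '
    '| sort @timestamp desc'
)

# Constructed sample: one NATed request, one un-NATed request, one SSH attempt
# rejected by the security group, and a NODATA interval. No reply is logged.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.25 0 0 1 4 336 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.25 51234 22 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000120 1700000180 - NODATA
"""


def parse_record(line):
    """Parse one flow log line into a dict. Numeric fields become ints for
    OK records; NODATA/SKIPDATA records keep their '-' placeholders."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] == "OK":
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
    return rec


def triage_icmp(lines, onprem_cidr, instance_ip):
    """Count ICMP packets per leg between onprem_cidr and instance_ip and
    derive a verdict about which leg is missing."""
    onprem = ip_network(onprem_cidr)
    target = ip_address(instance_ip)
    s = {"inbound_accepted": 0, "inbound_rejected": 0,
         "outbound_accepted": 0, "outbound_rejected": 0,
         "unexpected_sources": [], "verdict": None}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["protocol"] != ICMP:
            continue
        src, dst = ip_address(rec["srcaddr"]), ip_address(rec["dstaddr"])
        accepted = rec["action"] == "ACCEPT"
        if dst == target:
            if src in onprem:
                s["inbound_accepted" if accepted else "inbound_rejected"] += rec["packets"]
            elif str(src) not in s["unexpected_sources"]:
                # ICMP to the instance from outside the on-prem range: the
                # firewall is most likely NATing the traffic into the tunnel.
                s["unexpected_sources"].append(str(src))
        elif src == target and dst in onprem:
            s["outbound_accepted" if accepted else "outbound_rejected"] += rec["packets"]

    if s["outbound_accepted"]:
        s["verdict"] = VERDICT_REPLY_SENT
    elif s["outbound_rejected"]:
        s["verdict"] = VERDICT_REPLY_REJECTED
    elif s["inbound_accepted"]:
        s["verdict"] = VERDICT_NO_REPLY
    elif s["inbound_rejected"]:
        s["verdict"] = VERDICT_REJECTED
    else:
        s["verdict"] = VERDICT_NO_REQUEST
    return s


if __name__ == "__main__":
    result = triage_icmp(SAMPLE_LOG.splitlines(), "192.168.10.0/24", "10.0.1.25")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample the request from 192.168.10.5 is accepted at the ENI and no reply is logged, which points at the instance (OS firewall, or the serial console to look at it directly), while the echo from 203.0.113.7 is reported as an unexpected source: that is the NAT symptom the accepted answer describes, and the fix is on the firewall, not in AWS. A REJECT on the inbound leg would instead point at a security group or NACL, and an accepted outbound reply would put the loss on the return route through the VGW and the tunnel.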
0

Looks like NAT was enabled on the firewall. Thank you for the help.

answered 2 years ago
