


 Short description
------------------



When you use a policy-based VPN connection to connect to an AWS VPN endpoint, AWS limits the number of security associations to a single pair. The single pair includes one inbound and one outbound security association.


Policy-based VPNs with more than one pair of security associations will drop existing connections when new connections with different security associations initiate. This behavior indicates that a new VPN connection has interrupted an existing one.



 Resolution
-----------



Limit the number of encryption domains (networks) with access to your VPC. If you have more than one encryption domain behind your VPN's [customer gateway](https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html), then configure them to use a single security association. To check if multiple security associations exist for your customer gateway, see the [Troubleshooting your customer gateway device](https://docs.aws.amazon.com/vpc/latest/adminguide/Troubleshooting.html).


[Configure your customer gateway](https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-configure-customer-gateway-device) to allow any network behind the customer gateway (0.0.0.0/0) with a destination of your VPC Classless Inter-Domain Routing (CIDR) to pass through the VPN tunnel. This configuration uses a single security association, which improves tunnel stability. This configuration also allows networks that aren't defined in the policy to access the VPC.


If possible, implement a traffic filter on your customer gateway to block unwanted traffic to your VPC. [Configure security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#creating-security-groups) to specify what traffic can reach your instances. Also configure [network access control lists (network ACLs)](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) to block unwanted traffic to subnets.





---




 Related information
--------------------



[Why is IKE (phase 1 of my VPN tunnel) failing in Amazon VPC?](https://repost.aws/knowledge-center/vpn-tunnel-phase-1-ike)


[Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?](https://repost.aws/knowledge-center/vpn-tunnel-phase-2-ipsec)







I'm using a policy-based virtual private network (VPN) to connect to my AWS Virtual Private Network (AWS VPN) endpoint in Amazon Virtual Private Cloud (Amazon VPC). I'm experiencing problems, such as packet loss, intermittent or no connectivity, and general network instability, and want to troubleshoot these issues.

Troubleshoot connection problems for AWS VPNs

How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

Redes y entrega de contenido

¿Cómo accedo a Internet mediante Site-to-Site VPN en mi red local?

¿Cómo puedo crear una VPN basada en el enrutamiento dinámico con un firewall de Palo-Alto y una VPN de AWS?

¿Cómo calculo el ancho de banda y configuro una alarma de CloudWatch para las conexiones de AWS Direct Connect, AWS Site-to-Site VPN o Transit Gateway?

¿Cómo puedo permitir la comunicación entre múltiples VPC desde una conexión de VPN única conectada a mi puerta de enlace de tránsito sin permitir el acceso entre las VPC?

How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

Short description

Resolution

Related information

Contenido relevante