VPN tunnel is UP and traffic is reaching the AWS instance but not the on-premise side


We have Setup A and Setup B, which use two separate accounts and have their own public IPs.

Both setups have an AWS S2S VPN (VPG method, static routing) configured with pfSense installed on a PC.

Setup A is working well with no issues, but Setup B (which was working fine before) is not working, even with the same configuration.

Tunnels are UP and traffic is reaching AWS but not the on-premise side. No issues were found in Reachability Analyzer either.

Any idea what might be the issue?

karan
asked 4 months ago, 171 views
2 Answers

If the VPC CIDRs are the same and you're using this in your routing configuration, it will not work.

Can you confirm there is no IP overlap?

How do you know it reaches AWS but not on-prem?

Also, even though it may say up in the AWS GUI, the CloudWatch logs can report down for IKE phase 2.

EXPERT
answered 4 months ago
  • Thanks for your response!

    There is no IP overlap (on-prem uses a 192.x.x.x CIDR and AWS uses a 172.x.x.x CIDR).

    I found out by packet capturing on both sides using Wireshark.

    The tunnels are up and packets are reaching AWS, so I don't think it will have issues with IKE phase 2, but I will try getting logs from CloudWatch.

  • For both A and B, can you see packets on both sides? Do you have 1 or 2 tunnels per S2S connection? You're not using the default AWS VPCs?

  • Hi Gary, thanks for the follow-up.

    I tried redoing the setup from scratch again and it's working now.

    I genuinely don't know what the issue was, as I followed the same steps as before.

0

Since Setup B was working fine before, there are a few things you can validate to identify the issue.

  1. Can you please validate whether any configuration changes were made on either side?
     • On the AWS side, you can leverage CloudTrail.
  2. Initiate traffic from both sides.
  3. Capture traffic on the PC or edge router on the customer end.
  4. Also, since traffic is not reaching as expected, you can bounce the tunnel (both phases) to check if that helps.

AWS
H_Shah
answered 4 months ago
  • Thanks for your response!

    I used pfSense (on-prem) and Wireshark in an AWS instance for packet capture.

    No traffic is reaching pfSense from AWS, but packets from on-prem are reaching AWS.

    I am thinking of recreating Setup B from scratch and using CloudTrail and CloudWatch if the issue still exists.

    I will update if there's any progress.
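The checks the two answers walk through (CIDR overlap, per-tunnel state rather than the connection-level status, and the static route for the on-prem prefix) as an added example that is not part of the question or either answer. It runs offline on constructed samples shaped like the EC2 `describe_vpn_connections` and `describe_route_tables` responses; the VPN id, gateway ids, addresses and CIDRs are made-up placeholders. It also goes one step past the thread and checks the VPC route table for a return route to the on-prem prefix via the VGW, since traffic that arrives at AWS but never comes back is the classic sign of a missing return route.

```python
import ipaddress

# Constructed sample shaped like describe_vpn_connections()["VpnConnections"][0]
SETUP_B = {
    "VpnConnectionId": "vpn-0example",
    "VgwTelemetry": [  # one entry per tunnel
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": ""},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN"},
    ],
    "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "Source": "Static", "State": "available"}],
}
# Constructed sample shaped like describe_route_tables()["RouteTables"][0]; no route sends the on-prem prefix to the VGW.
VPC_RT = {"Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
]}

def cidrs_overlap(a, b):
    """True if the two prefixes share any address; overlap breaks VPN routing."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def check_vpn(vpn, vpc_cidr, onprem_cidr):
    """Findings for one VPN connection entry: overlap, per-tunnel state, static route."""
    findings = []
    if cidrs_overlap(vpc_cidr, onprem_cidr):
        findings.append(f"CIDR overlap: VPC {vpc_cidr} vs on-prem {onprem_cidr}")
    # The console may show the connection as up while one tunnel is actually down.
    for t in vpn.get("VgwTelemetry", []):
        if t.get("Status") != "UP":
            findings.append(f"tunnel {t['OutsideIpAddress']} is {t['Status']}: {t.get('StatusMessage', '')}")
    # Static routing: some route on the VPN connection must cover the on-prem prefix.
    target = ipaddress.ip_network(onprem_cidr)
    routes = [r["DestinationCidrBlock"] for r in vpn.get("Routes", []) if r.get("State") != "deleted"]
    if not any(target.subnet_of(ipaddress.ip_network(r)) for r in routes):
        findings.append(f"no static VPN route covers {onprem_cidr} (have {routes})")
    return findings

def check_return_route(route_table, vgw_id, onprem_cidr):
    """Findings for the VPC route table: the on-prem prefix must point at the VGW
    (static route or route propagation), else AWS-side replies never leave the VPC."""
    target = ipaddress.ip_network(onprem_cidr)
    for r in route_table.get("Routes", []):
        if r.get("GatewayId") == vgw_id and r.get("State") == "active":
            if target.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"])):
                return []
    return [f"no VPC route to {onprem_cidr} via {vgw_id}"]

if __name__ == "__main__":
    print(check_vpn(SETUP_B, "172.31.0.0/16", "192.168.10.0/24")
          + check_return_route(VPC_RT, "vgw-0example", "192.168.10.0/24"))
```

Feeding it the real API responses (for example from `aws ec2 describe-vpn-connections` and `aws ec2 describe-route-tables`) instead of the constructed samples gives the same findings for a live connection.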
