How do I troubleshoot issues with traffic routing over Site-to-Site VPN?
I want to troubleshoot issues with traffic routing over AWS Site-to-Site VPN.
Resolution
The following reasons can cause issues with traffic routing over Site-to-Site VPN:
- An incorrectly configured route table
- Dynamic routing errors
- Static routing errors
- An incorrect configuration between AWS and your on-premises device
- An intermittent or unstable VPN connection
- Traffic that isn't routed or doesn't reach its destination
Download the example configuration file that corresponds to your customer gateway device (available from the Site-to-Site VPN console for the connection), and compare it line by line with the device's running configuration to troubleshoot routing issues.
Make sure that the customer gateway device's firewall policy allows traffic between AWS and your on-premises device.
Incorrectly configured route table
On the virtual private cloud (VPC) or transit gateway route tables, verify that the routes for the on-premises prefixes point to the gateway that terminates the VPN connection: the virtual private gateway (a static route or a route propagated from it) when the connection is attached to a virtual private gateway, or the transit gateway when the connection is a transit gateway attachment. Route tables use longest-prefix match, so a more specific route that points elsewhere (for example, to a peering connection or an internet gateway) wins over a broader route to the gateway.
If the connection uses a transit gateway, then verify that the transit gateway route table is associated with both the VPC attachment (the traffic source) and the VPN attachment. The transit gateway route table must also contain routes for the on-premises prefixes that point to the VPN attachment, and routes for the VPC CIDRs that point to the VPC attachment.
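The route table checks above can be automated against the JSON that the AWS CLI returns. The following is an added example (not code from the AWS article): it performs the same longest-prefix match a VPC route table does and reports every on-premises prefix that would not be sent to the VPN gateway. The route table, gateway IDs and prefixes are constructed, hypothetical values in the shape of `aws ec2 describe-route-tables` output; for a transit gateway route table the same logic applies to `aws ec2 search-transit-gateway-routes` output, where the target is the attachment ID.

```python
"""Verify that a route table sends every on-premises prefix to the VPN gateway.
Added example, not AWS code.  VPC_ROUTE_TABLE is a constructed sample in the
shape of one element of `aws ec2 describe-route-tables` RouteTables[]; all IDs
and addresses are hypothetical."""
import ipaddress
import json

VPC_ROUTE_TABLE = json.loads("""
{
  "RouteTableId": "rtb-0123456789abcdef0",
  "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0abc1234def567890", "State": "active"},
    {"DestinationCidrBlock": "192.168.30.0/24", "VpcPeeringConnectionId": "pcx-0123456789abcdef0", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0fedcba9876543210", "State": "active"}
  ]
}
""")

# On-premises prefixes that must be reachable over the VPN (hypothetical).
ON_PREM_PREFIXES = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24", "172.16.5.0/24"]
VPN_GATEWAY_ID = "vgw-0abc1234def567890"


def route_target(route):
    """Return the target of a route whatever key AWS used for it.  Transit gateway
    route tables list the target under TransitGatewayAttachments instead."""
    if "TransitGatewayAttachments" in route:
        return route["TransitGatewayAttachments"][0]["TransitGatewayAttachmentId"]
    for key in ("GatewayId", "TransitGatewayId", "NatGatewayId", "NetworkInterfaceId",
                "InstanceId", "VpcPeeringConnectionId"):
        if key in route:
            return route[key]
    return None


def matching_route(routes, prefix):
    """Longest-prefix match as a VPC route table does it: the most specific active
    route that contains the entire prefix wins.  Returns None if nothing matches."""
    prefix = ipaddress.ip_network(prefix)
    best = None
    for route in routes:
        if route.get("State") != "active" or "DestinationCidrBlock" not in route:
            continue
        dest = ipaddress.ip_network(route["DestinationCidrBlock"])
        if dest.version == prefix.version and prefix.subnet_of(dest):
            if best is None or dest.prefixlen > best[0].prefixlen:
                best = (dest, route)
    return best[1] if best else None


def check_vpn_coverage(route_table, on_prem_prefixes, vpn_gateway_id):
    """Map each on-premises prefix to the route it would take and return the ones
    that do not go to the VPN gateway: either no route at all (falls through to the
    default route) or a more specific route that steals the traffic."""
    problems = {}
    for prefix in on_prem_prefixes:
        route = matching_route(route_table["Routes"], prefix)
        target = route_target(route) if route else None
        if target != vpn_gateway_id:
            problems[prefix] = target
    return problems


if __name__ == "__main__":
    for prefix, target in check_vpn_coverage(VPC_ROUTE_TABLE, ON_PREM_PREFIXES, VPN_GATEWAY_ID).items():
        print(f"{prefix}: routed via {target!r}, expected {VPN_GATEWAY_ID}")
```

In the constructed sample, `172.16.5.0/24` has no VPN route and falls through to the internet gateway, and `192.168.30.0/24` is covered by the `/16` VPN route but loses to a more specific peering route; both are the kind of mistake that is easy to miss when reading the console.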
Dynamic routing errors
If the connection uses dynamic routing, then verify the following configurations:
- The customer gateway advertises the on-premises prefixes from the Border Gateway Protocol (BGP) session on the Site-to-Site VPN tunnel.
- The route maps on the customer gateway device allow the on-premises prefixes that are advertised over the BGP session.
- If the same virtual private gateway also has an AWS Direct Connect connection, then AWS prefers the Direct Connect routes over the Site-to-Site VPN routes for the same prefix. Traffic that takes Direct Connect instead of the VPN in that case is expected behavior, not a VPN fault.
If you correctly set up the preceding configurations but the BGP continues to fail, then troubleshoot BGP connection issues over VPN.
Static routing errors
If the connection uses a virtual private gateway, then verify that the VPN connection includes a static route for the on-premises network.
Make sure that the customer gateway has static routes for the VPC CIDR that point to the correct virtual tunnel interface.
If you're using an accelerated VPN connection, then verify that NAT-traversal (NAT-T) is active on the customer gateway device.
Activate Amazon Virtual Private Cloud (Amazon VPC) Flow Logs on the destination instance's elastic network interface (or on its subnet), then verify that the traffic is received.
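The static and dynamic routing checks in the two sections above can both be run against the description of the VPN connection itself. The following is an added example (not code from the AWS article): it reads a VPN connection in the shape of one element of `aws ec2 describe-vpn-connections` VpnConnections[], checks tunnel status, and then applies the static check (the connection must carry a route for each on-premises prefix) or the dynamic check (an UP tunnel must have accepted BGP routes, reported by AWS as `AcceptedRouteCount`). The connection, IDs, addresses and prefixes are constructed, hypothetical values.

```python
"""Triage one Site-to-Site VPN connection for the static and dynamic routing checks.
Added example, not AWS code.  VPN_CONNECTION is a constructed sample in the shape of
`aws ec2 describe-vpn-connections` output; IDs and addresses are hypothetical."""
import ipaddress
import json

VPN_CONNECTION = json.loads("""
{
  "VpnConnectionId": "vpn-0123456789abcdef0",
  "State": "available",
  "VpnGatewayId": "vgw-0abc1234def567890",
  "Options": {"StaticRoutesOnly": true,
              "LocalIpv4NetworkCidr": "0.0.0.0/0", "RemoteIpv4NetworkCidr": "0.0.0.0/0"},
  "Routes": [
    {"DestinationCidrBlock": "192.168.0.0/16", "Source": "Static", "State": "available"}
  ],
  "VgwTelemetry": [
    {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 0, "StatusMessage": ""},
    {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"}
  ]
}
""")

# Same connection, but configured for BGP (dynamic) routing; constructed for comparison.
VPN_CONNECTION_DYNAMIC = {**VPN_CONNECTION,
                          "Options": {**VPN_CONNECTION["Options"], "StaticRoutesOnly": False},
                          "Routes": []}

ON_PREM_PREFIXES = ["192.168.10.0/24", "172.16.5.0/24"]   # hypothetical on-premises networks


def covered(prefix, cidrs):
    """True if `prefix` lies entirely inside one of `cidrs` (same IP version)."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == c.version and net.subnet_of(c)
               for c in map(ipaddress.ip_network, cidrs))


def triage_vpn_connection(conn, on_prem_prefixes):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    telemetry = conn["VgwTelemetry"]
    up = [t for t in telemetry if t["Status"] == "UP"]
    if not up:
        findings.append("no tunnel is UP; fix IKE/IPsec before looking at routing")
    for t in telemetry:
        if t["Status"] != "UP":
            findings.append(f"tunnel {t['OutsideIpAddress']} is {t['Status']}: "
                            f"{t['StatusMessage'] or 'no message'}")

    if conn["Options"]["StaticRoutesOnly"]:
        # Static routing: the VPN connection must have a route for every on-premises prefix.
        static = [r["DestinationCidrBlock"] for r in conn["Routes"] if r["State"] == "available"]
        for p in on_prem_prefixes:
            if not covered(p, static):
                findings.append(f"static route missing for {p} (configured: {static})")
    else:
        # Dynamic routing: AcceptedRouteCount is how many prefixes AWS learned over BGP on the tunnel.
        for t in up:
            if t["AcceptedRouteCount"] == 0:
                findings.append(f"tunnel {t['OutsideIpAddress']} is UP but BGP delivered 0 routes; "
                                "check the customer gateway's advertisements and route maps")
    return findings


if __name__ == "__main__":
    for line in triage_vpn_connection(VPN_CONNECTION, ON_PREM_PREFIXES):
        print("static:", line)
    for line in triage_vpn_connection(VPN_CONNECTION_DYNAMIC, ON_PREM_PREFIXES):
        print("dynamic:", line)
```

An UP tunnel with `AcceptedRouteCount` of 0 is the signature of the dynamic routing errors listed above: IPsec is fine, but the customer gateway is not advertising the on-premises prefixes, or a route map filters them.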
Incorrect configuration between AWS and your on-premises device
Verify that routes are correctly configured to and from AWS and your on-premises device.
If there's a policy-based VPN on the customer gateway side, then verify the following configurations:
- The local IPv4 network CIDR (the on-premises side) and remote IPv4 network CIDR (the AWS side) tunnel options on the VPN connection match the networks configured in the policy on your on-premises device. Both default to 0.0.0.0/0 on AWS; if you narrow them, every network in the device's policy must fall inside them.
- The encryption domain includes the necessary traffic.
Use Amazon CloudWatch to monitor the TunnelDataIn and TunnelDataOut tunnel metrics.
Troubleshoot intermittent or unstable VPN connections
AWS VPN endpoints support only a single pair of security associations (SAs), one inbound and one outbound, per tunnel. A policy-based customer gateway device negotiates one SA pair for each combination of local and remote networks in its policy, so a policy with several networks creates additional SAs that AWS tears down, and traffic for those networks drops in and out. If the VPN connection must carry multiple networks, then summarize the local and remote CIDRs on both the customer gateway device and the VPN connection so that the policy produces one SA pair.
If the status of both tunnels is UP, then verify that the customer gateway device supports asymmetric routing, because AWS can return traffic over either tunnel.
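The policy-based checks above (the local and remote network CIDRs on both sides must agree, and the policy must collapse to a single SA pair) are easy to get wrong by hand. The following is an added example (not code from the AWS article) that, given the networks in a customer gateway's policy, counts the SA pairs the device would negotiate, computes the single summary prefix for each side that would reduce the policy to one SA pair, and flags policy networks that fall outside the CIDRs configured on the VPN connection. The network lists and CIDRs are constructed, hypothetical values.

```python
"""Policy-based VPN sanity checks: SA pair count, summary CIDRs and side mismatches.
Added example, not AWS code.  The customer gateway policy and AWS-side CIDRs below
are constructed and hypothetical."""
import ipaddress
from itertools import product

# Networks in the customer gateway device's policy / encryption domain (constructed).
CGW_LOCAL_NETWORKS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]   # on-premises side
CGW_REMOTE_NETWORKS = ["10.0.0.0/24", "10.0.1.0/24"]                               # AWS VPC side

# What the VPN connection is configured with on AWS: Options.LocalIpv4NetworkCidr is the
# on-premises side, Options.RemoteIpv4NetworkCidr is the AWS side (both default to 0.0.0.0/0).
AWS_LOCAL_CIDR = "192.168.0.0/16"
AWS_REMOTE_CIDR = "10.0.0.0/16"


def sa_pairs(local_networks, remote_networks):
    """Each (local, remote) combination in a policy-based device becomes one IPsec SA
    pair.  AWS keeps only one pair per tunnel, so a result longer than 1 means the
    extra SAs are torn down and traffic for those combinations is intermittent."""
    return list(product(local_networks, remote_networks))


def covering_supernet(networks):
    """Smallest single prefix that contains every network in the list (same IP version).
    The summary may include address space that was not in the list; that is the price of
    collapsing the policy to one SA pair, and it should also appear in the AWS-side CIDRs."""
    nets = sorted(map(ipaddress.ip_network, networks), key=lambda n: n.network_address)
    summary = nets[0]
    for n in nets[1:]:
        while not n.subnet_of(summary):      # raises TypeError on mixed IP versions
            summary = summary.supernet()
    return summary


def mismatch(cgw_networks, aws_cidr):
    """Networks in the device policy that lie outside the CIDR configured on AWS for
    that side.  AWS never matches those selectors, so their traffic is dropped."""
    aws = ipaddress.ip_network(aws_cidr)
    return [n for n in cgw_networks if not ipaddress.ip_network(n).subnet_of(aws)]


def recommend(local_networks, remote_networks, aws_local_cidr, aws_remote_cidr):
    """Summarize everything a practitioner needs to decide whether to collapse the policy."""
    return {
        "sa_pairs": len(sa_pairs(local_networks, remote_networks)),
        "summary_local": str(covering_supernet(local_networks)),
        "summary_remote": str(covering_supernet(remote_networks)),
        "local_outside_aws": mismatch(local_networks, aws_local_cidr),
        "remote_outside_aws": mismatch(remote_networks, aws_remote_cidr),
    }


if __name__ == "__main__":
    for key, value in recommend(CGW_LOCAL_NETWORKS, CGW_REMOTE_NETWORKS,
                                AWS_LOCAL_CIDR, AWS_REMOTE_CIDR).items():
        print(f"{key}: {value}")
```

With the constructed policy the device would negotiate six SA pairs; replacing the three local /24s with 192.168.0.0/19 and the two remote /24s with 10.0.0.0/23 on the device, and setting the same values as the VPN connection's local and remote network CIDRs, brings it down to one.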
Traffic that isn't routed or doesn't reach its destination
Verify that the VPC's security group and subnet network access control list (network ACL) allow the necessary traffic.
If the connection is attached to an AWS Transit Gateway, then verify that the network ACLs on the subnets that hold the transit gateway attachment's network interfaces allow the necessary traffic. Use Transit Gateway Flow Logs to verify that the traffic is routed correctly.
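Flow logs answer the questions this section and the static routing section ask: did on-premises traffic reach the destination network interface at all, was it rejected by the security group or network ACL, and did a reply leave. The following is an added example (not code from the AWS article) that parses VPC Flow Log records in the default format and produces that verdict. The log lines are constructed, with hypothetical addresses, account and interface IDs; Transit Gateway Flow Logs use a different field layout and are not covered here.

```python
"""Classify VPC Flow Log records for the destination ENI of VPN traffic.
Added example, not AWS code.  SAMPLE_FLOW_LOG is constructed in the default
flow-log format (14 fields); all identifiers and addresses are hypothetical."""
import ipaddress
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.20 51234 443 6 12 3400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 192.168.10.5 443 51234 6 10 8200 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.20 51240 22 6 3 180 1700000010 1700000069 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.20.7 10.0.1.20 40000 3389 6 1 60 1700000020 1700000079 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000030 1700000089 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA lines carry no addresses and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def analyse(records, on_prem_cidr, destination_ip):
    """Summarize traffic between the on-premises range and one destination address."""
    on_prem = ipaddress.ip_network(on_prem_cidr)
    dst = ipaddress.ip_address(destination_ip)
    inbound = [r for r in records
               if ipaddress.ip_address(r["srcaddr"]) in on_prem and ipaddress.ip_address(r["dstaddr"]) == dst]
    outbound = [r for r in records
                if ipaddress.ip_address(r["srcaddr"]) == dst and ipaddress.ip_address(r["dstaddr"]) in on_prem]
    # (protocol number, destination port) -> number of rejected flows; a REJECT on the
    # destination ENI means the security group or the subnet network ACL dropped it.
    rejected = Counter((r["protocol"], r["dstport"]) for r in inbound if r["action"] == "REJECT")
    return {
        "inbound_packets": sum(int(r["packets"]) for r in inbound),
        "accepted_flows": sum(1 for r in inbound if r["action"] == "ACCEPT"),
        "rejected_ports": dict(rejected),
        "reply_packets": sum(int(r["packets"]) for r in outbound),
    }


def diagnosis(summary):
    """Turn the summary into the next troubleshooting step from the text above."""
    if summary["inbound_packets"] == 0:
        return "nothing from on-premises reached the ENI: look upstream (VPN routes, route tables, attachment network ACLs)"
    if summary["accepted_flows"] == 0:
        return "traffic arrives but every flow is rejected: check the security group and subnet network ACL"
    if summary["reply_packets"] == 0:
        return "traffic is accepted but no reply leaves: check the instance's return route and host firewall"
    if summary["rejected_ports"]:
        ports = ", ".join(f"proto {p} port {d}" for p, d in sorted(summary["rejected_ports"]))
        return f"accepted traffic is answered, but flows to {ports} are rejected: check security group and network ACL rules for those ports"
    return "on-premises traffic arrives and is answered"


if __name__ == "__main__":
    result = analyse(parse_flow_log(SAMPLE_FLOW_LOG), "192.168.0.0/16", "10.0.1.20")
    print(result)
    print(diagnosis(result))
```

Zero inbound packets on the destination interface is the important negative result: the security group and network ACL cannot be the cause if nothing arrived, and the search moves back to the VPN routes, the route tables, and (for a transit gateway) the attachment subnets' network ACLs.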
Related Information
How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?