How do I troubleshoot AWS VPN tunnel inactivity or tunnel down on my customer gateway device?

Resolution

Common reasons for AWS VPN tunnel inactivity or instability on a customer gateway device include the following:

• Problems with Internet Protocol Security (IPsec) dead peer detection (DPD) monitoring
• Idle timeouts due to low traffic on a VPN tunnel or vendor-specific customer gateway configuration issues
• Rekey issues for phase 1 or phase 2
• A policy-based VPN connection on the customer gateway device is causing intermittent connectivity issues

Check DPD settings

If a VPN peer doesn't respond to three successive DPDs, then the peer is considered dead, and the tunnel is closed.

If your customer gateway device has DPD turned on, then be sure that the following are true:

• It's configured to receive and respond to DPD messages
• It isn't too busy to respond to DPD messages from AWS peers
• It isn't rate limiting DPD messages because IPS features are turned on in the firewall
• It doesn't have internet transit issues

Troubleshoot idle timeouts

If you're experiencing idle timeouts that are caused by low traffic on a VPN tunnel, then check the following:

• Confirm that there's constant bidirectional traffic between your local network and your virtual private cloud (VPC). If necessary, create a host that sends ICMP requests to an instance in your virtual private cloud (VPC) every 5 seconds.
• Review your VPN device's idle timeout settings using information from your device's vendor. If there's no traffic through a VPN tunnel for the duration of your vendor-specific VPN idle time, then the IPsec session ends. Check your vendor documentation for your specific device.

Troubleshoot rekey issues for phase 1 or phase 2

If you're experiencing rekey issues that are caused by phase 1 or phase 2 mismatch on a VPN tunnel, then check the following:

• Review the phase 1 or phase 2 lifetime fields on the customer gateway. Make sure that these fields match the AWS parameters. It's a best practice to uncheck parameters in the VPN tunnel options that aren't needed with the customer gateway for the VPN connection.
• Make sure that perfect forward secrecy (PFS) is activated on the customer gateway device. PFS is activated on the peer on the AWS side, by default.
• Make sure that inbound traffic to UDP ports 500 [IKE], 4500 [NAT-T], and IP 50 [ESP] on the customer gateway allow rekeys for the AWS endpoint.

Note: The IKEv2 lifetime value field is independent of peers. So, if you set a lower lifetime value, then the peer always initiates the rekey.

For more information, see Tunnel options for your Site-to-Site VPN connection and Your customer gateway device.

Troubleshoot intermittent connectivity issues

Intermittent connectivity issues might be caused by the policy based configuration on your customer gateway device. You might also experience intermittent connectivity issues because you're using multiple encryption domains or proxy-IDs.

• Limit the number of encryption domains (networks) that have access to your VPC. If you have more than one encryption domain behind your VPN's customer gateway, then configure them to use a single security association. To check if multiple security associations exist for your customer gateway, see Troubleshooting your customer gateway device.
• Configure your customer gateway device to allow any network behind the customer gateway (0.0.0.0/0) with a destination of your VPC Classless Inter-Domain Routing (CIDR) to pass through the VPN tunnel. This configuration uses a single security association, which improves tunnel stability. This configuration also allows networks that aren't defined in the policy to access the VPC.

For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

Related information

The VPN tunnel between my customer gateway and my virtual private gateway is Up, but I am unable to pass traffic through it. What can I do?