How do I check the current status of my VPN tunnel?


I don't see traffic to and from my Amazon Virtual Private Cloud (Amazon VPC) through an AWS Virtual Private Network (VPN) connection. I want to check the status of my VPN tunnel.

Resolution

Use the Amazon VPC console to check a tunnel's status, then use Amazon CloudWatch to monitor the tunnel's status.

Use the Amazon VPC console to check the tunnel's current status

Prerequisite: Verify whether you are using static or dynamic Site-to-Site VPN routing. VPN devices that don't support Border Gateway Protocol (BGP) must use static routing. VPN devices that support BGP can use dynamic routing.

If you use a static VPN, then complete the following steps:

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under Site-to-Site VPN Connections, choose Site-to-Site VPN Connections.
  3. Select your VPN connection.
  4. Choose the Tunnel Details view.
  5. Review the Status of your VPN tunnel.
  6. If the tunnel status is UP, then choose the Static Routes view.
    Note: Be sure to specify all private networks behind your on-premises firewall.
  7. If the tunnel status is DOWN, then verify that your on-premises firewall is properly configured. For more information, see Firewall rules for your customer gateway device.
  8. Turn on route propagation in your VPC route table.

If you use a dynamic VPN with BGP, then complete the following steps:

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under Site-to-Site VPN Connections, choose Site-to-Site VPN Connections.
  3. Select your VPN connection.
  4. Choose the Tunnel Details view.
  5. Review the Status of your VPN tunnel.
  6. If the tunnel status is UP, then verify that the Details column lists at least one BGP route, and then proceed to step 8.
  7. If the tunnel status is DOWN, but IPsec is UP in the Details column, then configure BGP on your firewall. For more information, see Example customer gateway device configurations for dynamic routing.
  8. Verify that the security groups of Amazon Elastic Compute Cloud (Amazon EC2) instances in your VPC allow appropriate access. For more information, see Control traffic to your AWS resources using security groups.
  9. Verify that your local firewall allows the same service in its access control lists (ACLs) and firewall policies. For more information, see Troubleshooting your customer gateway device.

Use Amazon CloudWatch to monitor your VPN tunnel

Use CloudWatch for the following monitoring tasks:

  • Check the status of a VPN tunnel.
  • Receive notifications when the status of the tunnel changes.
  • Access metric data over time to help evaluate the tunnel's stability.
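The same triage the two console walkthroughs above perform, plus the CloudWatch alarm that the monitoring section describes, as an added example that is not part of this article or of any AWS-provided code. It reads the `VgwTelemetry` fields of the `DescribeVpnConnections` response (the API view of the Tunnel Details panel) and builds `put_metric_alarm` parameters for the per-tunnel `TunnelState` metric; the sample response, VPN ID, tunnel addresses and SNS topic ARN are constructed placeholders, and `boto3` is only needed for the live query under `__main__`.

```python
"""Triage Site-to-Site VPN tunnels from the DescribeVpnConnections API response."""


def triage_tunnels(vpn_connection: dict) -> list[dict]:
    """Return one verdict per tunnel for a single VpnConnections[] entry."""
    static = vpn_connection.get("Options", {}).get("StaticRoutesOnly", False)
    verdicts = []
    for t in vpn_connection.get("VgwTelemetry", []):
        status = t.get("Status", "DOWN")            # UP / DOWN, as in the console Status column
        routes = t.get("AcceptedRouteCount", 0)     # routes learned over the tunnel
        message = (t.get("StatusMessage") or "").upper()
        if status == "UP" and static:
            action = "Tunnel up (static): list every on-premises network as a static route, turn on route propagation"
        elif status == "UP" and routes > 0:
            action = "Tunnel up with BGP routes: check EC2 security groups and on-premises ACLs"
        elif status == "UP":
            action = "Tunnel up but no BGP routes accepted: check the BGP session advertises your prefixes"
        elif "IPSEC IS UP" in message:
            action = "IPsec up, BGP down: configure BGP on the customer gateway device"
        else:
            action = "Tunnel down: verify the customer gateway firewall rules"
        verdicts.append({"tunnel": t.get("OutsideIpAddress"), "status": status,
                         "accepted_routes": routes, "action": action})
    return verdicts


def tunnel_state_alarm(vpn_id: str, tunnel_ip: str, sns_topic_arn: str) -> dict:
    """put_metric_alarm kwargs: notify when the per-tunnel TunnelState metric (1 = UP, 0 = DOWN) stays below 1."""
    return {
        "AlarmName": f"vpn-{vpn_id}-{tunnel_ip}-down",
        "Namespace": "AWS/VPN", "MetricName": "TunnelState",
        "Dimensions": [{"Name": "VpnId", "Value": vpn_id},
                       {"Name": "TunnelIpAddress", "Value": tunnel_ip}],
        "Statistic": "Maximum", "Period": 300, "EvaluationPeriods": 2,
        "Threshold": 1, "ComparisonOperator": "LessThanThreshold",
        "TreatMissingData": "breaching",            # no datapoints also means trouble
        "AlarmActions": [sns_topic_arn],
    }


# Constructed sample (placeholder IDs): a BGP VPN, tunnel 1 healthy, tunnel 2 with IPsec up but BGP down.
SAMPLE_VPN = {
    "VpnConnectionId": "vpn-0123456789abcdef0", "Options": {"StaticRoutesOnly": False},
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 3},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "StatusMessage": "IPSEC IS UP", "AcceptedRouteCount": 0},
    ],
}

if __name__ == "__main__":
    import boto3  # live query against the account's VPN connections
    for vpn in boto3.client("ec2").describe_vpn_connections()["VpnConnections"]:
        for verdict in triage_tunnels(vpn):
            print(vpn["VpnConnectionId"], verdict)
```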

Related information

Your customer gateway device

How do I troubleshoot BGP connection issues over VPN?