I want to troubleshoot packet loss, latency, or intermittent connectivity issues with my AWS Client VPN connection.
Short description
To diagnose packet loss, latency, or intermittent connectivity issues in your Client VPN connection, first test the network to isolate the source of the issue:
- Does this issue affect all users, or only users on a specific internet service provider (ISP) or at a specific remote location?
- How do the affected users connect to your Client VPN? For example, do they connect through a fixed internet connection, a local Wi-Fi hotspot, or a mobile network?
- What device do the users connect from?
- Where are the affected users located in relation to the Client VPN endpoint?
- What resources do users access when they experience packet loss, latency, or intermittent connectivity issues?
- Does the user still experience packet loss, latency, or intermittent connectivity issues to external resources when not connected to Client VPN?
Resolution
Review how users connect to the Client VPN endpoint
Users on a mobile network or Wi-Fi hotspot
Users might have a poor connection with a low signal. If a user accesses a hotspot in a shared location, then the user might experience bandwidth restrictions.
To troubleshoot this issue, have your users test connection speeds with a performance tool, such as the Speedtest website. It's a best practice to test from the same AWS Region as the Client VPN endpoint. Or, on Windows, macOS, or Linux-based systems, use ICMP to test connectivity to the default gateway.
Check the stability of a Wi-Fi hotspot connection:
ping <Default Gateway IP>
Note: Replace Default Gateway IP with the IP address of the default gateway.
If there's a poor connection or bandwidth constraints, then it's a best practice to connect with a faster or more stable connection.
Users in different geographic locations
Review where users are located in relation to your Client VPN endpoint. A geographically separated user might experience latency, packet loss, or intermittent connectivity to resources in the virtual private cloud (VPC) or over the internet.
If you don't require internet traffic to be forwarded over the VPC, then activate split-tunnel on the Client VPN endpoint.
Advanced troubleshooting for Windows
If the preceding methods don't resolve the issue, then have your users complete the following troubleshooting steps. These methods help remote users troubleshoot network connectivity issues between their local device and the Client VPN endpoints.
Find the Client VPN endpoint node IP addresses
- Open Command Prompt (cmd).
- Perform nslookup on your endpoint DNS URL:
nslookup cvpn-endpoint-0102bc4c2eEXAMPLE.clientvpn.us-west-2.amazonaws.com
If this command doesn't give you a resolution, then append a subdomain:
nslookup test.cvpn-endpoint-0102bc4c2eEXAMPLE.clientvpn.us-west-2.amazonaws.com
Use MTR
- Download and install WinMTR from the SourceForge website.
- For Host, enter the destination IP address, and then choose Start.
- Run the test for approximately 1 minute, and then choose Stop.
- Choose Copy text to clipboard, and then paste the output in a text file.
- Search the text file for any losses in the % column that are propagated to the destination.
- Review hops on the MTR reports. Start from the bottom of the report. For example, check for loss on the last hop or destination, and then review the preceding hops.
Note:
- Client VPN doesn't respond to ICMP. However, you can still use MTR to confirm that there's no packet loss on the intermediate ISP links.
- Ignore any hops with the No response from host message. This message indicates that these hops aren't responding to the ICMP probes.
Use tracert
To perform further tests, use the tracert command utility tool. Perform a tracert to the destination URL or IP address. Then, look for any hops that show a sudden spike in round-trip time (RTT). A sudden spike in RTT might indicate that there's a node with a high load. A node with a high load causes latency or packet drops in your traffic.
Example test that uses tracert:
tracert test.cvpn-endpoint-0102bc4c2eEXAMPLE.clientvpn.us-west-2.amazonaws.com
Advanced troubleshooting techniques for macOS and Linux
Find your Client VPN endpoint node IP addresses
- Open Terminal.
- Perform dig on your endpoint DNS URL:
dig cvpn-endpoint-0102bc4c2eEXAMPLE.clientvpn.us-west-2.amazonaws.com
If this command doesn't give you a resolution, then append a subdomain:
dig test.cvpn-endpoint-0102bc4c2eEXAMPLE.clientvpn.us-west-2.amazonaws.com
Use MTR
- Install MTR.
To install MTR on Red Hat-based Linux distributions, run this command:
sudo yum install mtr
To install MTR on Debian-based Linux distributions, run this command:
sudo apt-get install mtr
To install MTR on macOS, see macOS with Homebrew on the Homebrew website. Install Homebrew, and then run this command:
brew install mtr
- Run a TCP-based MTR:
mtr -n -T -P 443 -c 200 <Client VPN endpoint IP> --report
mtr -n -T -P 1194 -c 200 <Client VPN endpoint IP> --report
-or-
Run a UDP-based MTR:
mtr -n -u -P 443 -c 200 <Client VPN endpoint IP> --report
mtr -n -u -P 1194 -c 200 <Client VPN endpoint IP> --report
Note: Run the test based on the port that's configured on your Client VPN endpoint. If you find packet loss in your network, then refer to your vendor documentation for instructions on how to check network devices for analysis. Or, contact your ISP.
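The following script is an added example, not part of the AWS article, that ties the macOS and Linux steps above together: it resolves the endpoint name to its node IP addresses with dig (falling back to the test. subdomain), runs a TCP- or UDP-based mtr report against each node on the configured port, and reads the report from the bottom up to report the loss at the destination and the hop where that loss first appears. The endpoint name, the IP addresses in the embedded sample report, and the function names are constructed for illustration; mtr and dig are assumed to be installed for the live functions.

```shell
#!/bin/sh
# Added example (not from the AWS article). Assumes mtr and dig are installed.

# Resolve a Client VPN endpoint name to its node IPv4 addresses, one per line.
# Mirrors the dig step: if the bare name returns nothing, try the "test." subdomain.
resolve_endpoint_ips() {
    name="$1"
    ips=$(dig +short "$name" | grep -E '^[0-9.]+$')
    [ -z "$ips" ] && ips=$(dig +short "test.$name" | grep -E '^[0-9.]+$')
    printf '%s\n' "$ips"
}

# Run mtr in report mode against one node IP. proto is "tcp" or "udp";
# use the port configured on the endpoint (443 or 1194 in the article).
run_mtr() {
    proto="$1"; port="$2"; ip="$3"
    if [ "$proto" = tcp ]; then flag=-T; else flag=-u; fi
    mtr -n "$flag" -P "$port" -c 200 --report "$ip"
}

# Read an mtr --report on stdin and print "<dest_loss> <onset_hop>":
#   dest_loss  loss percentage at the last hop (the destination), or NA when
#              the destination never answered (expected with ICMP probes,
#              because Client VPN does not respond to ICMP)
#   onset_hop  earliest hop from which loss persists through to the destination
#              (0 when the destination shows no loss)
# Hops shown as ??? are skipped rather than counted, and loss at an
# intermediate hop that disappears at later hops is treated as that hop
# rate-limiting probes, not as a path problem.
classify_loss() {
    awk '
        /^ *[0-9]+\.\|--/ {
            n++
            if ($2 == "???") { l[n] = -1; next }
            loss = $3; sub(/%$/, "", loss)
            l[n] = loss + 0
        }
        END {
            if (n == 0 || l[n] < 0) { print "NA 0"; exit }
            dest = l[n]; first = 0
            if (dest > 0) {
                first = n
                for (i = n - 1; i >= 1; i--) {
                    if (l[i] < 0) continue      # unresponsive hop: ignore
                    if (l[i] > 0) first = i; else break
                }
            }
            printf "%.1f %d\n", dest, first
        }'
}

# Constructed sample report (addresses from documentation ranges). Hop 3 loses
# probes but hop 4 is clean, so that loss is not propagated; hops 5 and 6 carry
# the same 4.5% loss that reaches the destination.
sample_report() {
    cat <<'EOF'
HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%   200    1.2   1.1   0.9   5.3   0.3
  2.|-- ???                       100.0   200    0.0   0.0   0.0   0.0   0.0
  3.|-- 203.0.113.1               30.0%   200   15.0  15.2  14.1  30.0   1.0
  4.|-- 203.0.113.2                0.0%   200   16.0  16.1  15.0  22.0   0.8
  5.|-- 203.0.113.5                4.5%   200   20.1  21.0  19.5  40.2   2.1
  6.|-- 198.51.100.9               4.5%   200   22.0  22.9  21.0  41.1   2.0
EOF
}

# Live driver: resolve the endpoint and classify each node's path.
# Usage: troubleshoot_endpoint tcp 443 cvpn-endpoint-0102bc4c2eEXAMPLE.clientvpn.us-west-2.amazonaws.com
troubleshoot_endpoint() {
    proto="$1"; port="$2"; name="$3"
    resolve_endpoint_ips "$name" | while read -r ip; do
        [ -n "$ip" ] || continue
        result=$(run_mtr "$proto" "$port" "$ip" | classify_loss)
        printf '%s dest_loss=%s onset_hop=%s\n' "$ip" ${result}
    done
}
```

Run `sample_report | classify_loss` to see the parser output `4.5 5` for the constructed report, then call `troubleshoot_endpoint` with the protocol and port configured on your endpoint to apply the same reading to live paths; a non-zero onset hop inside your ISP's network is the hop to raise with the ISP, and loss that first appears only at the destination points at the last-mile or the endpoint side.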