How do I troubleshoot Direct Connect and VPN failover issues?

I want to troubleshoot my AWS Direct Connect and VPN failover issues.

Resolution

Troubleshoot your AWS Direct Connect and VPN failover issues based on which VPN you're using:

  • Virtual gateway-based VPN
  • AWS Transit Gateway-based VPN

Virtual gateway-based VPN

Traffic from AWS to on-premises prefers Direct Connect over dynamic or static VPN connections. Your traffic can fail to switch over to the VPN for the following reasons:

BGP-based VPN

  • The customer gateway isn't advertising the on-premises prefix from the BGP session on the VPN tunnel.
  • The customer gateway is filtering the prefix advertised over the VPN BGP session.
  • The firewall policy doesn't allow inbound or outbound traffic between AWS and on-premises.
  • For VPN connections with both tunnels up (Active/Active), check if the customer gateway supports asymmetric routing. AWS randomly chooses the egress tunnel if you're advertising the same prefixes. For more information, see How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?
  • A static route on the customer gateway for the AWS network points to the Direct Connect peer instead of relying on BGP routes. A static route isn't withdrawn when the Direct Connect BGP session goes down, so traffic keeps being sent into the failed path.

Static VPN

  • The VPN connection doesn't have a static route for the on-premises network added under the VPN connection route.
  • The customer gateway doesn't have a static route for the AWS CIDR that points to the tunnel interface. If there is a static route for the AWS network, then make sure that it points to the correct tunnel interface. If you're using a policy-based VPN, then make sure that the policy matches the AWS and on-premises networks.
  • The firewall policy doesn't allow inbound or outbound traffic between AWS and on-premises.
  • For VPN connections with both tunnels up (Active/Active), check if the customer gateway supports asymmetric routing. AWS randomly chooses the egress tunnel if you're advertising the same prefixes. For more information, see How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?

Virtual private gateway

For a VPN as a backup of Direct Connect that terminates on a virtual private gateway, make sure of the following:

  • For dynamic (BGP-based) VPNs, advertise the same prefix over the VPN and Direct Connect. AWS prefers Direct Connect. On the on-premises device, make sure that Direct Connect is preferred as the egress path toward AWS.
  • For static VPNs, use the same static route for the on-premises network as the route that the customer gateway advertises over Direct Connect. Virtual private gateways prefer Direct Connect as the egress path to on-premises. On the customer gateway, make the static route for the Amazon Virtual Private Cloud (Amazon VPC) CIDR that points to the VPN tunnel less specific than the route learned over Direct Connect. Static routes have a lower administrative distance than BGP routes, so a static route with the same prefix length would always win over the Direct Connect route, even while Direct Connect is up.

Note: For virtual private gateway-based VPNs, AWS advertises its routes over the two VPN tunnels with MED values of 100 and 200, and over Direct Connect with a MED value of 0. If there is no import filter that changes the received routes, then the customer gateway prefers Direct Connect because of its lower MED.
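The customer-gateway side of the virtual private gateway scenario above, as an added example (not code from this article and not an AWS tool): a small route-selection model that applies longest prefix match first, then administrative distance, then MED, and runs the three cases the section describes. The administrative distances (static 1, eBGP 20), the route names, and the sample CIDRs are assumptions; local preference and AS path are treated as equal because both the Direct Connect and the VPN routes come from the same AWS-side ASN.

```python
"""Customer-gateway path selection toward AWS with Direct Connect as primary and a
virtual-private-gateway VPN as backup. Added example; not from the AWS article.

Assumed selection order: longest prefix match, then lowest administrative distance
(static 1, eBGP 20, Cisco-like defaults), then lowest MED among BGP routes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ADMIN_DISTANCE = {"static": 1, "bgp": 20}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.0.0.0/16"
    next_hop: str    # "dx", "vpn-tunnel1" or "vpn-tunnel2" (assumed names)
    source: str      # "static" or "bgp"
    med: int = 0     # only meaningful for BGP routes


def best_route(rib: List[Route], dest: str) -> Optional[Route]:
    """Pick the route used for dest from the customer gateway's RIB."""
    addr = ip_address(dest)
    cands = [r for r in rib if addr in ip_network(r.prefix)]
    if not cands:
        return None
    # 1. longest prefix match
    longest = max(ip_network(r.prefix).prefixlen for r in cands)
    cands = [r for r in cands if ip_network(r.prefix).prefixlen == longest]
    # 2. lowest administrative distance (static beats BGP)
    best_ad = min(ADMIN_DISTANCE[r.source] for r in cands)
    cands = [r for r in cands if ADMIN_DISTANCE[r.source] == best_ad]
    # 3. lowest MED among the survivors (all BGP by this point, or a single static)
    return min(cands, key=lambda r: r.med)


def egress(rib: List[Route], dest: str) -> Optional[str]:
    r = best_route(rib, dest)
    return r.next_hop if r else None


# Constructed sample: one VPC CIDR advertised by AWS over all three paths.
VPC = "10.0.0.0/16"
DX_BGP = Route(VPC, "dx", "bgp", med=0)            # Direct Connect, MED 0
VPN_T1 = Route(VPC, "vpn-tunnel1", "bgp", med=100)  # VPN tunnel 1, MED 100
VPN_T2 = Route(VPC, "vpn-tunnel2", "bgp", med=200)  # VPN tunnel 2, MED 200


def dynamic_vpn_backup() -> Tuple[Optional[str], Optional[str]]:
    """BGP VPN: same prefix everywhere, MED selects Direct Connect; when the Direct
    Connect BGP session drops, tunnel 1 (lower MED) takes over."""
    steady = egress([DX_BGP, VPN_T1, VPN_T2], "10.0.1.10")
    failed_over = egress([VPN_T1, VPN_T2], "10.0.1.10")  # DX routes withdrawn
    return steady, failed_over


def static_vpn_misconfigured() -> Optional[str]:
    """Static route for the exact VPC CIDR toward the tunnel: administrative distance 1
    beats the Direct Connect BGP route, so Direct Connect is never used while up."""
    rib = [DX_BGP, Route(VPC, "vpn-tunnel1", "static")]
    return egress(rib, "10.0.1.10")


def static_vpn_correct() -> Tuple[Optional[str], Optional[str]]:
    """Less specific static route (/15 covering the /16) toward the tunnel: Direct
    Connect wins by longest match, and the VPN carries traffic only once the Direct
    Connect route disappears."""
    backup = Route("10.0.0.0/15", "vpn-tunnel1", "static")
    return egress([DX_BGP, backup], "10.0.1.10"), egress([backup], "10.0.1.10")


if __name__ == "__main__":
    print("dynamic VPN (steady, failed over):", dynamic_vpn_backup())
    print("static VPN, same prefix length:   ", static_vpn_misconfigured())
    print("static VPN, less specific:        ", static_vpn_correct())
```

Note that the static misconfiguration is invisible while Direct Connect is up only if you look at BGP state; the forwarding table already points at the tunnel. Checking the installed route for the VPC CIDR (not just the BGP table) is the quickest way to catch it.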

Transit Gateway-based VPN

Direct Connect attached to a transit gateway goes through a Direct Connect gateway, and the routes advertised to on-premises are limited to the allowed prefixes configured on the association (a maximum of 200 prefixes). For dynamic VPNs, the transit gateway advertises the routes in the transit gateway route table associated with the VPN attachment. As a result, the customer gateway receives the specific VPC prefixes over the VPN connection but only the allowed prefixes over Direct Connect, so by longest prefix match it prefers the VPN tunnel for AWS prefixes even though Direct Connect has the lower MED.

Your traffic can fail to switch over for the following reasons:

BGP-based VPN

  • The customer gateway isn't advertising the on-premises prefix from the BGP session on the VPN tunnel.
  • The customer gateway is filtering the prefix advertised over the VPN BGP session.
  • The Transit Gateway route table associated with the source attachment (for example, the VPC attachment) has no route for the on-premises prefix through the VPN attachment, because the VPN attachment's routes aren't propagated or statically added to that table.
  • The firewall policy doesn't allow inbound or outbound traffic between AWS and on-premises.
  • For VPN connections with both tunnels up (Active/Active), check if the customer gateway supports asymmetric routing. AWS randomly chooses the egress tunnel if you're advertising the same prefixes. For more information, see How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?
  • A static route for the AWS network points to the Direct Connect peer instead of relying on BGP routes.

Static VPN

  • The VPN connection doesn't have a static route for the on-premises network added under the Transit Gateway route table pointing to the VPN connection attachment.
  • The customer gateway doesn't have a static route for the AWS CIDR that points to the tunnel interface. If there is a static route for the AWS network, then make sure it points to the correct tunnel interface. If you're using a policy-based VPN, then make sure the policy matches the AWS and on-premises networks.
  • The firewall policy doesn't allow inbound or outbound traffic between AWS and on-premises.
  • For accelerated VPNs, make sure that NAT-T is turned on. For more information, see How can I troubleshoot issues with Accelerated VPN?
  • For VPN connections with both tunnels up (Active/Active), check if the customer gateway supports asymmetric routing. AWS randomly chooses the egress tunnel if you're advertising the same prefixes. For more information, see How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?

Transit Gateway

For a VPN as a backup of Direct Connect that terminates on a Transit Gateway, make sure of the following:

  • For dynamic (BGP-based) VPNs, advertise the same prefix over the VPN and Direct Connect. AWS prefers Direct Connect. On the on-premises device, filter the specific routes learned over the VPN connection so that they don't win by longest prefix match, and make sure that traffic egressing the customer gateway prefers Direct Connect over the VPN connection.
  • For static VPNs, on the AWS side add a less specific static route for the on-premises network to the Transit Gateway route table, pointing to the VPN attachment. The transit gateway prefers static routes over routes propagated from Direct Connect, so a static route that is as specific as the propagated route sends egress traffic toward the customer gateway over the VPN even while Direct Connect is up. A less specific static route loses to the propagated route by longest prefix match and is used only when the Direct Connect route is withdrawn. On the on-premises side, make sure that the static route for the Amazon VPC CIDR toward the tunnel is less specific than the Direct Connect route, because static routes have a lower administrative distance than BGP routes.

Note: For Transit Gateway-based VPN connections, AWS advertises its routes with a MED value of 100 on both VPN tunnels, and over Direct Connect with a MED value of 0. If there is no import filter that changes the received routes and the prefixes are the same, then the customer gateway prefers Direct Connect because of its lower MED.
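The AWS side of the Transit Gateway scenario, as an added example (not code from this article and not an AWS tool): a model of transit gateway route table evaluation that runs the static-route cases from the list above, plus a check for the condition described at the top of this section, where the VPN advertises more specific prefixes than the Direct Connect gateway allowed prefixes. The evaluation order is assumed from the transit gateway route table documentation (longest prefix match, then static over propagated, then the propagated attachment-type order vpc, direct-connect-gateway, connect, vpn, peering); the attachment names, route table contents and CIDRs are constructed sample data.

```python
"""Transit gateway egress selection and VPN advertisement check. Added example;
not from the AWS article.

Assumed route evaluation order: longest prefix match, then static routes over
propagated routes, then among propagated routes the attachment-type priority below.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROPAGATED_PRIORITY = {"vpc": 0, "direct-connect-gateway": 1, "connect": 2, "vpn": 3, "peering": 4}


@dataclass(frozen=True)
class TgwRoute:
    prefix: str       # e.g. "192.168.10.0/24"
    attachment: str   # key of PROPAGATED_PRIORITY (assumed names)
    kind: str         # "static" or "propagated"


def tgw_select(table: List[TgwRoute], dest: str) -> Optional[TgwRoute]:
    """Pick the transit gateway route table entry used for dest."""
    addr = ip_address(dest)
    cands = [r for r in table if addr in ip_network(r.prefix)]
    if not cands:
        return None
    longest = max(ip_network(r.prefix).prefixlen for r in cands)
    cands = [r for r in cands if ip_network(r.prefix).prefixlen == longest]
    # static before propagated, then propagated attachment-type priority
    return min(cands, key=lambda r: (0 if r.kind == "static" else 1, PROPAGATED_PRIORITY[r.attachment]))


def tgw_egress(table: List[TgwRoute], dest: str) -> Optional[str]:
    r = tgw_select(table, dest)
    return r.attachment if r else None


# Constructed sample: on-premises /24 learned over Direct Connect via the DX gateway.
ONPREM = "192.168.10.0/24"
DX_PROPAGATED = TgwRoute(ONPREM, "direct-connect-gateway", "propagated")


def static_vpn_same_specificity() -> Optional[str]:
    """Static VPN route as specific as the propagated Direct Connect route: the static
    route wins, so egress to on-premises uses the VPN while Direct Connect is healthy."""
    table = [DX_PROPAGATED, TgwRoute(ONPREM, "vpn", "static")]
    return tgw_egress(table, "192.168.10.5")


def static_vpn_less_specific() -> Tuple[Optional[str], Optional[str]]:
    """Less specific static VPN route: Direct Connect wins by longest match; when the
    propagated route is withdrawn, the static VPN route carries the traffic."""
    backup = TgwRoute("192.168.0.0/16", "vpn", "static")
    return tgw_egress([DX_PROPAGATED, backup], "192.168.10.5"), tgw_egress([backup], "192.168.10.5")


def vpn_advertised_prefixes(vpn_route_table: List[TgwRoute]) -> List[str]:
    """A dynamic VPN advertises the routes in the route table it is associated with
    (routes that point back at the VPN attachment itself are not advertised)."""
    return sorted(r.prefix for r in vpn_route_table if r.attachment != "vpn")


def more_specific_over_vpn(dx_advertised: List[str], vpn_advertised: List[str]) -> List[str]:
    """VPN-learned prefixes that are strict subnets of a Direct Connect-learned prefix.
    The customer gateway prefers these by longest match regardless of MED, which is the
    asymmetric routing condition this section warns about."""
    dx = [ip_network(p) for p in dx_advertised]
    return [p for p in vpn_advertised
            if any(ip_network(p) != d and ip_network(p).subnet_of(d) for d in dx)]


def asymmetric_routing_check() -> List[str]:
    """Route table associated with the VPN attachment holds two propagated VPC /24s,
    while the DX gateway association only allows the /16 summary."""
    vpn_table = [TgwRoute("10.0.1.0/24", "vpc", "propagated"),
                 TgwRoute("10.0.2.0/24", "vpc", "propagated")]
    dx_allowed = ["10.0.0.0/16"]  # allowed prefixes on the DX gateway association
    return more_specific_over_vpn(dx_allowed, vpn_advertised_prefixes(vpn_table))


if __name__ == "__main__":
    print("static VPN, same prefix length:", static_vpn_same_specificity())
    print("static VPN, less specific:     ", static_vpn_less_specific())
    print("VPN prefixes beating DX by LPM:", asymmetric_routing_check())
```

An empty result from the last check means the customer gateway sees the same prefixes on both paths and MED (0 for Direct Connect, 100 for both tunnels) decides; any prefix it lists will be routed over the VPN on-premises until it is filtered or Direct Connect advertises an equally specific route.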

Related information

How can I resolve asymmetric routing issues when I create a VPN as a backup to Direct Connect in a transit gateway?

How do I configure Direct Connect and VPN failover with Transit Gateway?

I have a primary connection Direct Connect gateway with a backup VPN connection. Why is traffic prioritizing the backup connection?

AWS OFFICIAL. Updated 10 months ago.