Why can't I ping or RDP into my Windows or Linux instance when using an AWS Site-to-Site VPN?


I can't access my Amazon Elastic Compute Cloud (Amazon EC2) instances when using an AWS Site-to-Site VPN connection.

Resolution

If you have a Site-to-Site VPN connection but can't ping, RDP, or SSH into a Windows or Linux EC2 instance over it, then follow these troubleshooting steps:

  • Make sure that your instance is running by checking the instance status.

  • Use the AWS VPN console to check your Site-to-Site VPN connection status. Confirm that the status of the tunnel is UP. If your connection is DOWN, then review the troubleshooting steps for phase 1 and phase 2 failures to resolve the connection downtime.

  • For Windows instances, verify that RDP port 3389 is allowed by your AWS security group, network ACL, OS firewall, and antivirus software. For Linux instances, confirm the same for SSH port 22. To activate inbound SSH, RDP, or ICMP access, see Control traffic to resources using security groups and Control traffic to subnets using Network ACLs.

  • Verify that the route tables that are specified in your instances are correct. Make sure that you have a return route for the destination CIDR or on-premises network. Confirm that this return route points to either a transit gateway (TGW) or virtual private gateway (VGW). Confirm that this TGW or VGW is attached to your Site-to-Site VPN.

  • If your customer gateway device implements a policy-based VPN, then make sure that the device negotiates a single Security Association (SA). AWS limits the number of security associations to a single pair. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

  • You might be using an Active/Active configuration. This means that both of your tunnels are up, and your Site-to-Site VPN terminates on a VGW or TGW with ECMP turned off. In this use case, AWS assigns one active tunnel as the preferred VPN tunnel for sending traffic from AWS to the on-premises network. When you use Active/Active configurations, the customer gateway must have asymmetric routing activated on the virtual tunnel interfaces. For more information, see How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?

  • Confirm that there are no firewalls at the OS level that are blocking inbound or outbound traffic. For Windows instances, open a command prompt, and then run the WF.msc command. For Linux instances, from the terminal, run the iptables command with the appropriate arguments.

  • If you're using a VPN with dynamic routing, then make sure that you're announcing the correct on-premises prefixes to AWS.

  • If you're using a static VPN, then make sure that you've configured the correct static route for your Site-to-Site VPN. Log in to the AWS VPN console, and then under static routes, check the target network of your Site-to-Site VPN.

  • If you're using a static VPN, then check your customer gateway device. Make sure that you've configured a static route pointing to the destination AWS Virtual Private Cloud (AWS VPC) CIDR on the device.

  • If you're using an accelerated VPN, then check that NAT is turned on, and that traffic is using UDP 4500. This is required for traffic to flow. If NAT isn't turned on, the tunnel comes up but no traffic passes.

    Note: Be aware of the rules for using an accelerated VPN connection.
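The cloud-side checks in the steps above (tunnel status, security group, network ACL, and return route) can be evaluated offline against the JSON that the EC2 `describe-vpn-connections`, `describe-security-groups`, `describe-network-acls`, and `describe-route-tables` calls return. The script below is an added example, not an AWS tool: it encodes each check as a function, applies them for a Windows (TCP 3389) or Linux (TCP 22) instance, and lists the steps that fail. The on-premises CIDR `10.10.0.0/16`, the gateway IDs, and all sample responses are constructed; the field names follow the public API response shape.

```python
"""Offline checks for the Site-to-Site VPN reachability steps (added example)."""
import ipaddress

# Constructed values for the example; substitute your own on-premises CIDR.
ON_PREM = ipaddress.ip_network("10.10.0.0/16")
PORTS = {"windows": 3389, "linux": 22}


def _covers(cidr, net):
    """True if the rule's CIDR contains the whole on-premises network."""
    return net.subnet_of(ipaddress.ip_network(cidr))


def tunnel_is_up(vpn_connection):
    """Step 2: at least one tunnel in VgwTelemetry reports UP."""
    return any(t.get("Status") == "UP" for t in vpn_connection.get("VgwTelemetry", []))


def sg_allows(security_group, port, src=ON_PREM):
    """Step 3: an inbound rule for TCP `port` (or all traffic) from the on-prem CIDR."""
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        port_ok = proto == "-1" or (
            proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"])
        if port_ok and any(_covers(r["CidrIp"], src) for r in perm.get("IpRanges", [])):
            return True
    return False


def _nacl_decision(entries, egress, port, cidr):
    """Network ACL entries apply in RuleNumber order; first match wins, else deny."""
    for e in sorted(entries, key=lambda x: x["RuleNumber"]):
        if e["Egress"] != egress or not _covers(e["CidrBlock"], cidr):
            continue
        pr = e.get("PortRange", {"From": 0, "To": 65535})
        if e["Protocol"] == "-1" or (e["Protocol"] == "6" and pr["From"] <= port <= pr["To"]):
            return e["RuleAction"] == "allow"
    return False


def nacl_allows(nacl, port, src=ON_PREM):
    """Step 3: the ACL is stateless, so inbound TCP `port` from on-prem must be allowed
    AND the reply traffic to the ephemeral range (1024-65535) must be allowed outbound."""
    entries = nacl.get("Entries", [])
    inbound = _nacl_decision(entries, False, port, src)
    outbound = all(_nacl_decision(entries, True, p, src) for p in (1024, 65535))
    return inbound and outbound


def has_return_route(route_table, dest=ON_PREM):
    """Step 4: an active route covering the on-prem CIDR whose target is a VGW or TGW."""
    for route in route_table.get("Routes", []):
        if "DestinationCidrBlock" not in route or route.get("State", "active") != "active":
            continue
        target = route.get("GatewayId") or route.get("TransitGatewayId") or ""
        if _covers(route["DestinationCidrBlock"], dest) and target.startswith(("vgw-", "tgw-")):
            return True
    return False


def find_failures(vpn, sg, route_table, nacl, os_type):
    """Return the troubleshooting steps that fail for a 'windows' or 'linux' instance."""
    port = PORTS[os_type]
    checks = [
        ("VPN tunnel status is not UP", tunnel_is_up(vpn)),
        (f"security group does not allow TCP {port} from {ON_PREM}", sg_allows(sg, port)),
        (f"network ACL blocks TCP {port} or the ephemeral return ports", nacl_allows(nacl, port)),
        (f"route table has no return route to {ON_PREM} via a VGW/TGW", has_return_route(route_table)),
    ]
    return [msg for msg, ok in checks if not ok]


# Constructed sample data shaped like the describe-* API responses (not from a real account).
SAMPLE_VPN = {"VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                               {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN"}]}
SAMPLE_SG = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "192.168.1.0/24"}]},
]}
SAMPLE_NACL = {"Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]}
SAMPLE_RT = {"Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "vgw-0123456789abcdef0", "State": "active"},
]}

if __name__ == "__main__":
    for kind in ("linux", "windows"):
        print(kind, find_failures(SAMPLE_VPN, SAMPLE_SG, SAMPLE_RT, SAMPLE_NACL, kind) or "all checks pass")
```

With the sample data, the Linux checks all pass, while the Windows check reports only the security group, because its RDP rule is scoped to a different CIDR than the on-premises network. The network ACL check deliberately tests the outbound ephemeral range as well, since a stateless ACL that only allows the inbound port will still drop the replies.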

Related Information

How do I troubleshoot Remote Desktop Connection issues to my Amazon EC2 Windows instance?

AWS OFFICIAL, updated a year ago