How do I use the Site-to-Site VPN logs to check why my tunnel went down?


My AWS Site-to-Site VPN tunnel is down, and I can't access my resources from my on-premises network. I want to use the Site-to-Site VPN logs to check why my tunnel went down.

Resolution

Use tunnel activity logs to monitor Site-to-Site VPN tunnels. When you activate tunnel activity logs, you can use Amazon CloudWatch Logs to collect information about tunnel outages and other tunnel issues.

Make sure that you attach the required permissions to the AWS Identity and Access Management (IAM) role for your Site-to-Site VPN.

Note: VPN tunnel logs are available only after you activate VPN logging. If the tunnel flapped before you activated logging, then no log events exist for the time of the flap.

Collect timestamps that correspond with the outage

Complete the following steps:

  1. Open the CloudWatch console.
  2. Under Metrics, select All metrics.
  3. Choose VPN metrics.
  4. Choose VPN Tunnel Metrics.
  5. Select the IP address of the tunnel that experienced the outage.
  6. Select the TunnelState metric.
  7. Under Graphed metrics, select the following options:
    For Statistic, select Minimum.
    For Period, select Minute.
  8. Note the timestamp of the outage.

Review the tunnel activity logs

Complete the following steps:

  1. Open the CloudWatch console.
  2. In the navigation pane, choose Log groups.
  3. Select the log group that's associated with your Site-to-Site VPN.
  4. Select the log stream for the time period when the Site-to-Site VPN tunnel went down.
  5. Review the logs for errors and warnings to identify issues. For more information, see Site-to-Site VPN log contents.

The following examples are common errors that you might find in your tunnel activity logs.

DPD timeout

If the logs show the Peer is not responsive - Declaring peer dead event, then you experienced a dead peer detection (DPD) timeout. By default, Site-to-Site VPN sends a DPD R_U_THERE message to the customer gateway. After three successive messages without response, Site-to-Site VPN considers the peer dead and closes the tunnel. To help resolve the issue, you must also gather the debug logs from the customer gateway. For information about the causes of DPD timeout, see How do I troubleshoot AWS VPN tunnel inactivity or tunnel down on my customer gateway device?

Customer gateway deletion

If the logs show the AWS tunnel received DELETE event, then the customer gateway sent the Site-to-Site VPN a message to delete the tunnel. Use the customer gateway logs to identify why the customer gateway sent the delete message.

Tunnel establishment issues

If your tunnel doesn't establish when you set it up, then review the tunnel activity logs to identify the issue.

Example logs:

{
  "event_timestamp": 1723999332,
  "details": "AWS tunnel is evaluating proposals received from CGW",
  "dpd_enabled": true,
  "nat_t_detected": false,
  "ike_phase1_state": "down",
  "ike_phase2_state": "down"
}

{
  "event_timestamp": 1723999332,
  "details": "AWS tunnel is processing proposals to find a matching configuration",
  "dpd_enabled": true,
  "nat_t_detected": false,
  "ike_phase1_state": "down",
  "ike_phase2_state": "down"
}

{
  "event_timestamp": 1723999332,
  "details": "No Proposal Match Found by AWS",
  "dpd_enabled": true,
  "nat_t_detected": false,
  "ike_phase1_state": "down",
  "ike_phase2_state": "down"
}

In the preceding example, the details field shows that the IKE proposals (algorithm suites) offered by the customer gateway (CGW) don't match any that the AWS tunnel accepts, so IKE phase 1 never comes up. To resolve this issue, make sure that the customer gateway presents an algorithm suite that the tunnel supports. For a list of supported algorithms, see Tunnel options for your AWS Site-to-Site VPN connection.
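The three error patterns above (DPD timeout, customer gateway DELETE, and no proposal match) can be picked out of an exported log stream mechanically instead of by scrolling. The following Python script is an added example written for this article, not AWS code: it parses tunnel activity events (one per line or pretty-printed as shown above), keeps only those within a window around the outage timestamp you noted from the TunnelState metric, maps the "details" strings this article names to a triage category, and reports where IKE phase 1 or phase 2 went from up to down. The sample events, the window sizes and the category names are constructed assumptions; the field names follow the examples on this page.

```python
import json
from datetime import datetime, timezone

# Constructed sample events, modelled on the field names and "details" wording
# shown in this article. Values are illustrative, not captured from a real tunnel.
SAMPLE_LOG = """
{
 "event_timestamp": 1723999332,
 "details": "AWS tunnel is evaluating proposals received from CGW",
 "dpd_enabled": true, "nat_t_detected": false,
 "ike_phase1_state": "down", "ike_phase2_state": "down"
}
{"event_timestamp": 1723999332, "details": "No Proposal Match Found by AWS",
 "dpd_enabled": true, "nat_t_detected": false,
 "ike_phase1_state": "down", "ike_phase2_state": "down"}
{"event_timestamp": 1724002800, "details": "AWS tunnel received DELETE",
 "dpd_enabled": true, "nat_t_detected": false,
 "ike_phase1_state": "up", "ike_phase2_state": "up"}
{"event_timestamp": 1724002801, "details": "AWS tunnel is evaluating proposals received from CGW",
 "dpd_enabled": true, "nat_t_detected": false,
 "ike_phase1_state": "down", "ike_phase2_state": "down"}
{"event_timestamp": 1724006400, "details": "Peer is not responsive - Declaring peer dead",
 "dpd_enabled": true, "nat_t_detected": false,
 "ike_phase1_state": "up", "ike_phase2_state": "up"}
"""

# "details" substrings named in this article, mapped to a triage category
# (constructed names) and the follow-up action the article recommends.
KNOWN_EVENTS = {
    "Peer is not responsive - Declaring peer dead":
        ("dpd_timeout", "DPD timeout: gather debug logs from the customer gateway"),
    "AWS tunnel received DELETE":
        ("cgw_delete", "Customer gateway sent DELETE: check CGW logs for the reason"),
    "No Proposal Match Found by AWS":
        ("proposal_mismatch", "IKE proposal mismatch: align the CGW algorithm suite with the tunnel options"),
}


def parse_events(text):
    """Parse a stream of JSON objects, whether one per line or pretty-printed
    across several lines, as console exports often are."""
    decoder = json.JSONDecoder()
    events, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():  # skip gaps between objects
            pos += 1
        if pos >= len(text):
            break
        obj, pos = decoder.raw_decode(text, pos)
        events.append(obj)
    return events


def classify(event):
    """Return (category, action) for an event this article explains, else None."""
    details = event.get("details", "")
    for marker, result in KNOWN_EVENTS.items():
        if marker in details:
            return result
    return None


def phase_transitions(events):
    """Timestamps at which IKE phase 1 or phase 2 went from up to down; these are
    the moments that show up as a TunnelState drop in CloudWatch."""
    drops, prev = [], None
    for ev in sorted(events, key=lambda e: e["event_timestamp"]):
        if prev is not None:
            for phase in ("ike_phase1_state", "ike_phase2_state"):
                if prev.get(phase) == "up" and ev.get(phase) == "down":
                    drops.append((ev["event_timestamp"], phase))
        prev = ev
    return drops


def triage(text, outage_ts, before=600, after=60):
    """Explained events within [outage_ts - before, outage_ts + after], where
    outage_ts is the epoch time noted from the TunnelState graph."""
    findings = []
    for ev in parse_events(text):
        ts = ev["event_timestamp"]
        if not (outage_ts - before <= ts <= outage_ts + after):
            continue
        hit = classify(ev)
        if hit:
            when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
            findings.append({"time": when, "category": hit[0],
                             "action": hit[1], "details": ev["details"]})
    return findings


if __name__ == "__main__":
    # Outage timestamp as noted from the TunnelState metric (constructed value).
    for f in triage(SAMPLE_LOG, outage_ts=1724002800):
        print(f["time"], f["category"], "-", f["action"])
    for ts, phase in phase_transitions(parse_events(SAMPLE_LOG)):
        print("phase drop:", phase, "at", ts)
```

To run this against real data, paste the exported events from the log stream into SAMPLE_LOG (or read them from a file) and pass the epoch timestamp you recorded from the TunnelState graph as outage_ts. Events that fall outside the window, or that are routine negotiation chatter, are deliberately dropped so that the output is only the events this article tells you how to act on.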

Check your Site-to-Site VPN configuration, network settings, and firewall rules

If you still can't determine the issue, then verify that your Site-to-Site VPN configuration, network settings, or firewall rules aren't causing the tunnel outage. You might need to work with your IT team, network administrator, or internet service provider (ISP) to troubleshoot the issue.

Related information

Monitor AWS Site-to-Site VPN tunnels using Amazon CloudWatch

How do I use the AWSSupport-TroubleshootVPN runbook to resolve AWS Site-to-Site VPN issues?

Setting up of AWS Site-to-Site VPN automated monitoring solution