How do I troubleshoot intermittent connectivity issues with Amazon VPC when I'm using Site-to-Site VPN?

Resolution

The following reasons can cause intermittent connectivity with Amazon VPC on Site-to-Site VPN connections:

• Your Amazon VPC and on-premises network have overlapping IP address ranges.
• Configuration or compatibility issues with VPN software and devices don't allow Site-to-Site VPN tunnels to establish a connection.
• There's a traffic routing issue.
• A customer gateway doesn't use a policy-based VPN to connect to a policy-based VPN endpoint.
• There's packet loss over the connection.

Overlapping IP address ranges

Make sure that your Amazon VPC and your on-premises network have separate IP address ranges.

Configuration or compatibility issues that prevent connections

Verify that Internet Key Exchange (IKE)/Phase 1 and Internet Protocol Security (IPsec)/Phase 2 can establish a connection. Then, verify that the customer gateway device allows the tunnels to establish connections.

Check for the following common errors on the customer gateway device:

• A Phase 1 or Phase 2 mismatch on the VPN tunnel causes a rekey issue.
• The Phase 1 and Phase 2 lifetime fields on the customer gateway don't match the AWS parameters.
  Note: The IKEv2 lifetime value field is independent of peers.
• The encryption domain or traffic selector doesn't include both the source and destination networks.
• A Site-to-Site VPN that's configured for static routing experiences asymmetric routing.

Make sure that the customer gateway device has one VPN connection. Then, verify that the VPN connection has redundancy with a second customer gateway device. For more information, see Site-to-Site VPN single and multiple VPN connection examples.

Traffic routing issues

For instructions on how to troubleshoot traffic routing issues, see How do I troubleshoot issues with traffic routing over Site-to-Site VPN?

Customer gateways that don't use policy-based Site-to-Site VPN endpoints

If your customer gateway device connects to a policy-based Site-to-Site VPN endpoint, then the device must use a policy-based Site-to-Site VPN connection. Limit the customer gateway device's configuration to one set of inbound and outbound security associations (SAs). For more information, see Static and dynamic configuration files for an AWS Site-to-Site VPN customer gateway device.

Note: For policy and route-based Site-to-Site VPN connections, AWS allows one set of inbound and outbound Phase 2 SAs for each Phase 1 SA.

Packet loss

For instructions on how to troubleshoot packet loss, see How do I troubleshoot packet loss on my AWS VPN connection?