
How can I troubleshoot issues with my accelerated Site-to-Site VPN connection?


I want to troubleshoot issues with my accelerated AWS Site-to-Site VPN connection.

Resolution

Note: Site-to-Site VPN supports acceleration only for connections that you attach to a transit gateway. Virtual private gateways and AWS Direct Connect public virtual interfaces don't support accelerated VPN connections.

Check firewall configuration requirements

Confirm that your firewall configuration meets all requirements. For more information, see Firewall rules for an AWS Site-to-Site VPN customer gateway device.

Verify NAT-traversal activation on the customer gateway device

Accelerated Site-to-Site VPN connections require NAT-traversal. On customer gateway devices, NAT-traversal is activated by default. If you downloaded a configuration file from the Amazon Virtual Private Cloud (Amazon VPC) console, then check the NAT-traversal setting on your customer gateway device. If NAT-traversal isn't active, then activate it.

Note: When you deactivate NAT-traversal on the customer gateway device, the tunnel establishes a connection. However, encapsulating security payload traffic drops, and data doesn't pass through the tunnel. For more information, see AWS Site-to-Site VPN customer gateway devices.

Confirm that the lifetime parameters match

For accelerated Site-to-Site VPN connections, the customer gateway device must initiate and rekey the Site-to-Site VPN connection. AWS doesn't initiate connections to accelerated Site-to-Site VPN endpoints.

To prevent tunnel disruptions during a rekey, check that your Internet Key Exchange (IKE) tunnel's lifetime parameters match your Site-to-Site VPN settings. By default, the IKE tunnel settings for your Site-to-Site VPN are:

  • 28,800 seconds (8 hours) for phase 1
  • 3,600 seconds (1 hour) for phase 2

If the parameters don't match, then change the Site-to-Site VPN parameters to match your IKE tunnel parameters.

Confirm the connection's compatibility with Global Accelerator

AWS Global Accelerator supports limited packet fragmentation. If your Site-to-Site VPN connection uses certificate-based authentication, then it might not be compatible with Global Accelerator.

On your customer gateway device, set your maximum transmission unit (MTU) value to 1399 bytes or lower and configure TCP maximum segment size (MSS) clamping. For more information, see Best practices for an AWS Site-to-Site VPN customer gateway device.

If your accelerated Site-to-Site VPN connection must use certificate-based authentication, then your customer gateway device must support IKE fragmentation. Review your customer gateway device's documentation to confirm whether it supports IKE fragmentation. If the documentation isn't clear, then contact your customer gateway device vendor. If your customer gateway device doesn't support IKE fragmentation, then don't activate acceleration for your Site-to-Site VPN connection. For more information, see How AWS Global Accelerator works.

Confirm that you use the correct Global Accelerator endpoint

Global Accelerator routes traffic over the AWS global network infrastructure, and provides static IP addresses that the AWS edge network anycasts as fixed entry points. When you connect to a sub-optimal endpoint, your latency and round-trip times increase. For more information, see AWS Global Accelerator components.

To check your Global Accelerator endpoint, view your Global Accelerator diagnostics from the public IP address that your Site-to-Site VPN connection uses. Review your Location. A geographically close Location is preferable to a distant one. If your endpoint isn't optimal, then update your endpoint group to use a higher traffic dial percentage, and verify that you correctly configured health checks.

Confirm path details towards the Global Accelerator endpoint

If your internet service provider (ISP) routes traffic through a sub-optimal path to reach your Global Accelerator endpoints, then you experience added latency. Use the traceroute command to validate the path and latency to your endpoint.

For Windows:

tracert Example_VPN_Global_Accelerator_endpoint_IP_address

For Linux:

traceroute Example_VPN_Global_Accelerator_endpoint_IP_address

Note: Replace Example_VPN_Global_Accelerator_endpoint_IP_address with the IP address for your Site-to-Site VPN connection's Global Accelerator endpoint.

Review the output for unexpected routing or high latency hops that indicate path issues.
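The following script is an added example, not part of the original article, that automates the review step above for Linux traceroute output. It parses a constructed sample trace (documentation addresses only) and flags hops that did not reply and hops whose best round-trip time jumps by more than an assumed threshold over the previous responsive hop; the threshold and the sample are assumptions.

```python
"""Flag unresponsive or high-latency hops in Linux traceroute output."""
import re

JUMP_MS = 50.0  # assumed threshold; tune for the path length you expect

# Constructed sample of `traceroute <Global Accelerator endpoint IP>` output.
# All addresses are documentation placeholders, not real endpoints.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.512 ms  0.498 ms  0.471 ms
 2  10.0.0.1 (10.0.0.1)  8.123 ms  8.001 ms  7.990 ms
 3  * * *
 4  198.51.100.7 (198.51.100.7)  95.310 ms  96.002 ms  94.880 ms
 5  203.0.113.10 (203.0.113.10)  96.100 ms  95.900 ms  96.300 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")   # hop number, then the rest
RTT_RE = re.compile(r"([\d.]+) ms")          # each probe's RTT


def parse_hops(text):
    """Return [(hop_number, first_host_or_None, best_rtt_ms_or_None), ...]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # the "traceroute to ..." header line
        rest = m.group(2)
        rtts = [float(v) for v in RTT_RE.findall(rest)]
        host = rest.split()[0] if rtts else None
        # Use the best (minimum) RTT per hop: it is the least noisy estimate.
        hops.append((int(m.group(1)), host, min(rtts) if rtts else None))
    return hops


def flag_hops(text, jump_ms=JUMP_MS):
    """Return (hop_number, reason) for hops that deserve a closer look."""
    flagged = []
    prev = None  # best RTT of the previous responsive hop
    for num, _host, rtt in parse_hops(text):
        if rtt is None:
            flagged.append((num, "no reply"))
            continue
        if prev is not None and rtt - prev > jump_ms:
            flagged.append((num, f"+{rtt - prev:.1f} ms over previous hop"))
        prev = rtt
    return flagged
```

A "no reply" hop is often just an ICMP-filtering router; the latency jump is the stronger signal of a sub-optimal path to the endpoint.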

Confirm that you correctly configured acceleration

You can't activate or deactivate acceleration for an existing Site-to-Site VPN connection. To activate acceleration, complete the following steps:

  1. Create a new Site-to-Site VPN connection that's configured to match your requirements. When you do, select Enable acceleration.
  2. Configure your customer gateway device to use the new Site-to-Site VPN connection.
  3. Delete the previous Site-to-Site VPN connection.
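As an added example (not AWS's own tooling), the script below audits the output of `aws ec2 describe-vpn-connections` against three points from this article: acceleration is enabled, the connection is attached to a transit gateway rather than a virtual private gateway, and each tunnel's IKE phase 1 and phase 2 lifetimes equal the values configured on the customer gateway device. The JSON sample is constructed, with placeholder IDs; the device-side lifetimes are passed in as parameters.

```python
"""Audit accelerated Site-to-Site VPN settings from describe-vpn-connections JSON."""
import json

# Constructed sample of describe-vpn-connections output; IDs are placeholders.
# The second tunnel deliberately carries a non-default phase 2 lifetime.
SAMPLE_OUTPUT = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-EXAMPLE1",
        "CustomerGatewayId": "cgw-EXAMPLE1",
        "TransitGatewayId": "tgw-EXAMPLE1",
        "State": "available",
        "Options": {
            "EnableAcceleration": True,
            "TunnelOptions": [
                {"OutsideIpAddress": "203.0.113.10",
                 "Phase1LifetimeSeconds": 28800, "Phase2LifetimeSeconds": 3600},
                {"OutsideIpAddress": "203.0.113.11",
                 "Phase1LifetimeSeconds": 28800, "Phase2LifetimeSeconds": 1800},
            ],
        },
    }],
})


def audit_vpn(describe_json, device_phase1, device_phase2):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for conn in json.loads(describe_json)["VpnConnections"]:
        vpn_id = conn["VpnConnectionId"]
        opts = conn.get("Options", {})
        if not opts.get("EnableAcceleration"):
            # Acceleration cannot be toggled later; a new connection is required.
            findings.append(f"{vpn_id}: acceleration is not enabled")
        if not conn.get("TransitGatewayId") or conn.get("VpnGatewayId"):
            # Accelerated connections are supported only on a transit gateway.
            findings.append(f"{vpn_id}: not attached to a transit gateway")
        for tun in opts.get("TunnelOptions", []):
            ip = tun.get("OutsideIpAddress", "?")
            p1 = tun.get("Phase1LifetimeSeconds", 28800)  # AWS default if absent
            p2 = tun.get("Phase2LifetimeSeconds", 3600)   # AWS default if absent
            if p1 != device_phase1:
                findings.append(f"{vpn_id} tunnel {ip}: phase 1 {p1}s != device {device_phase1}s")
            if p2 != device_phase2:
                findings.append(f"{vpn_id} tunnel {ip}: phase 2 {p2}s != device {device_phase2}s")
    return findings
```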

Related information

Accelerated AWS Site-to-Site VPN connections