How do I troubleshoot VPN tunnel connectivity to an Amazon VPC?


My AWS Site-to-Site Virtual Private Network (VPN) can't establish or maintain a connection to my Amazon Virtual Private Cloud (Amazon VPC). I want to troubleshoot this issue.

Short description

The Amazon VPC network model supports open standard, encrypted Internet Protocol security (IPsec) VPN connections to AWS infrastructure. To establish a VPN tunnel connection to an Amazon VPC, you must verify or modify these configurations:

  • VPN tunnel Internet Key Exchange (IKE) configuration
  • VPN tunnel IPsec configuration
  • Network access control list (network ACL) configuration
  • Amazon VPC security group rules configuration
  • Amazon Elastic Compute Cloud (Amazon EC2) instance network routing table configuration
  • Amazon EC2 instance firewall configuration
  • VPN gateway configurations for virtual private gateway and transit gateway

Resolution

To troubleshoot a Site-to-Site VPN that can't establish or maintain a connection to an Amazon VPC, complete the following:

Verify that AWS VPN can establish a Site-to-Site VPN tunnel

Troubleshoot common routing issues

If both VPN tunnels can establish a connection, then complete the following steps:

  1. Open the Amazon EC2 console, then view the network ACLs in your Amazon VPC.
    Note: Custom network ACLs might affect the attached VPN's network connectivity. For more information, see Work with network ACLs.
  2. Activate inbound connectivity on the necessary ports. For more information, see Configure security group rules.
  3. Verify that the route tables in your Amazon EC2 instances are correct. For more information, see Change a subnet route table.
  4. If you use an Active/Active configuration, then make sure that Asymmetric routing is active on your virtual tunnel interfaces. For more information, see How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?
  5. Make sure that no firewalls block traffic to the Amazon EC2 instance inside of the VPC:
    Windows
    Open a command prompt, and then run the WF.msc command. For more information, see Open Windows Firewall with Advanced Security on the Microsoft Learn website.
    Linux
    Open the terminal, and then run the iptables command. For more information, see Sysadmin tools: How to use iptables on the Red Hat website.
  6. If you use a policy-based VPN, then set up the source address from your internal network as 0.0.0.0/0. Then, set the destination address as the VPC subnet. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
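The network ACL check in steps 1 and 2 above, as an added example that is not part of the original article: a Python evaluator that applies AWS network ACL semantics (stateless, rules evaluated in ascending rule number, first match wins, the catch-all `*` rule denies) to a constructed rule set in the shape of the `Entries` list from `aws ec2 describe-network-acls`. It shows why a missing inbound ICMP allow rule breaks ping from the on-premises side and why the outbound ephemeral-port range decides whether reply traffic gets back through the tunnel.

```python
"""Offline evaluation of a VPC network ACL against a VPN traffic flow.

Added example, not AWS code. Network ACLs are stateless: the request and the
reply are judged separately, each against its own direction's rule list.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: TCP 22 allowed in from the on-premises range and
# ephemeral-port replies allowed out, but no inbound ICMP allow rule.
ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "192.168.0.0/16", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "192.168.0.0/16", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]

def _matches(entry, proto, peer_ip, port):
    """True if one ACL entry applies to this protocol, peer address and port."""
    if entry["Protocol"] not in ("-1", proto):   # "-1" means all protocols
        return False
    if ip_address(peer_ip) not in ip_network(entry["CidrBlock"]):
        return False
    pr = entry.get("PortRange")                  # absent for ICMP / all-traffic
    if pr and port is not None and not pr["From"] <= port <= pr["To"]:
        return False
    return True

def nacl_decision(entries, egress, proto, peer_ip, port=None):
    """Return 'allow' or 'deny' for one direction: lowest rule number first,
    first match wins, implicit deny if nothing matches."""
    for e in sorted((e for e in entries if e["Egress"] == egress),
                    key=lambda e: e["RuleNumber"]):
        if _matches(e, proto, peer_ip, port):
            return e["RuleAction"]
    return "deny"

def check_flow(entries, proto, peer_ip, dst_port=None, reply_port=None):
    """Stateless two-way check: request inbound, reply outbound to the peer."""
    return {
        "inbound": nacl_decision(entries, False, proto, peer_ip, dst_port),
        "outbound": nacl_decision(entries, True, proto, peer_ip, reply_port),
    }
```

Protocol numbers follow the IANA values the ACL uses ("1" ICMP, "6" TCP, "17" UDP); the same evaluator applies to a custom ACL pulled from the console or CLI.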

Make sure that traffic from your network reaches your EC2 instance

To verify that traffic from your network reaches your instance, complete the following steps based on your use case:

Linux

  1. Open a terminal session.
  2. Verify that Internet Control Message Protocol (ICMP) has connectivity. Replace example_IP with your server's IP address:
    ping example_IP
    Note: Add the ICMP rule in security groups and network ACLs. For more information, see Rules for ping/ICMP.
  3. Run the traceroute utility from your internal network to an Amazon EC2 instance in the VPC that connects to the VPN. For more information, see How to use Tracert/Traceroute on the Network for Learning website.

Windows

  1. Open the command prompt.
  2. Run the ping utility to verify that ICMP has connectivity.
    Note: Add the ICMP rule in security groups and network ACLs.
  3. Run the tracert utility from your internal network to an Amazon EC2 instance in the VPC that connects to the VPN.

If the output for traceroute or tracert stops at an IP address associated with your internal network, then verify that the routing path is correct.

Troubleshoot issues with the customer gateway device

If traffic from your internal network reaches the customer gateway device but doesn't reach the instance, then complete the following steps:

  1. Verify that the VPN configuration, policies, and network address translation settings on the customer gateway device for your VPN are correct.
  2. Make sure that upstream devices allow traffic.

Note: To verify configurations and other settings on the customer gateway device, check the vendor documentation for your specific device.

Troubleshoot issues with the Border Gateway Protocol (BGP)

If the IPsec session's status is UP but the tunnel is down, then the BGP session isn't established. To troubleshoot BGP issues, complete the following steps:

  1. Verify that the BGP peering IP addresses and the Autonomous System Number (ASN) are configured correctly and match on both the AWS and on-premises devices.
    Note: The ASN is the number that you used when you created the customer gateway. The ASN associated with your customer gateway device is included with the downloadable VPN configuration properties. For more information, see How AWS Site-to-Site VPN works.
  2. If you use dynamic routing, then set the encryption domain to 0.0.0.0/0 for local and remote networks for both AWS and on-premises devices.
  3. On the customer gateway device, make sure that TCP 179 and ephemeral ports allow traffic. For more information about troubleshooting gateway connectivity, see Troubleshooting your customer gateway device.
  4. Ping the AWS BGP peer IP address in the 169.254.x.x range from the peer address of the on-premises BGP.
  5. Review the BGP logs from the customer gateway device for error messages that correspond with your use case.

Related information

What is AWS Site-to-Site VPN?

Site-to-Site VPN single and multiple VPN connection examples

How do I troubleshoot BGP connection issues over VPN?
