Why can't I connect to my VPC when using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway?

Resolution

• Using the AWS Management Console, check that the Site-to-Site VPN connection's tunnel status is UP. If the connection is DOWN, then follow the troubleshooting steps for resolving connection downtime for phase 1 failures and phase 2 failures.

• Verify that the encryption domain that's configured on the customer gateway device is broad enough to cover the local (on-premises) and remote (AWS) network CIDRs. Site-to-Site VPN is a route-based virtual private network (VPN) solution, so by default the local and remote network CIDRs are set to any/any (0.0.0.0/0). AWS limits the number of security associations (SAs) to a single pair for both inbound and outbound security associations. So, if multiple networks are defined to communicate through the tunnel, then multiple security associations are negotiated. This setup can cause a network connectivity failure.

• For an active/active setup (where both tunnels are UP), make sure that asymmetric routing is supported and activated on the customer gateway device. If you haven't turned on asymmetric routing, then AWS randomly selects the egress tunnel (AWS to customer gateway traffic). For dynamic VPN, use AS PATH prepending or MED BGP attributes to use a single tunnel for return traffic from the VPC to the customer gateway device.

• For a static VPN, make sure that the remote on-premises network routes are defined on the VPN connection. Also, make sure that you've created a corresponding reverse route for the VPC CIDRs on the customer gateway device. This reverse route is used to route traffic through the virtual tunnel interface (VTI).

• For dynamic VPN, make sure that the customer gateway device is advertising the local routes to the AWS peers. Also check that the customer gateway device is receiving the VPC network CIDRs.

• Verify the routing on the VPC route tables. It's a best practice to turn on VGW route propagation to automatically propagate the VPN routes to the VPC route tables. Or if route propagation is turned off, you can add a static route for the on-premises network to route through the VGW.

• Verify that traffic is allowed on both the subnet network ACL and target resource security group. For more information, see Control traffic to resources using security groups and Controlling traffic to subnets using Network ACLs.

• Confirm that traffic is allowed (inbound and outbound) on the target host or instance firewall. On Windows OS, check that the Windows firewall allows traffic. For Linux systems, verify that IP tables, firewalls, and other similar host firewalls have allowed the corresponding traffic.

• Check if the application that's running on the target server is listening on the expected port and protocol (TCP/UDP). Run the following commands:

  Windows CMD:

  > netstat -a

  Linux terminal:

  $ sudo netstat -plantu

Related information

How to determine which program uses or blocks specific Transmission Control Protocol ports in Windows Server 2003 in Windows documentation