Site to Site VPN Issue

0

I have configured a site-to-site VPN from my on-prem firewall to AWS. My on-prem firewall shows both tunnels up, but in my AWS console the status shows down while IPsec is up. Please advise; we have a POC. Your prompt support will be highly appreciated.

  • A bit more details on the error would be helpful.

1 answer
1

Hello, I see you are having issues with your Site-to-Site VPN connection.

With AWS Site-to-Site VPN, when the status in your AWS console shows IPsec up and tunnel down, this indicates that IPsec has been successfully established between the two peers. However, since this is a dynamic (BGP) VPN, the tunnel will come up only once the BGP session is established.

There are a number of issues that can affect BGP session establishment, which include but are not limited to the following: IKE security associations and the BGP peer IPs, to mention some.

To try to resolve the issue, verify that the BGP [1] configuration, such as the peer IP and ASN, is correct. I have referenced documentation to help troubleshoot [2][3][4] your issue, since you have not mentioned a specific one. Be sure to check the traffic selectors (encryption domain) and confirm that they include the BGP peer IPs. Verify that your device has rules allowing BGP traffic, TCP on port 179, inbound and outbound to the AWS tunnel inside IPs. Also have a look at the status of BGP and the logs from your device, which help analyse any errors on BGP. You can monitor your VPN connection using CloudWatch, which will help you monitor the state of your tunnel [5]. You may also monitor the connections of your tunnel using AWS Health events, which you can configure to monitor what happens when you try to connect Site-to-Site [6].

References:

[1] https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-dynamic-routing-examples.html

[2] https://aws.amazon.com/premiumsupport/knowledge-center/vpn-cgw-vpg-traffic/

[3] https://aws.amazon.com/premiumsupport/knowledge-center/vpn-tunnel-instability-inactivity/

[4] https://docs.aws.amazon.com/vpn/latest/s2svpn/Troubleshooting.html

[5] https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html

[6] https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-vpn-health-events.html

Antonio
answered 2 years ago
  • Dear Support, thanks for your reply. I am thinking of changing from dynamic to static routing; will it help me? Also, when I am trying to change dynamic to static routing it is not showing me the option, so could you please advise me how and from where I can change dynamic to static routing. Thanks
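The checklist in the answer above (BGP peer IP and ASN match the AWS-side values, the encryption domain includes the inside tunnel addresses, TCP/179 is permitted in both directions) can be run offline against the tunnel parameters from the downloaded AWS VPN configuration before touching the device again. The script below is an added example, not part of the original thread or of any AWS tool; the tunnel values, the device configuration and the finding codes are all constructed for illustration, and the link-local /30 inside addresses mirror the form AWS assigns.

```python
"""Offline prerequisite checks for the 'IPsec up, tunnel down' state on an
AWS Site-to-Site VPN with dynamic (BGP) routing.

Added example, not from the original post. All sample values below are
constructed; replace them with the fields from your own downloaded AWS VPN
configuration and your firewall's running configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AwsTunnel:
    """Values taken from the AWS-side configuration of one tunnel."""
    name: str
    aws_inside_ip: str   # AWS BGP peer address inside the tunnel /30
    cgw_inside_ip: str   # customer gateway address in the same /30
    aws_asn: int         # Virtual Private Gateway / Transit Gateway ASN
    cgw_asn: int         # customer gateway ASN registered in AWS


@dataclass
class DeviceConfig:
    """What the on-prem firewall is actually configured with."""
    bgp_neighbor_ip: str
    local_asn: int
    remote_asn: int
    # IPsec traffic selectors (encryption domain) as (local_cidr, remote_cidr)
    traffic_selectors: list
    # firewall rules as (proto, src_cidr, dst_cidr, dst_port); None = any port
    firewall_rules: list


def _selector_covers(pairs, src, dst):
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in pairs)


def _tcp179_allowed(rules, src, dst):
    return any(proto == "tcp" and port in (None, 179)
               and src in ipaddress.ip_network(s)
               and dst in ipaddress.ip_network(d)
               for proto, s, d, port in rules)


def check_bgp_prerequisites(tunnel, device):
    """Return a list of finding codes; an empty list means all checks pass."""
    findings = []
    aws = ipaddress.ip_interface(tunnel.aws_inside_ip)
    cgw = ipaddress.ip_interface(tunnel.cgw_inside_ip)

    if aws.network != cgw.network:
        findings.append("INSIDE_IPS_NOT_SAME_SUBNET")
    if ipaddress.ip_address(device.bgp_neighbor_ip) != aws.ip:
        findings.append("BGP_NEIGHBOR_IP_MISMATCH")
    if device.remote_asn != tunnel.aws_asn:
        findings.append("REMOTE_ASN_MISMATCH")
    if device.local_asn != tunnel.cgw_asn:
        findings.append("LOCAL_ASN_MISMATCH")
    # BGP runs between the inside /30 addresses, so the encryption domain must
    # include them; a LAN <-> VPC only selector drops the BGP packets.
    if not _selector_covers(device.traffic_selectors, cgw.ip, aws.ip):
        findings.append("SELECTOR_EXCLUDES_BGP_PEERS")
    # TCP/179 must pass both outbound to and inbound from the AWS inside IP.
    if not (_tcp179_allowed(device.firewall_rules, cgw.ip, aws.ip)
            and _tcp179_allowed(device.firewall_rules, aws.ip, cgw.ip)):
        findings.append("TCP179_BLOCKED")
    return findings


# Constructed sample values (not from the original post).
TUNNEL_1 = AwsTunnel("tunnel-1", "169.254.10.1/30", "169.254.10.2/30",
                     aws_asn=64512, cgw_asn=65000)

GOOD_DEVICE = DeviceConfig(
    bgp_neighbor_ip="169.254.10.1", local_asn=65000, remote_asn=64512,
    traffic_selectors=[("0.0.0.0/0", "0.0.0.0/0")],
    firewall_rules=[("tcp", "169.254.10.0/30", "169.254.10.0/30", 179)],
)

# Common misconfiguration: neighbor pointed at the device's own inside IP,
# encryption domain narrowed to LAN <-> VPC, and no rule for the /30.
BAD_DEVICE = DeviceConfig(
    bgp_neighbor_ip="169.254.10.2", local_asn=65000, remote_asn=64512,
    traffic_selectors=[("10.0.0.0/16", "172.31.0.0/16")],
    firewall_rules=[("tcp", "10.0.0.0/16", "172.31.0.0/16", None)],
)

if __name__ == "__main__":
    for label, dev in (("good", GOOD_DEVICE), ("bad", BAD_DEVICE)):
        print(label, TUNNEL_1.name, check_bgp_prerequisites(TUNNEL_1, dev) or "OK")
```

Run the checks once per tunnel (both AWS tunnels have their own /30 and their own entry in the configuration file). An empty result does not prove BGP will come up, only that the device-side values match what AWS expects; the BGP state and logs on the device, and the TunnelState metric in CloudWatch, remain the places to confirm the session.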
