- Newest
- Most votes
- Most comments
Hello Olive,
I have a couple of suggestions here:
The objective is to establish communication between specific instances in an AWS subnet and the on-premises server while allowing flexibility to change to another VPC and subnet on our end.
- If you are trying to connect to multiple VPCs, try using Target Gateway as a Transit Gateway (TGW). You will not have to attach and detach since TGW will allow you to reach multiple VPCs.
[+] AWS Transit Gateway and AWS Site-to-Site VPN: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-transit-gateway-vpn.html
Note: If you modify the VPC-VGW association, there will be some interruption in traffic.
- As you said, the VPN tunnel status indicates that it is "up. You don't need to verify Phase 1 and Phase 2 configuration. However, the below document has all the steps that you can follow to troubleshoot the connectivity issue.
[+] How do I troubleshoot VPN tunnel connectivity to an Amazon VPC? https://repost.aws/knowledge-center/vpn-tunnel-troubleshooting
In addition to the above, you can monitor cloud watch tunnel data IN and OUT to check if there's ESP traffic over the tunnel. Also, try capturing the VPC flow logs to see if traffic is reaching instances.
[+] Monitoring VPN tunnels using Amazon CloudWatch - VPN metrics and dimensions - https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html#metrics-dimensions-vpn
[+] Create a flow log that publishes to CloudWatch Logs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-cwl-create-flow-log
Hello.
Has the VPN been successful in Phase 1?
If phase 1 is failing, troubleshoot according to the following document.
https://repost.aws/knowledge-center/vpn-tunnel-phase-1-ike
If phase 2 is failing, troubleshoot according to the following documentation.
https://repost.aws/knowledge-center/vpn-tunnel-phase-2-ipsec
Also, if you check the VPN logs and other logs of the customer gateway, you will probably see an error output that leads to the cause of the connection failure.
Thank you, the tunnel is up. vpn logs show no insight as the log is up and works as it should so I am still stuck
If I add a static route or other route for routing from on-premises to an AWS VPC, can I still communicate? Also, has a route to the VGW been added to the AWS side route table to communicate to the on-premises?
All these have been done, route table points to vgw, static route to the onprem ip address
Relevant content
- Accepted Answerasked a year ago
- asked 2 months ago
- Accepted Answerasked a year ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Thanks for your response. However, the endpoint for this set up is not to constantly change vpcs, we just want to move it to a different vpc that is better suited for the purpose of this configuration. The configuration for the tunnel that works has been replicated on the vpc I would like to change to the tunnel goes up but instances cannot ping. When I go to the initial vpc, the tunnel will go up and still communicate. Also I created a brand new tunnel and pointed it to a totally different vpc while replicating the setup of the working vpn, the tunnel goes up but still fails to have servers communicate across the tunnel.
Thanks for your response. However, the endpoint for this set up is not to constantly change vpcs, we just want to move it to a different vpc that is better suited for the purpose of this configuration. The configuration for the tunnel that works has been replicated on the vpc I would like to change to the tunnel goes up but instances cannot ping. When I go to the initial vpc, the tunnel will go up and still communicate. Also I created a brand new tunnel and pointed it to a totally different vpc while replicating the setup of the working vpn, the tunnel goes up but still fails to have servers communicate across the tunnel.
Reference: https://repost.aws/knowledge-center/vpn-connection-instability
When I ping out and check the Tunnel data out metric, I can see tunnel data out value but tunnel data in is 0 (also ping requests has the timed out error) .When the instance is pinged, it is unavailable and I see tunnel data in value but tunnel data out is 0. The correct range is configured in phase 2. I really dont know what to make of this behaviour
If you see tunnel data IN, that means traffic initiated from on-premises is reaching the VPN endpoint. How about VPC flow logs? Does that show anything? Do we have the correct VPN static route back to on-premises?