ping reply lost for openvpn

Hi, we have an OpenVPN connection to the office and I can ping the office network without issue:

```
ping 192.168.10.73

Pinging 192.168.10.73 with 32 bytes of data:
Reply from 192.168.10.73: bytes=32 time=19ms TTL=127
Reply from 192.168.10.73: bytes=32 time=20ms TTL=127
```

We also established an IPsec site-to-site VPN between the office and the AWS VPC, and I can ping from the office to the EC2 instance as well:

```
ping 172.31.240.251

Pinging 172.31.240.251 with 32 bytes of data:
Reply from 172.31.240.251: bytes=32 time=25ms TTL=253
Reply from 172.31.240.251: bytes=32 time=24ms TTL=253
```

However, I cannot ping the EC2 instance from the OpenVPN connection:

```
ping 172.31.240.251

Pinging 172.31.240.251 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.31.240.251:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```

But the EC2 instance did get the ping and replied:

```
sudo /usr/sbin/tcpdump -ni eth1 -c '1000' -U '((host 172.31.240.251) and (icmp))'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:24:45.290064 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 380, length 72
14:24:45.290101 IP 172.31.240.251 > 192.168.2.3: ICMP echo reply, id 1, seq 380, length 72
14:24:53.072104 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 381, length 40
14:24:53.072138 IP 172.31.240.251 > 192.168.2.3: ICMP echo reply, id 1, seq 381, length 40
14:24:57.796376 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 382, length 40
14:24:57.796407 IP 172.31.240.251 > 192.168.2.3: ICMP echo reply, id 1, seq 382, length 40
14:25:02.793453 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 383, length 40
14:25:02.793494 IP 172.31.240.251 > 192.168.2.3: ICMP echo reply, id 1, seq 383, length 40
14:25:07.793370 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 384, length 40
14:25:07.793404 IP 172.31.240.251 > 192.168.2.3: ICMP echo reply, id 1, seq 384, length 40
```

I had an entry in our VPC route table for 192.168.2.0/24 to Virtual private gateways (vgw-xxxxx), but the ping reply did not come back.

Reachability Analyzer told me that from the EC2 instance to 192.168.2.3 is Reachable via Virtual private gateways (vgw-xxxxx). Am I missing anything? Thank you for your help.

  • Please consider editing this so that it is readable. Note that you can format code or output from commands by putting a line before and after with three backticks on it.
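The capture in the question shows requests and replies at the EC2 end; the missing piece is a capture at the near end to compare against. As an added example (not from the question, the answer, or any AWS tool), the following Python script pairs ICMP echo requests with replies in tcpdump lines of the format quoted above and classifies each echo by where it was last seen. The EC2-side lines are the ones from the question; the client-side lines are constructed here to stand for a capture on the OpenVPN server's tun interface (an assumed interface name `tun0`) in which only the outgoing requests appear.

```python
"""Pair ICMP echo requests with replies from tcpdump -n output and locate
where replies go missing. Added example; the two capture samples below are
the question's EC2-side lines plus a constructed near-end capture."""
import re
from collections import defaultdict

# tcpdump -n echo line: "HH:MM:SS.usec IP src > dst: ICMP echo request|reply, id N, seq M, length L"
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)"
)

# EC2-side capture: the lines quoted in the question (tcpdump -ni eth1 on the instance).
EC2_CAPTURE = """
14:24:45.290064 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 380, length 72
14:24:45.290101 IP 172.31.240.251 > 192.168.2.3: ICMP echo reply, id 1, seq 380, length 72
14:24:53.072104 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 381, length 40
14:24:53.072138 IP 172.31.240.251 > 192.168.2.3: ICMP echo reply, id 1, seq 381, length 40
14:24:57.796376 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 382, length 40
14:24:57.796407 IP 172.31.240.251 > 192.168.2.3: ICMP echo reply, id 1, seq 382, length 40
14:25:02.793453 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 383, length 40
14:25:02.793494 IP 172.31.240.251 > 192.168.2.3: ICMP echo reply, id 1, seq 383, length 40
14:25:07.793370 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 384, length 40
14:25:07.793404 IP 172.31.240.251 > 192.168.2.3: ICMP echo reply, id 1, seq 384, length 40
""".strip().splitlines()

# Constructed near-end capture (assumed: tcpdump -ni tun0 on the OpenVPN server).
# Requests leave, no reply ever comes back, which matches the symptom in the question.
CLIENT_SIDE_CAPTURE = """
14:24:45.271010 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 380, length 72
14:24:53.053022 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 381, length 40
14:24:57.777301 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 382, length 40
14:25:02.774408 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 383, length 40
14:25:07.774299 IP 192.168.2.3 > 172.31.240.251: ICMP echo request, id 1, seq 384, length 40
""".strip().splitlines()


def parse_icmp(lines):
    """Yield one dict per echo request/reply line; other tcpdump lines are skipped."""
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            for field in ("id", "seq", "len"):
                pkt[field] = int(pkt[field])
            yield pkt


def pair_echoes(lines):
    """Map (id, seq) -> {"request": timestamp or None, "reply": timestamp or None}."""
    pairs = defaultdict(lambda: {"request": None, "reply": None})
    for pkt in parse_icmp(lines):
        pairs[(pkt["id"], pkt["seq"])][pkt["kind"]] = pkt["ts"]
    return dict(pairs)


def unanswered(lines):
    """(id, seq) pairs that have a request but no reply within this one capture."""
    return sorted(k for k, v in pair_echoes(lines).items() if v["request"] and not v["reply"])


def compare_ends(near_lines, far_lines):
    """Classify each echo seen at either end:
    ok            reply reached the near end
    lost_return   far end replied, reply never reached the near end (return-path problem)
    lost_forward  request left the near end but never reached the far end
    unknown       anything else (e.g. request seen only at the far end)
    """
    near, far = pair_echoes(near_lines), pair_echoes(far_lines)
    verdict = {}
    for key in sorted(set(near) | set(far)):
        n, f = near.get(key, {}), far.get(key, {})
        if n.get("reply"):
            verdict[key] = "ok"
        elif f.get("reply"):
            verdict[key] = "lost_return"
        elif n.get("request") and not f.get("request"):
            verdict[key] = "lost_forward"
        else:
            verdict[key] = "unknown"
    return verdict


if __name__ == "__main__":
    for key, result in compare_ends(CLIENT_SIDE_CAPTURE, EC2_CAPTURE).items():
        print(f"id={key[0]} seq={key[1]}: {result}")
```

A result of `lost_return` for every sequence number, as with these two samples, narrows the search to the hops between the EC2 instance and the OpenVPN server on the way back (the VPC route table, the IPsec tunnel's selectors, and the office-side route for the VPN client subnet), which is where the answer below sends you.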

1 Answer
Hi Robbert

Check these steps to resolve the issue. Hope it helps:

No ping from OpenVPN client to EC2 instance despite replies from EC2. Issue likely routing related.

  • Check OpenVPN config for routes and route pushing.
  • Verify VPC route table for route to client subnet (192.168.2.0/24) via vgw-xxxxx.
  • Ensure security groups allow ICMP traffic from client subnet.
  • Use traceroute and check OpenVPN server logs for routing errors.

https://docs.aws.amazon.com/vpc/latest/userguide/RouteTables.html

  • Temporarily disable the IPsec tunnel to isolate if it's causing any conflicts with routing.
  • Try pinging another resource within the VPC from the OpenVPN client to see if the issue is specific to the EC2 instance.

For more, follow the links:

  • OpenVPN client configuration and routing: https://openvpn.net/community-resources/setting-up-routing/
  • Pushing routes: https://forums.openvpn.net/viewtopic.php?t=9055
  • VPC route tables: https://docs.aws.amazon.com/vpc/latest/userguide/RouteTables.html
  • Security groups and ICMP traffic: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
  • Traceroute: https://en.wikipedia.org/wiki/Traceroute
  • OpenVPN server logs: https://askubuntu.com/questions/276664/where-are-the-openvpn-connection-logs-and-configuration-files

EXPERT
answered 2 years ago
  • Also ensure there is no NAT happening on the OpenVPN side.

  • Yes, sometimes NAT also should be enabled.
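The answer's checklist (OpenVPN pushed routes, the VPC route table entry for 192.168.2.0/24, the office side) amounts to walking the return path hop by hop and asking at each hop whether it has a route back to the VPN client subnet. As an added example, not from the answer or from AWS, the Python below models that walk with a longest-prefix-match lookup over a constructed topology. The hop names, the office router, the OpenVPN server's addresses (`192.168.2.1` and `192.168.10.254`) and every route in the tables are assumptions built for the illustration; the addresses 192.168.2.3 and 172.31.240.251 and the 192.168.2.0/24 route via the VGW are from the question. The same check applies to IPsec traffic selectors, which the model treats as just another route table.

```python
"""Forward/return path walk over constructed route tables (added example).
Each hop has the addresses it owns and a list of (prefix, next-hop) routes.
A packet is delivered when it reaches a hop owning the destination, and
dropped at the first hop with no matching route."""
import ipaddress


def lpm(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route matches."""
    best_net, best_nh = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, next_hop
    return best_nh


def trace(topology, start, dst_ip, max_hops=16):
    """Walk from hop `start` toward dst_ip. Returns (path, delivered)."""
    dst = ipaddress.ip_address(dst_ip)
    hop, path = start, [start]
    for _ in range(max_hops):
        if str(dst) in topology[hop]["addrs"]:
            return path, True
        next_hop = lpm(topology[hop]["routes"], dst)
        if next_hop is None:          # no route: dropped here
            return path, False
        hop = next_hop
        path.append(hop)
    return path, False                # loop guard


def find_hop(topology, ip):
    """Name of the hop that owns address ip."""
    for name, hop in topology.items():
        if ip in hop["addrs"]:
            return name
    raise KeyError(ip)


def round_trip(topology, src_ip, dst_ip):
    """Trace both directions and report the hop that drops the packet, if any."""
    fwd, fwd_ok = trace(topology, find_hop(topology, src_ip), dst_ip)
    ret, ret_ok = trace(topology, find_hop(topology, dst_ip), src_ip)
    dropped_at = None if fwd_ok and ret_ok else (fwd[-1] if not fwd_ok else ret[-1])
    return {"forward": fwd, "forward_ok": fwd_ok,
            "return": ret, "return_ok": ret_ok, "dropped_at": dropped_at}


def make_topology(office_router_knows_vpn_subnet):
    """Constructed topology (assumed hop names and addresses, not from the question).
    The flag controls whether the office router has a route for the OpenVPN
    client subnet back to the OpenVPN server."""
    office_routes = [("172.31.0.0/16", "vpc")]              # toward AWS over IPsec
    if office_router_knows_vpn_subnet:
        office_routes.append(("192.168.2.0/24", "openvpn-server"))
    return {
        "client":         {"addrs": {"192.168.2.3"},
                           "routes": [("172.31.0.0/16", "openvpn-server"),   # pushed routes
                                      ("192.168.10.0/24", "openvpn-server")]},
        "openvpn-server": {"addrs": {"192.168.2.1", "192.168.10.254"},
                           "routes": [("192.168.2.0/24", "client"),
                                      ("0.0.0.0/0", "office-router")]},
        "office-router":  {"addrs": {"192.168.10.1"}, "routes": office_routes},
        "vpc":            {"addrs": set(),                                  # VPC route table
                           "routes": [("172.31.0.0/16", "ec2"),
                                      ("192.168.10.0/24", "office-router"),
                                      ("192.168.2.0/24", "office-router")]},  # the vgw entry
        "ec2":            {"addrs": {"172.31.240.251"},
                           "routes": [("0.0.0.0/0", "vpc")]},
    }


if __name__ == "__main__":
    for knows in (False, True):
        r = round_trip(make_topology(knows), "192.168.2.3", "172.31.240.251")
        print(f"office router knows 192.168.2.0/24: {knows}")
        print(f"  forward {' -> '.join(r['forward'])} delivered={r['forward_ok']}")
        print(f"  return  {' -> '.join(r['return'])} delivered={r['return_ok']}"
              f" dropped_at={r['dropped_at']}")
```

In the constructed broken case the forward trace delivers and the return trace stops at the office router, which is exactly the shape of the symptom in the question (EC2 sees and answers the request, the client never sees the reply) and why a successful Reachability Analyzer result, which only covers the AWS side, does not rule out a problem on the path. Swap in the real tables from `ip route`, the OpenVPN `push "route ..."` lines, the IPsec selectors and the VPC route table to find the hop that is missing the route.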
