In addition to the troubleshooting steps mentioned in the other answer, you can use the VPC Reachability Analyzer to test the path between your EC2 instance and your on-prem network.
How Reachability Analyzer works
Reachability Analyzer analyzes the path between a source and destination by building a model of the network configuration, and then checking for reachability based on the configuration. It does not send packets or analyze the data plane.
To use Reachability Analyzer, you specify the path for the traffic from a source to a destination. For example, you could specify an internet gateway as the source, an EC2 instance as the destination, 22 as the destination port, and TCP as the protocol. This would allow you to verify that you can connect to the EC2 instance through the internet gateway using SSH.
If there are multiple reachable paths between a source and a destination, Reachability Analyzer identifies and displays the shortest path. You can analyze the path again, specifying an intermediate component, to find an alternative reachable path that traverses the intermediate component.
If the path is not reachable, Reachability Analyzer displays information about the component or combination of components that is blocking the path. There might be additional components blocking the path.
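The path described above, driven from boto3 instead of the console, with a helper that reads the verdict out of the finished analysis. This is an added example, not code from the answer above or from AWS; the instance and virtual private gateway ids are placeholders you supply, and the sample response (ids and explanation code included) is constructed. Because Reachability Analyzer only evaluates the configuration model, a "reachable" verdict in both directions, as the questioner reports, does not prove that packets actually cross the tunnel.

```python
"""Added example (not the answer's code): run a Reachability Analyzer path with boto3
and interpret the describe-network-insights-analyses response."""
import time


def run_analysis(source_id, destination_id, port=22, protocol="tcp", region="us-east-1"):
    """Create a path, start an analysis and poll until it finishes.
    Needs AWS credentials and boto3; the resource ids are placeholders you supply."""
    import boto3  # imported here so the offline helper below works without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    path = ec2.create_network_insights_path(
        Source=source_id,            # e.g. the EC2 instance id (i-...)
        Destination=destination_id,  # e.g. the virtual private gateway id (vgw-...) of the VPN
        Protocol=protocol,
        DestinationPort=port,
    )
    path_id = path["NetworkInsightsPath"]["NetworkInsightsPathId"]
    started = ec2.start_network_insights_analysis(NetworkInsightsPathId=path_id)
    analysis_id = started["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    while True:
        resp = ec2.describe_network_insights_analyses(NetworkInsightsAnalysisIds=[analysis_id])
        analysis = resp["NetworkInsightsAnalyses"][0]
        if analysis["Status"] in ("succeeded", "failed"):
            return analysis
        time.sleep(5)


def interpret(analysis):
    """Return (reachable, findings). Each finding is 'EXPLANATION_CODE @ component-id',
    taken from the Explanations list of a finished analysis; nested component dicts
    (RouteTable, SecurityGroup, Acl, Subnet, ...) carry the id of the blocking component."""
    if analysis.get("Status") != "succeeded":
        return False, [f"analysis status {analysis.get('Status')}: {analysis.get('StatusMessage', '')}"]
    findings = []
    for expl in analysis.get("Explanations", []):
        code = expl.get("ExplanationCode", "UNKNOWN")
        ids = [v["Id"] for v in expl.values() if isinstance(v, dict) and "Id" in v]
        findings.append(f"{code} @ {', '.join(ids) or 'n/a'}")
    return bool(analysis.get("NetworkPathFound")), findings


# Constructed samples of finished analyses. The ids and the explanation code are
# placeholders, not real AWS values; see the AWS explanation-code list for real ones.
SAMPLE_BLOCKED = {
    "Status": "succeeded",
    "NetworkPathFound": False,
    "Explanations": [
        {"ExplanationCode": "PLACEHOLDER_ROUTE_EXPLANATION",
         "RouteTable": {"Id": "rtb-0000example"}}
    ],
}
SAMPLE_REACHABLE = {"Status": "succeeded", "NetworkPathFound": True, "Explanations": []}

if __name__ == "__main__":
    for sample in (SAMPLE_REACHABLE, SAMPLE_BLOCKED):
        reachable, findings = interpret(sample)
        print("reachable" if reachable else "blocked", findings)
```

To run it against a live account, call `run_analysis("i-<your-instance>", "vgw-<your-gateway>")` and pass the result to `interpret`; the blocking component ids it prints are the ones to inspect in the route table, NACL and security-group checks that follow.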
1. VPN Configuration
- Phase 1 and Phase 2 Configuration: Ensure that the VPN's Phase 1 and Phase 2 settings on both the AWS and on-premises sides match. If these configurations are mismatched, the tunnel may be up, but traffic won't flow correctly.
- Tunnel Status: Confirm that both tunnels of the VPN connection are up. Sometimes only one tunnel might be active, which could affect traffic routing.
2. Routing Configuration
- AWS Route Tables: Verify that the VPC route table associated with the subnet where the EC2 instance resides has a route for the on-premises network pointing to the Virtual Private Gateway (VGW). For example, if your on-premises network is 192.168.1.0/24, there should be a route for 192.168.1.0/24 pointing to the VGW.
- On-Premises Routing: Ensure that your on-premises router/firewall has a route back to the AWS VPC CIDR block pointing to the VPN gateway.
3. Security Groups and Network ACLs
- Security Groups: Make sure the security group associated with the EC2 instance allows inbound ICMP traffic (Echo Request) and outbound ICMP traffic (Echo Reply).
- Network ACLs: Verify that your Network ACLs allow inbound and outbound ICMP traffic. NACLs should be set to allow all traffic if you're testing connectivity.
4. On-Premises Firewall Configuration
Double-check the firewall rules on the on-premises server to ensure they allow ICMP traffic from the AWS VPC IP range. Make sure the firewall on the on-premises side isn't blocking return traffic (Echo Reply) to the AWS instance.
5. NAT Instances or Gateways
If you're using a NAT instance or gateway, ensure it's properly configured and that traffic destined for the on-premises network isn't getting translated in a way that the on-premises network doesn't recognize.
6. IPsec Policies
Ensure that the IPsec policies on the on-premises VPN device match what AWS is expecting. Mismatched policies can sometimes allow the VPN to come up but block specific types of traffic.
7. VPC Peering (if applicable)
If the traffic is being routed through a peered VPC, ensure that VPC Peering allows traffic over the VPN and that the routing is correctly configured in both VPCs.
8. Logging and Diagnostics
- VPN Logs: Check the VPN logs in AWS for any errors or dropped packets.
- Packet Capture: Perform a packet capture on both the on-premises and AWS sides to see if ICMP requests are reaching the on-premises server and if replies are being sent.
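The route-table and security-group items above can be checked offline against the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return. The following is an added example, not code from the answer or from AWS: the two JSON samples are constructed (ids are placeholders), the on-prem range 192.168.1.0/24 is the one the answer uses, and the route check assumes the on-prem path goes through a VGW as the answer describes (a transit-gateway design would look for a tgw- target instead). One caveat worth knowing when reading the security-group item: security groups are stateful, so an inbound echo-request rule is enough for the reply to get back out, whereas network ACLs are stateless and must allow both directions.

```python
"""Added example (not the answer's code): offline checks for the routing and
security-group items, run over JSON shaped like the AWS CLI describe-* output."""
import ipaddress
import json
from typing import List, Optional

ON_PREM_CIDR = "192.168.1.0/24"   # the on-prem network used as the example in the answer

# Constructed sample shaped like `aws ec2 describe-route-tables` output; ids are placeholders.
ROUTE_TABLES_JSON = """
{"RouteTables": [{"RouteTableId": "rtb-0000example",
  "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000example", "State": "active"},
    {"DestinationCidrBlock": "192.168.1.0/24", "GatewayId": "vgw-0000example", "State": "active"}
  ]}]}
"""

# Constructed sample shaped like `aws ec2 describe-security-groups` output; ids are placeholders.
SECURITY_GROUPS_JSON = """
{"SecurityGroups": [{"GroupId": "sg-0000example",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "192.168.1.0/24"}]},
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1, "IpRanges": [{"CidrIp": "192.168.1.0/24"}]}
  ],
  "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}
"""


def matching_route(route_table: dict, destination: str) -> Optional[dict]:
    """Longest-prefix match over IPv4 CIDR routes, which is how the VPC router picks a route."""
    dst = ipaddress.ip_address(destination)
    best_len, best = -1, None
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr:
            continue  # IPv6 and prefix-list routes are not covered by this example
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best_len, best = net.prefixlen, route
    return best


def check_route_to_on_prem(route_tables: dict, on_prem_cidr: str) -> List[str]:
    """Item 2: the subnet's route table must send on-prem traffic to an active VGW route."""
    findings = []
    probe = str(ipaddress.ip_network(on_prem_cidr)[1])  # a host address inside the on-prem range
    for rt in route_tables["RouteTables"]:
        rt_id = rt["RouteTableId"]
        route = matching_route(rt, probe)
        if route is None:
            findings.append(f"{rt_id}: no route covers {on_prem_cidr}")
        elif not str(route.get("GatewayId", "")).startswith("vgw-"):
            findings.append(f"{rt_id}: {on_prem_cidr} matched by {route.get('DestinationCidrBlock')} not via VGW")
        elif route.get("State") != "active":
            findings.append(f"{rt_id}: VGW route for {on_prem_cidr} is {route.get('State')}")
    return findings


def _covers(rule: dict, src_cidr: str) -> bool:
    """True if one of the rule's IPv4 ranges contains the whole source range."""
    src = ipaddress.ip_network(src_cidr)
    for r in rule.get("IpRanges", []):
        net = ipaddress.ip_network(r["CidrIp"])
        if net.version == src.version and src.subnet_of(net):
            return True
    return False


def check_icmp_echo(security_groups: dict, src_cidr: str) -> List[str]:
    """Item 3: an inbound rule must allow ICMP echo request (type 8) from the on-prem range.
    A security-group ICMP rule stores the ICMP type in FromPort and the code in ToPort; -1 means any."""
    findings = []
    for sg in security_groups["SecurityGroups"]:
        allowed = False
        for rule in sg.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            if proto == "-1" or (proto == "icmp" and rule.get("FromPort") in (-1, 8)):
                if _covers(rule, src_cidr):
                    allowed = True
                    break
        if not allowed:
            findings.append(f"{sg['GroupId']}: no inbound ICMP echo-request rule from {src_cidr}")
    return findings


def run_checks(route_tables_json: str, security_groups_json: str, on_prem_cidr: str) -> List[str]:
    """Parse both JSON documents and return all findings (empty list means both checks pass)."""
    rts, sgs = json.loads(route_tables_json), json.loads(security_groups_json)
    return check_route_to_on_prem(rts, on_prem_cidr) + check_icmp_echo(sgs, on_prem_cidr)


if __name__ == "__main__":
    for line in run_checks(ROUTE_TABLES_JSON, SECURITY_GROUPS_JSON, ON_PREM_CIDR) or ["no findings"]:
        print(line)
```

Feed it real output by saving the CLI responses to files and passing their contents to `run_checks`; a finding that names a 0.0.0.0/0 route or a blackhole state points at the exact row to fix in the route table.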
Hello, I have already used Reachability Analyzer; curiously, with Reachability Analyzer the traffic is in accepted status in both directions.
Can you connect from the EC2 to the on-prem server over TCP, for example SSH on TCP 22?
Run tcpdump or wireshark to capture traffic while running the ping. Do this on both the source and the destination servers.
tcpdump icmp
If the ping is reaching the destination server you will see the traffic in the tcpdump. If the destination server is responding to the ping, you should see the traffic in the tcpdump. This should help you determine which end of the VPN tunnel is dropping the ICMP traffic.
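A small parser for the two captures the comment above asks for, pairing echo requests with replies by ICMP id and sequence number and saying which leg loses the traffic. This is an added example, not part of the comment; it expects the default one-line text output of `tcpdump -n icmp` (numeric addresses), and all capture lines below are constructed.

```python
"""Added example (not the comment's code): read `tcpdump -n icmp` output from the AWS
instance and from the on-prem server and report where ICMP is being dropped."""
import re
from typing import Dict, List, Set, Tuple

# Matches the default tcpdump line for an ICMP echo packet, e.g.
# 14:02:11.001234 IP 10.0.1.5 > 192.168.1.10: ICMP echo request, id 4242, seq 1, length 64
ICMP_LINE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed captures. The working case: the instance (10.0.1.5, constructed) pings the
# on-prem server (192.168.1.10, constructed) and both ends see requests and replies.
AWS_CAPTURE = """\
14:02:11.001234 IP 10.0.1.5 > 192.168.1.10: ICMP echo request, id 4242, seq 1, length 64
14:02:11.004321 IP 192.168.1.10 > 10.0.1.5: ICMP echo reply, id 4242, seq 1, length 64
14:02:12.001300 IP 10.0.1.5 > 192.168.1.10: ICMP echo request, id 4242, seq 2, length 64
14:02:12.004400 IP 192.168.1.10 > 10.0.1.5: ICMP echo reply, id 4242, seq 2, length 64
""".splitlines()

ONPREM_CAPTURE = """\
14:02:11.002900 IP 10.0.1.5 > 192.168.1.10: ICMP echo request, id 4242, seq 1, length 64
14:02:11.002950 IP 192.168.1.10 > 10.0.1.5: ICMP echo reply, id 4242, seq 1, length 64
14:02:12.002950 IP 10.0.1.5 > 192.168.1.10: ICMP echo request, id 4242, seq 2, length 64
14:02:12.003000 IP 192.168.1.10 > 10.0.1.5: ICMP echo reply, id 4242, seq 2, length 64
""".splitlines()

# Constructed failure case: the on-prem server receives the requests but never answers
# (typical of a host firewall dropping echo requests, or no route back to the VPC).
ONPREM_REQUESTS_ONLY = [line for line in ONPREM_CAPTURE if "echo request" in line]


def parse_capture(lines: List[str]) -> Dict[str, Set[Tuple[int, int]]]:
    """Collect (id, seq) pairs of echo requests and echo replies seen in a capture."""
    seen: Dict[str, Set[Tuple[int, int]]] = {"request": set(), "reply": set()}
    for line in lines:
        m = ICMP_LINE.match(line.strip())
        if m:
            seen[m["kind"]].add((int(m["id"]), int(m["seq"])))
    return seen


def diagnose(aws_lines: List[str], onprem_lines: List[str]) -> Tuple[str, str]:
    """Compare the two ends and return (verdict code, explanation)."""
    aws, onp = parse_capture(aws_lines), parse_capture(onprem_lines)
    if not aws["request"]:
        return "no-request", "the instance sent no echo requests on the captured interface"
    if not onp["request"]:
        return "lost-forward", ("requests leave the instance but never reach the on-prem host: "
                                "check VPC route, NACL, VPN tunnel and on-prem firewall")
    if not onp["reply"]:
        return "no-reply", ("on-prem host receives requests but sends no replies: "
                            "check its host firewall and its route back to the VPC")
    if not aws["reply"]:
        return "lost-return", ("replies leave the on-prem host but never reach the instance: "
                               "check on-prem routing, the tunnel and the inbound NACL")
    answered = len(aws["request"] & aws["reply"])
    return "ok", f"{answered} of {len(aws['request'])} echo requests answered end to end"


if __name__ == "__main__":
    print(diagnose(AWS_CAPTURE, ONPREM_CAPTURE))
    print(diagnose(AWS_CAPTURE, ONPREM_REQUESTS_ONLY))
```

Save each end's `tcpdump -n icmp` output to a file and pass the two line lists to `diagnose`; the verdict names the leg to look at, which is what the comment's "which end of the VPN tunnel is dropping the ICMP traffic" question comes down to.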