Impossible to ping from AWS to On-Premise Server with site-to-site AWS vpn

0

I have an AWS VPN Site-to-Site setup; I'm able to ping an EC2 instance in AWS, but I'm not able to ping from EC2 instances to the on-premise server. I have already checked the EC2 security group and the Network ACL, and the traffic is open on the on-premise client firewall. Please can I have any support?

Lionel
asked 6 days ago · 54 views
2 Answers
1

In addition to the troubleshooting steps mentioned in the other answer, you can use the VPC Reachability Analyzer to test the path between your EC2 instance and your on-prem network.

How Reachability Analyzer works

Reachability Analyzer analyzes the path between a source and destination by building a model of the network configuration, and then checking for reachability based on the configuration. It does not send packets or analyze the data plane.

To use Reachability Analyzer, you specify the path for the traffic from a source to a destination. For example, you could specify an internet gateway as the source, an EC2 instance as the destination, 22 as the destination port, and TCP as the protocol. This would allow you to verify that you can connect to the EC2 instance through the internet gateway using SSH.

If there are multiple reachable paths between a source and a destination, Reachability Analyzer identifies and displays the shortest path. You can analyze the path again, specifying an intermediate component, to find an alternative reachable path that traverses the intermediate component.

If the path is not reachable, Reachability Analyzer displays information about the component or combination of components that is blocking the path. There might be additional components blocking the path.

AWS
Tracy H
answered 5 days ago
EXPERT
reviewed 5 days ago
  • Hello, I have already used Reachability Analyzer; curiously, with Reachability Analyzer the traffic is in accepted status in both directions.

  • Can you connect from the EC2 to the on-prem server over TCP; for example SSH on TCP22?

    Run tcpdump or wireshark to capture traffic while running the ping. Do this on both the source and the destination servers.

    tcpdump icmp

    If the ping is reaching the destination server, you will see the traffic in the tcpdump. If the destination server is responding to the ping, you should see the reply traffic in the tcpdump. This should help you determine which end of the VPN tunnel is dropping the ICMP traffic.
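The comment above asks for tcpdump captures on both the EC2 instance and the on-prem server. As an added example (not from the post or its commenters), the Python below compares two `tcpdump -n icmp` captures taken at the same time on each end and names the leg where the echo traffic disappears. The addresses and capture lines are constructed samples, and the mapping from verdict to likely cause follows the checklist in this thread.

```python
"""Locate where ICMP echo traffic dies across a site-to-site VPN by comparing
`tcpdump -n icmp` captures taken at the same time on both endpoints.
Added example; the capture lines below are constructed, not from the post."""
import re

# One `tcpdump -n icmp` line looks like this (constructed sample):
# 12:00:01.000000 IP 10.0.1.10 > 192.168.1.20: ICMP echo request, id 7, seq 1, length 64
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(lines):
    """Return the set of (kind, seq) pairs present in a capture; non-ICMP lines are ignored."""
    seen = set()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen.add((m["kind"], int(m["seq"])))
    return seen


# What each verdict usually means, in terms of the checks discussed in the thread.
VERDICTS = {
    "no-request-sent": "the instance never emitted the echo request: check the instance itself",
    "request-lost-aws-to-onprem": "request left EC2 but never reached the server: VPC route table, "
                                  "SG egress, NACL egress, tunnel state or on-prem firewall",
    "no-reply-from-server": "server saw the request but did not answer: host firewall on the server",
    "reply-lost-onprem-to-aws": "server replied but the reply never reached EC2: on-prem return route "
                                "to the VPC CIDR, NACL ingress, or a firewall dropping echo reply",
    "reachable": "request and reply seen on both ends",
}


def diagnose(source_lines, dest_lines, seq=1):
    """Classify one echo request/reply pair (selected by ICMP seq) using both captures."""
    src = parse_capture(source_lines)   # capture taken on the EC2 instance
    dst = parse_capture(dest_lines)     # capture taken on the on-prem server
    if ("request", seq) not in src:
        return "no-request-sent"
    if ("request", seq) not in dst:
        return "request-lost-aws-to-onprem"
    if ("reply", seq) not in dst:
        return "no-reply-from-server"
    if ("reply", seq) not in src:
        return "reply-lost-onprem-to-aws"
    return "reachable"


# Constructed captures for a case where the server replies but the reply never makes it back.
EC2_CAPTURE = [
    "12:00:01.000000 IP 10.0.1.10 > 192.168.1.20: ICMP echo request, id 7, seq 1, length 64",
    "12:00:02.000000 IP 10.0.1.10 > 192.168.1.20: ICMP echo request, id 7, seq 2, length 64",
]
ONPREM_CAPTURE = [
    "12:00:01.010000 IP 10.0.1.10 > 192.168.1.20: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.010100 IP 192.168.1.20 > 10.0.1.10: ICMP echo reply, id 7, seq 1, length 64",
    "12:00:02.010000 IP 10.0.1.10 > 192.168.1.20: ICMP echo request, id 7, seq 2, length 64",
    "12:00:02.010100 IP 192.168.1.20 > 10.0.1.10: ICMP echo reply, id 7, seq 2, length 64",
]

if __name__ == "__main__":
    verdict = diagnose(EC2_CAPTURE, ONPREM_CAPTURE)
    print(verdict, "-", VERDICTS[verdict])
```

Run `tcpdump -n icmp` on both hosts while a single `ping -c 3` is in flight, paste each capture into the corresponding list, and the verdict tells you which of the answer's checks to look at first; the sample data above yields `reply-lost-onprem-to-aws`, the return-path case the checklist calls out as an on-prem route or firewall problem.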

0

1. VPN Configuration

  • Phase 1 and Phase 2 Configuration: Ensure that the VPN's Phase 1 and Phase 2 settings on both the AWS and on-premise sides match. If these configurations are mismatched, the tunnel may be up, but traffic won't flow correctly.

  • Tunnel Status: Confirm that both tunnels of the VPN connection are up. Sometimes, only one tunnel might be active, which could affect traffic routing.

2. Routing Configuration

  • AWS Route Tables: Verify that the VPC route table associated with the subnet where the EC2 instance resides has a route for the on-premises network pointing to the Virtual Private Gateway (VGW). For example, if your on-premise network is 192.168.1.0/24, there should be a route 192.168.1.0/24 pointing to the VGW.

  • On-Premise Routing: Ensure that your on-premises router/firewall has a route back to the AWS VPC CIDR block pointing to the VPN gateway.

3. Security Groups and Network ACLs

  • Security Groups: Make sure the security group associated with the EC2 instance allows inbound ICMP traffic (Echo Request) and outbound ICMP traffic (Echo Reply).

  • Network ACLs: Verify that your Network ACLs allow inbound and outbound ICMP traffic. NACLs should be set to allow all traffic if you're testing connectivity.

4. On-Premises Firewall Configuration

Double-check the firewall rules on the on-premise server to ensure they allow ICMP traffic from the AWS VPC IP range. Make sure the firewall on the on-premises side isn't blocking return traffic (Echo Reply) to the AWS instance.

5. NAT Instances or Gateways

If you're using a NAT instance or gateway, ensure it's properly configured and that traffic destined for the on-premise network isn't getting translated in a way that the on-premise network doesn't recognize.

6. IPsec Policies

Ensure that the IPsec policies on the on-premises VPN device match what AWS is expecting. Mismatched policies can sometimes allow the VPN to come up but block specific types of traffic.

7. VPC Peering (if applicable)

If the traffic is being routed through a peered VPC, ensure that VPC Peering allows traffic over the VPN and that the routing is correctly configured in both VPCs.

8. Logging and Diagnostics

  • VPN Logs: Check the VPN logs in AWS for any errors or dropped packets.

  • Packet Capture: Perform a packet capture on both the on-premise and AWS sides to see if ICMP requests are reaching the on-premise server and if replies are being sent.

EXPERT
answered 6 days ago
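The routing, security-group and NACL steps in the checklist above can be applied mechanically to the JSON that `aws ec2 describe-route-tables`, `describe-security-groups` and `describe-network-acls` return. The Python below is an added example, not the answerer's code: it runs those three checks for an EC2-to-on-prem ping, treating security groups as stateful (an egress rule for echo request, ICMP type 8, is what matters) and NACLs as stateless (echo request must be allowed out and echo reply, type 0, allowed back in). Every ID, CIDR and address in it is constructed, and the sample data includes the two common mistakes: a route table with only a default route to the internet gateway, and a NACL that lets TCP back in but not ICMP.

```python
"""Apply the route-table, security-group and NACL checks from the answer above to
JSON in the shape of `aws ec2 describe-route-tables`, `describe-security-groups`
and `describe-network-acls` output. Added example; all IDs and CIDRs are constructed."""
import ipaddress

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP types used by ping


def _contains(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_route(route_table, dest_ip):
    """The most specific active route for dest_ip must point at the VGW (or a transit gateway)."""
    hits = [r for r in route_table["Routes"]
            if "DestinationCidrBlock" in r and _contains(r["DestinationCidrBlock"], dest_ip)]
    if not hits:
        return False, f"no route covers {dest_ip}; add or propagate the on-prem CIDR to the VGW"
    best = max(hits, key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"], strict=False).prefixlen)
    target = best.get("GatewayId", "")
    if best.get("State") != "active":
        return False, f"route {best['DestinationCidrBlock']} is in state {best.get('State')}"
    if not target.startswith(("vgw-", "tgw-")):
        return False, f"route {best['DestinationCidrBlock']} goes to {target}, not the VGW"
    return True, f"route {best['DestinationCidrBlock']} -> {target}"


def _sg_rule_allows(perm, dest_ip, icmp_type):
    proto = perm["IpProtocol"]
    if proto not in ("-1", "icmp"):
        return False
    # For ICMP permissions FromPort carries the ICMP type; -1 means any type.
    if proto == "icmp" and perm.get("FromPort", -1) not in (-1, icmp_type):
        return False
    return any(_contains(r["CidrIp"], dest_ip) for r in perm.get("IpRanges", []))


def check_security_group(sg, dest_ip):
    """Security groups are stateful: an egress rule for echo request is enough, the reply is tracked."""
    ok = any(_sg_rule_allows(p, dest_ip, ECHO_REQUEST) for p in sg["IpPermissionsEgress"])
    return ok, ("egress ICMP echo request allowed" if ok else f"no egress rule allows ICMP to {dest_ip}")


def _nacl_allows(entries, egress, remote_ip, icmp_type):
    """NACLs are stateless and evaluated by ascending rule number; the first match wins."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or not _contains(e["CidrBlock"], remote_ip):
            continue
        proto = e["Protocol"]          # "-1" = all, "1" = ICMP, "6" = TCP, ...
        if proto not in ("-1", "1"):
            continue
        if proto == "1" and e.get("IcmpTypeCode", {}).get("Type", -1) not in (-1, icmp_type):
            continue
        return e["RuleAction"] == "allow"
    return False                       # nothing matched: implicit deny


def check_nacl(nacl, dest_ip):
    out_ok = _nacl_allows(nacl["Entries"], True, dest_ip, ECHO_REQUEST)
    in_ok = _nacl_allows(nacl["Entries"], False, dest_ip, ECHO_REPLY)
    if out_ok and in_ok:
        return True, "NACL allows echo request out and echo reply in"
    missing = [name for ok, name in ((out_ok, "outbound echo request"), (in_ok, "inbound echo reply")) if not ok]
    return False, "NACL blocks " + " and ".join(missing)


def diagnose(route_table, sg, nacl, dest_ip):
    """Return the failing checks as (name, reason) pairs; an empty list means the VPC side looks right."""
    results = {"route": check_route(route_table, dest_ip),
               "security-group": check_security_group(sg, dest_ip),
               "nacl": check_nacl(nacl, dest_ip)}
    return [(name, why) for name, (ok, why) in results.items() if not ok]


# Constructed sample data (not real account resources).
ON_PREM_HOST = "192.168.1.20"
VGW = "vgw-0123456789abcdef0"
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
GOOD_RT = {"Routes": [LOCAL, {"DestinationCidrBlock": "192.168.1.0/24", "GatewayId": VGW,
                              "State": "active", "Origin": "EnableVgwRoutePropagation"}]}
# Common mistake: only a default route to the internet gateway, nothing for the on-prem CIDR.
BAD_RT = {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0fedcba9876543210",
                             "State": "active"}]}
SG = {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
_DENY = [{"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": eg, "CidrBlock": "0.0.0.0/0"}
         for eg in (True, False)]
GOOD_NACL = {"Entries": [{"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": eg,
                          "CidrBlock": "0.0.0.0/0"} for eg in (True, False)] + _DENY}
# Stateless NACL that lets the echo request out but only lets TCP back in, so the reply is dropped.
BAD_NACL = {"Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
] + _DENY}

if __name__ == "__main__":
    for label, rt, nacl in (("good", GOOD_RT, GOOD_NACL), ("bad", BAD_RT, BAD_NACL)):
        print(label, diagnose(rt, SG, nacl, ON_PREM_HOST) or "all VPC-side checks passed")
```

Feed it the `RouteTables[0]`, `SecurityGroups[0]` and `NetworkAcls[0]` objects for the instance's subnet and group; whatever it flags on the AWS side narrows the checklist, and if it reports nothing, the remaining suspects are the tunnel itself, the on-prem return route and the on-prem firewall (steps 1, 2 and 4 above).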
