Cannot reach EC2 Instance over client to site VPN

0

I am somewhat new to AWS admin, but have built several EC2 Instances for customers with both site to site VPNs as well as client to site, using OpenVPN for the latter.

I am successfully connected to the VPN, but cannot ping or RDP to my instance's internal IP address.

I have created firewall rules in Windows allowing ICMPv4 in/out, and even disabled the Windows Defender Firewall.

I have applied a security group on the instance allowing all traffic from the subnet range of my VPN (10.0.0.0/16) as source; my VPN client has an IP of 10.0.1.34 currently while connected.

On the Route Table under VPC, I have the local route showing 172.31.0.0/16 (server's IP is 172.31.14.231) as a destination, as well as 0.0.0.0/16 as a destination. Both are showing as propagated as No (I have no site to site for this customer); not sure if the propagation is an issue here?

Subnet association under route tables has all the subnets listed, including the 172.31.16.0/20 which I checked does include my server's IP of 172.31.14.231.

Under VPN > Client VPN Endpoint > Associations, I have the network ID associated status with the network ID of the subnet 172.31.16.0/20; security group is the allow all traffic to VPC that I listed above. Authorization tab has access all is true, destination CIDR is 172.31.0.0/16 and state is Active. Route table tab has Destination CIDR of 172.31.0.0/16, target subnet is the one that includes my server (172.31.0.0/20). Connections shows the status of active with IP of 10.0.1.34.

I am running a continuous ping from the server to my VPN client IP of 10.0.1.34, as well as a ping from my workstation connected via VPN, both timing out. RDP cannot find the server.

I know this is a lot of information, but I really could use some help here. I would think it is a routing or firewall issue, but cannot seem to find the issue.

Thank you in advance.

asked 2 years ago, 1436 views
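The question lists every CIDR and address involved, so the relationships between them can be checked mechanically before any hop-by-hop testing. The script below is an added example for this thread (not code from AWS or from the poster): it uses Python's standard `ipaddress` module to verify, for a Client VPN path, that the client CIDR does not overlap the VPC, that an endpoint route covers the instance and targets a subnet that is actually associated with the endpoint, that an authorization rule covers the instance, and that the instance's security group admits the post-NAT source. That last check reflects how Client VPN works: client traffic is source-NATed to the endpoint's network interface in the associated subnet, so a security group rule that only allows the client CIDR (10.0.0.0/16 here) never matches. The `CONFIG` dictionary is constructed from the values quoted in the question; the helper names and the shape of the findings are this example's own.

```python
"""Static sanity check of an AWS Client VPN path using only the ipaddress module.

Added example for this thread; not code from AWS or from the original poster.
Runs offline: every input below is a constructed dictionary of the CIDRs and
addresses quoted in the question.
"""
from ipaddress import ip_address, ip_network

# Constructed from the question. Note that the endpoint route's target subnet
# and the endpoint's associated subnet are quoted there as two different /20s.
CONFIG = {
    "client_cidr": "10.0.0.0/16",                 # Client VPN client CIDR
    "client_ip": "10.0.1.34",                     # address the VPN client received
    "vpc_cidr": "172.31.0.0/16",                  # VPC CIDR (the "local" route)
    "instance_ip": "172.31.14.231",               # EC2 instance private IP
    "associated_subnets": ["172.31.16.0/20"],     # Client VPN endpoint > Associations
    "endpoint_routes": [("172.31.0.0/16", "172.31.0.0/20")],  # (destination, target subnet)
    "authorization_cidrs": ["172.31.0.0/16"],     # Client VPN endpoint > Authorization
    "instance_sg_sources": ["10.0.0.0/16"],       # inbound source CIDRs on the instance SG
}


def address_in_cidr(ip: str, cidr: str) -> bool:
    """True if the address falls inside the CIDR (strict parsing: host bits must be zero)."""
    return ip_address(ip) in ip_network(cidr)


def check_client_vpn_path(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means every CIDR relationship checks out."""
    findings: list[str] = []
    client_cidr = ip_network(cfg["client_cidr"])
    client_ip = ip_address(cfg["client_ip"])
    vpc = ip_network(cfg["vpc_cidr"])
    instance = ip_address(cfg["instance_ip"])
    associated = [ip_network(s) for s in cfg["associated_subnets"]]

    # 1. The client CIDR must not overlap the VPC, and the client must hold an address from it.
    if client_cidr.overlaps(vpc):
        findings.append(f"client CIDR {client_cidr} overlaps VPC CIDR {vpc}")
    if client_ip not in client_cidr:
        findings.append(f"client IP {client_ip} is outside client CIDR {client_cidr}")

    # 2. The instance must sit inside the VPC the endpoint is associated with.
    if instance not in vpc:
        findings.append(f"instance {instance} is outside VPC {vpc}")

    # 3. Some endpoint route must cover the instance, and each such route's target
    #    subnet must be one of the subnets associated with the endpoint.
    covering = [
        (ip_network(dest), ip_network(target))
        for dest, target in cfg["endpoint_routes"]
        if instance in ip_network(dest)
    ]
    if not covering:
        findings.append(f"no Client VPN endpoint route covers instance {instance}")
    for dest, target in covering:
        if target not in associated:
            findings.append(
                f"route {dest} targets subnet {target}, which is not associated with the endpoint"
            )

    # 4. An authorization rule must cover the instance, or the endpoint drops the traffic.
    if not any(instance in ip_network(a) for a in cfg["authorization_cidrs"]):
        findings.append(f"no authorization rule covers instance {instance}")

    # 5. Client VPN source-NATs client traffic to the endpoint ENI in the associated
    #    subnet, so the instance SG must admit the associated subnet(s); a rule that
    #    only lists the client CIDR never matches the translated source address.
    sg_sources = [ip_network(s) for s in cfg["instance_sg_sources"]]
    for subnet in associated:
        if not any(subnet.subnet_of(src) for src in sg_sources):
            findings.append(
                f"instance SG does not allow associated subnet {subnet} (post-NAT source of client traffic)"
            )
    return findings


if __name__ == "__main__":
    for line in check_client_vpn_path(CONFIG) or ["all CIDR checks passed"]:
        print(line)
```

Run against the values from the question, the script reports two findings: the endpoint route targets 172.31.0.0/20 while only 172.31.16.0/20 is associated, and the instance security group admits 10.0.0.0/16 rather than the associated subnet. `address_in_cidr` is there so the "does this subnet include my server" question can be answered from the command line rather than by eye (172.31.16.0/20 spans 172.31.16.0 to 172.31.31.255). The check is deliberately read-only and static; it replaces none of the hop-by-hop testing, but it rules out the configuration mismatches that most often cause exactly these symptoms before any packets are traced.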
2 Answers
0

Have you considered using the VPC Reachability Analyzer?

AWS
EXPERT
kentrad
answered 2 years ago
  • I looked, but none of the source/destination selections appeared to be anything with the VPN client from a user.

0

Hello. There are a lot of tests that can be done here. Also, propagation should not be an issue here. The best approach would be to track the flow of the traffic from on-premises to the AWS environment you are trying to reach. Once the flow is established and the path is mentioned, do the hop-by-hop tests and check where the traffic is getting dropped. Considering VPC/CVPN endpoint routing is correct and the rules for SG/NACL are correctly added on the EC2 and CVPN endpoint, you also need to add the routing on your on-premises end and verify.

If possible, ping the gateway and see if the packet is reaching the gateway. Also collect bi-directional traceroute/MTR (TCP-based) and check at which hop the traffic is being blocked.

Based on the above assumptions, I strongly feel there could be iptables rules that would be blocking the traffic, or any intermediate device. Let us do the hop-by-hop analysis and see if the hop can be isolated.

Else, the best bet would be to reach out to AWS Premium Support, since they will have access to the internal tooling and can help additionally by checking the instance and endpoint level details.

AWS
SUPPORT ENGINEER
answered 2 years ago
