I'd suggest you first check that on the on-premises firewall, you only have one CIDR (IP block) configured for both sides of the tunnel.
What you're describing typically happens when the on-premises gateway is configured as a "policy-based" VPN, while the AWS side is a "route-based" one. Normally, the AWS side would be configured with 0.0.0.0/0 in the traffic selector on both sides, and BGP would be used to control which networks are advertised from each side. This would only require one Security Association (SA) in each direction, regardless of how many routes are active. On-premises VPNs, on the other hand, are typically policy-based VPNs with multiple SAs established for the multiple combinations of CIDRs on each side.
When these mismatching configurations are connected, the tunnel will initially appear to work, but since the AWS side expects only one SA to be active in each direction, as soon as the on-premises side decides to establish a new SA for a different CIDR (or technically, an IP address range), the existing SA will be torn down.
This is mentioned in this documentation article: https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html#CGRequirements
You are limited to one unique security association (SA) pair per tunnel (one inbound and one outbound), and therefore two unique SA pairs in total for two tunnels (four SAs). Some devices use a policy-based VPN and create as many SAs as ACL entries. Therefore, you might need to consolidate your rules and then filter so that you don't permit unwanted traffic.
If this isn't the problem, you could activate CloudWatch logging for the VPN and see if a DPD (dead peer detection) or liveness check (for IKEv2) timeout or similar clear issue is logged: https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html

Thanks Leo, in addition the setup has two static routes of on-premise IP blocks, BGP is not configured. Also it seems like the two tunnels switch from time to time and there's a notification: "This VPN connection is not using both tunnels. This mode of operation is not highly available and we strongly recommend you configure your second tunnel."
Having two routes probably means that those two CIDRs are also configured in the "traffic selectors" that decide which traffic can go in an existing SA and which requires establishing a new SA. It may be called the "encryption domain" in the on-prem VPN configuration. Can you summarise the two on-prem CIDRs to one, larger one? Or remove one of the CIDRs temporarily to test if that resolves the stability problem.
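As an added illustration of the consolidation suggested above (example code, not from the thread or from AWS): it counts the SA pairs a policy-based device would negotiate from its traffic selectors against the one-pair-per-tunnel limit quoted from the AWS documentation, computes the single summary CIDR that covers the on-prem routes, and lists the extra address space that summary admits, which is what the on-prem filter still has to block. The CIDR values are constructed assumptions.

```python
import ipaddress
from itertools import product

# AWS permits one SA pair (inbound + outbound) per tunnel (quoted doc in the thread).
AWS_SA_PAIRS_PER_TUNNEL = 1

# Constructed sample selectors (assumptions for illustration, not from the thread):
# two on-prem static-route CIDRs with a gap between them, and one VPC CIDR.
ONPREM_CIDRS = ["10.10.0.0/24", "10.10.3.0/24"]
VPC_CIDRS = ["172.31.0.0/16"]


def policy_based_sa_pairs(local_cidrs, remote_cidrs):
    """A policy-based device negotiates one SA pair per (local, remote) selector
    combination, i.e. the cartesian product of the two CIDR lists."""
    return len(list(product(local_cidrs, remote_cidrs)))


def fits_aws_tunnel(local_cidrs, remote_cidrs):
    """True when the selector combinations need no more SA pairs than AWS allows."""
    return policy_based_sa_pairs(local_cidrs, remote_cidrs) <= AWS_SA_PAIRS_PER_TUNNEL


def summarise(cidrs):
    """Smallest single prefix covering every CIDR in the list (the 'one larger' CIDR)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    summary = nets[0]
    for net in nets[1:]:
        while not summary.supernet_of(net):
            summary = summary.supernet()  # widen by one bit until net fits
    return summary


def extra_ranges(summary, cidrs):
    """Address blocks the summary permits that none of the original CIDRs covered.
    These are what the on-prem filter/ACL must still block after consolidating."""
    leftover = [summary]
    for net in (ipaddress.ip_network(c) for c in cidrs):
        remaining = []
        for block in leftover:
            if block.subnet_of(net):
                continue  # wholly covered by an original CIDR
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))
            else:
                remaining.append(block)
        leftover = remaining
    return sorted(ipaddress.collapse_addresses(leftover))


if __name__ == "__main__":
    print("policy-based SA pairs now:", policy_based_sa_pairs(ONPREM_CIDRS, VPC_CIDRS))
    summary = summarise(ONPREM_CIDRS)
    print("summary CIDR:", summary, "-> SA pairs:", policy_based_sa_pairs([str(summary)], VPC_CIDRS))
    print("extra space the summary admits:", [str(n) for n in extra_ranges(summary, ONPREM_CIDRS)])
```

A route-based setup with 0.0.0.0/0 on both sides passes the same check with a single pair, which is the configuration AWS expects.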