- Newest
- Most votes
- Most comments
Q) I have a Site to Site VPN tunnel configured and passing traffic but intermittently in CloudWatch I see blips like its flapping in the graph.
A) Believe you are referring to the TunnelState Metrics on CloudWatch ( https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html#metrics-dimensions-vpn ) , which is exactly what you should be looking at if you are worried about tunnel going down.
TunnelState: The state of the tunnels. For static VPNs, 0 indicates DOWN and 1 indicates UP. For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states. For both types of VPNs, values between 0 and 1 indicate at least one tunnel is not UP.
Q) I enabled logging and receive the "AWS is sending DPD Requests" over and over again but I believe that's normal.
Enabling logging is great. Please check the logs for the exact timeframe you see the "TunnelState" going down/flapping. You can co-relate them with the Contents of Site-to-Site VPN logs: https://docs.aws.amazon.com/vpn/latest/s2svpn/log-contents.html and see the type of ERROR message being displayed. These error messages show issues with Phase 1 and Phase 2.
"AWS is sending DPD Requests" is common as it is a keep-alive mechanism for VPN. However, if you see an ERROR message: Peer is not responsive - Declaring peer dead , then that is a likely cause. Again, check the logs for any Error messages being displayed.
I would also recommend going through the following article for some well-know reasons for tunnel going down.
How do I troubleshoot AWS VPN tunnel inactivity or tunnel down on my customer gateway device? https://repost.aws/knowledge-center/vpn-tunnel-instability-inactivity
Feel free to ask any follow up questions and we are happy to help.
Yes, seeing this. Looks like the Customer Gateway is requesting the Delete
{ "event_timestamp": 1696421154, "details": "AWS tunnel received DELETE for IKE_SA from CGW", "dpd_enabled": true, "nat_t_detected": false, "ike_phase1_state": "down", "ike_phase2_state": "down" } { "event_timestamp": 1696421154, "details": "AWS tunnel is deleting IKE_SA between 52.x.x.x and cgw-0f875", "dpd_enabled": true, "nat_t_detected": false, "ike_phase1_state": "down", "ike_phase2_state": "down" } { "event_timestamp": 1696421154, "details": "AWS tunnel Phase 1 IKE_SA is deleted", "dpd_enabled": true, "nat_t_detected": false, "ike_phase1_state": "down", "ike_phase2_state": "down" } { "event_timestamp": 1696421154, "details": "received packet: from cgw-0f875 [UDP 4500] to 52.x.x.x[UDP 4500] (96 bytes)", "dpd_enabled": true, "nat_t_detected": true, "ike_phase1_state": "established", "ike_phase2_state": "established" }
Relevant content
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
"AWS tunnel received DELETE for IKE_SA from CGW" -- meaning Customer Gateway (Cisco device) has taken down the tunnel from its end and asking AWS to do the same. Would be good to check the vpn logs on Customer Gateway to find out the exact reason why. Idle timeout is one possible reason , caused by low traffic on a VPN tunnel , which is quite normal. If it is indeed that, you can create a host that sends ICMP requests to an instance in your virtual private cloud (VPC) every 5 seconds, or Cisco devices usually have IP SLA Monitor that can be configured. Suggestion would be to check your vendor documentation for your specific device.