VPN tunnel established but can't ping the client gateway IP

0

I have created 1 VPC in Amazon. I have established 1 tunnel from my local network to the client gateway.
The tunnel 1 status is UP.
I have allowed the whole IP range for the client, and they also configured it with the EC2 private IP.
Still I am not able to ping from Amazon EC2 to the client IP.

What might be the issue?

VPC ID: vpc-00f52dc82dd34bb8c
VPN ID: vpn-086ca90af4b768c94
VPG ID: vgw-0d740b67185fc32d0
Customer Gateway Id: cgw-07416d45422d95b5a

Edited by: leadgenios on Jun 4, 2021 5:21 PM

Edited by: leadgenios on Jun 4, 2021 5:22 PM

asked 3 years ago, 4767 views
3 Answers
0

Hi leadgenios

Thanks for reaching out :)

You could be having this issue because of a wrong configuration in a security group or network ACL in your VPC that filters traffic to the instance; these need to allow inbound and outbound ICMP traffic, which enables the instance to receive ping requests.

  1. Check for network ACLs in your VPC that prevent your VPN from establishing a connection:
    https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-tasks

  2. Verify that the security group rules assigned to the EC2 instances in your VPC allow appropriate access. Be sure to allow inbound SSH if you are using a Linux instance, and RDP if you are using a Windows instance. Also be sure to allow ICMP access.
    See Amazon EC2 Security Groups for Linux Instances:
    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
    or Amazon EC2 Security Groups for Windows Instances:
    https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html

  3. Additionally, verify that the route tables attached to your VPC are properly configured, for example make sure that your internet gateway has been added to your route table. See below link:
    https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html

I hope this helps!

Edited by: naz97 on Jun 7, 2021 7:11 AM

naz97
answered 3 years ago
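The checklist above covers security groups (stateful) and network ACLs (stateless, numbered rules, first match wins, implicit deny at the end). The difference matters for ping: a security group that allows the outbound echo request automatically admits the echo reply, but a NACL must allow the request on the outbound side and the reply on the inbound side separately. The following is an added example, not code from the original thread or from AWS; it models both evaluations for an ICMP echo round trip using constructed rule sets (ICMP type/code and TCP/UDP ports are deliberately ignored, and the rule numbers, CIDRs and addresses are assumptions).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # NACL rules are evaluated in ascending number order
    protocol: str    # "icmp", "tcp", "udp" or "all"
    cidr: str
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str    # "icmp", "tcp", "udp" or "all"
    cidr: str        # security groups only have allow rules


def nacl_decision(rules, protocol, remote_ip):
    """Stateless evaluation: lowest rule number first, first match wins,
    and the implicit '*' rule denies anything that matched nothing."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol in ("all", protocol) and ip in ipaddress.ip_network(rule.cidr):
            return rule.action
    return "deny"


def sg_allows(rules, protocol, remote_ip):
    """Security groups are allow-only; any matching rule permits the flow."""
    ip = ipaddress.ip_address(remote_ip)
    return any(
        r.protocol in ("all", protocol) and ip in ipaddress.ip_network(r.cidr)
        for r in rules
    )


def ping_round_trip(sg_outbound, nacl_outbound, nacl_inbound, remote_ip):
    """Return the list of VPC-side checks that would drop a ping from an
    instance to remote_ip. An empty list means the VPC side does not block it."""
    failures = []
    # Security group is stateful: once the outbound echo request is allowed,
    # the echo reply is tracked and admitted without an inbound rule.
    if not sg_allows(sg_outbound, "icmp", remote_ip):
        failures.append("sg outbound icmp")
    # NACL is stateless: the request leaving the subnet and the reply
    # entering it are two independent decisions.
    if nacl_decision(nacl_outbound, "icmp", remote_ip) != "allow":
        failures.append("nacl outbound icmp (echo request)")
    if nacl_decision(nacl_inbound, "icmp", remote_ip) != "allow":
        failures.append("nacl inbound icmp (echo reply)")
    return failures


# Constructed configuration matching the "All ICMP from 0.0.0.0/0, both
# directions" description in the thread (rule numbers are assumed).
POSTED_SG_OUT = [SgRule("icmp", "0.0.0.0/0"), SgRule("tcp", "0.0.0.0/0")]
POSTED_NACL_OUT = [NaclRule(100, "all", "0.0.0.0/0", "allow")]
POSTED_NACL_IN = [NaclRule(100, "icmp", "0.0.0.0/0", "allow"),
                  NaclRule(110, "tcp", "0.0.0.0/0", "allow")]

# Constructed counter-example: a deny rule with a lower number shadows the
# broad allow, so echo replies never get back in. Listed out of order on
# purpose to show that the number, not the list position, decides.
MISORDERED_NACL_IN = [NaclRule(200, "all", "0.0.0.0/0", "allow"),
                      NaclRule(100, "icmp", "0.0.0.0/0", "deny")]

if __name__ == "__main__":
    remote = "128.9.0.5"   # assumed host inside the client CIDR from the thread
    print("posted config:", ping_round_trip(POSTED_SG_OUT, POSTED_NACL_OUT, POSTED_NACL_IN, remote))
    print("misordered NACL:", ping_round_trip(POSTED_SG_OUT, POSTED_NACL_OUT, MISORDERED_NACL_IN, remote))
```

Note that this only models the VPC side. A ping that passes every check here can still die at the customer gateway, at a host firewall on the remote end, or because the remote side has no return route to the VPC CIDR; those are not visible from the AWS console.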
0

Hi, thanks for the reply
Unfortunately I'm still unable to ping the client's IP.

The security group (sg-0eacf2f11b7a4bc1f) attached to the VPC had HTTP, HTTPS, SSH and All ICMP (IPv4 and IPv6) rules with a 0.0.0.0/0 source, for both inbound and outbound rules.
The internet gateway (igw-08a7d9b4750466e98) is attached to VPC.
The route table (rtb-0df2575f528d0508a) had the following routes:

  • 128.9.0.0/16 (client IP CIDR), target: igw-08a7d9b4750466e98, propagated: no
  • 10.0.0.0/16 (VPC IPv4 CIDR), target: local, propagated: no
  • 0.0.0.0/0, target: igw-08a7d9b4750466e98, propagated: no
  • 128.9.0.0/16 (client IP CIDR), target: vgw-0d740b67185fc32d0, propagated: yes

The default ACL is associated with the VPC subnet; its inbound and outbound rules allow All ICMP (IPv4, IPv6) with a 0.0.0.0/0 source.

If I do a traceroute to the client's IP, I get a trace response but can't reach the client's IP.
Doing a ping, I don't get a response.

What am I missing?

answered 3 years ago
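The route table listed in the reply above has two entries for the same destination, 128.9.0.0/16: a static one pointing at the internet gateway and a propagated one pointing at the virtual private gateway. Which one the VPC actually uses is decided by the route priority rules on the VPC route tables page linked in the first answer: longest prefix match first, and for equal prefixes a static route is preferred over a propagated one. The following is an added example, not code from the original thread or from AWS; it implements that selection over the posted table (transcribed here as constructed data) and reports routes that can never be chosen because an equal-prefix route outranks them. It only shows which target a packet would be sent to; it does not diagnose the tunnel itself.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str      # CIDR as shown in the console
    target: str           # "local", "igw-...", "vgw-...", ...
    propagated: bool = False


# Constructed from the route table posted in the reply above (rtb-0df2575f528d0508a).
POSTED_ROUTES = [
    Route("128.9.0.0/16", "igw-08a7d9b4750466e98", propagated=False),
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "igw-08a7d9b4750466e98"),
    Route("128.9.0.0/16", "vgw-0d740b67185fc32d0", propagated=True),
]


def _priority(route):
    """Sort key: longer prefix wins; on a tie, local beats static beats propagated.
    This is the documented VPC route priority for equal destinations; finer
    ordering among propagated sources (Direct Connect vs VPN) is not modelled."""
    prefixlen = ipaddress.ip_network(route.destination).prefixlen
    if route.target == "local":
        kind = 2
    elif not route.propagated:
        kind = 1
    else:
        kind = 0
    return (prefixlen, kind)


def select_route(routes, dst_ip):
    """Return the Route the VPC would use for dst_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.destination)]
    if not candidates:
        return None
    return max(candidates, key=_priority)


def shadowed_routes(routes):
    """Return (shadowed, winner) pairs: routes whose destination exactly equals
    another route's destination and that lose the tie-break, so traffic never
    reaches their target. A propagated VGW route shadowed by a static IGW route
    is exactly the pattern that keeps VPN-bound traffic off the tunnel."""
    by_dest = {}
    for r in routes:
        by_dest.setdefault(ipaddress.ip_network(r.destination), []).append(r)
    pairs = []
    for entries in by_dest.values():
        if len(entries) < 2:
            continue
        winner = max(entries, key=_priority)
        pairs.extend((r, winner) for r in entries if r is not winner)
    return pairs


def without_static_igw_route(routes, cidr):
    """The corrected table: drop the static route for cidr so the propagated
    VGW route becomes the only candidate for that prefix."""
    return [r for r in routes
            if not (r.destination == cidr and not r.propagated and r.target.startswith("igw-"))]


if __name__ == "__main__":
    client_host = "128.9.0.5"   # assumed host inside the posted client CIDR
    print("as posted   ->", select_route(POSTED_ROUTES, client_host).target)
    for shadowed, winner in shadowed_routes(POSTED_ROUTES):
        print(f"shadowed: {shadowed.destination} via {shadowed.target} (beaten by {winner.target})")
    fixed = without_static_igw_route(POSTED_ROUTES, "128.9.0.0/16")
    print("static removed ->", select_route(fixed, client_host).target)
```

The practical check this encodes: when a destination appears twice in a route table, look at the Propagated column. A static entry for the remote CIDR that points anywhere but the virtual private gateway will win over the propagated VPN route for the same prefix, and traffic for that CIDR leaves through the other target rather than the tunnel.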
0

Hi leadgenios

Thanks for your response :)

AWS VPC with a site-to-site VPN has a recommended block by default which blocks all traffic that isn't defined as allowed. ICMP requests like ping are not allowed over the VPC/VPN due to this. Try using network tools that will set up a connection over an allowed port. If something else is not configured correctly for the VPC/VPN, please reach out to AWS Support for more help. Ping commands can also be blocked by a firewall or time out due to network latency or hardware issues.

To display ICMP information, use command:
netstat -ps ICMP
A variety of ICMP message types are displayed along with how many of each type of message were received and sent. Most, if not all, will be Echo and Echo Reply messages.

The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI):
https://aws.amazon.com/about-aws/whats-new/2021/03/introducing-ec2-serial-console/
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-serial-console.html

Additionally, you can have a look at the below user guide on troubleshooting packet loss on the VPN connection:
https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-vpn-packet-loss/

To contact AWS Support, do the following:

  1. Sign in to your AWS account.
  2. Open the AWS Support console, and then choose Create case.
  3. Select your option for Create case, and then enter the required information in the Case details section.
  4. Select your preference for Contact options.
    If you select Web, you can read and respond to the case in Support Center.
    If you select Chat, you can chat online with a representative from AWS Support.
    If you select Phone, you're prompted for a callback number. You receive a call from AWS Support as soon as you create the case.
    Important: The options for contact vary based on the type of case and your Support plan.
  5. Choose Submit.

I hope this helps!

naz97
answered 3 years ago
