Hi GregL,
Thanks for your question.
Let me start with some information regarding AWS S2S VPN - AWS VPN is a route-based solution [1] and it supports a single IPSec Security Association (SA) for policy-based implementations. So if you are implementing a policy-based VPN in your Customer Gateway (CGW) configuration, you will need to limit the SA to a single SA, otherwise there will be connectivity issues. You can also find the related information on the AWS VPN FAQs page here [2].
Your explanation of the current behaviour is highly likely to be related to multiple SAs from a policy-based VPN implementation on your CGW device (Cisco ASA). The policy-based configuration is most likely a multi-entry extended ACL, for example like below:
- Allow ip on-prem-subnet-1 VPC-CIDR
- Allow ip on-prem-subnet-2 VPC-CIDR
- etc.
In the above configuration each line of the extended ACL generates a separate IPSec SA for communication over the tunnels. Hence, to avoid this multiple-SA scenario, try to summarize the on-prem subnets into a single entry, or use 0.0.0.0/0 for the on-prem network and control the traffic with routing. This way you can ensure a single IPSec SA is created and avoid intermittent connectivity issues from your on-prem subnets.
Hope this helps and looking forward to your feedback!
Thanks
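An added check based on the answer above (example code, not part of the answer and not an AWS or Cisco tool): it parses a constructed Cisco ASA crypto ACL, counts how many IPsec SAs a policy-based peer would negotiate from it, and proposes the single summarized entry that keeps the tunnel to one SA. The ACL name AWS-VPN and all addresses are made up for the example.

```python
import ipaddress
import re

# Constructed sample: a multi-entry crypto ACL on a Cisco ASA, one line per on-prem subnet.
SAMPLE_ACL = """
access-list AWS-VPN extended permit ip 10.10.1.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list AWS-VPN extended permit ip 10.10.2.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list AWS-VPN extended permit ip 10.10.3.0 255.255.255.0 172.31.0.0 255.255.0.0
"""

# ASA 'extended permit ip <src> <mask> <dst> <mask>' entries in dotted-netmask form.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_crypto_acl(text):
    """Return (acl_name, [(src_net, dst_net), ...]) for the 'permit ip' lines."""
    name, entries = None, []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name = m.group(1)
        src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
        entries.append((src, dst))
    return name, entries


def expected_sa_count(entries):
    """Each distinct (src, dst) pair of a policy-based crypto ACL becomes its own IPsec SA."""
    return len(set(entries))


def _supernet(nets):
    # Widen the prefix until one network contains every entry (IPv4 only here).
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return cand


def summarize(entries):
    """One (src, dst) pair covering all entries, so the peer negotiates a single SA."""
    return _supernet([e[0] for e in entries]), _supernet([e[1] for e in entries])


def render_single_entry(name, src, dst):
    """Render the summarized pair back as one ASA ACL line."""
    return (f"access-list {name} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")
```

Running it on the sample reports three SAs and proposes `10.10.0.0 255.255.252.0` to `172.31.0.0 255.255.0.0` as the single entry; using 0.0.0.0/0 as the source, as the answer suggests, is the other option when summarization is not clean.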