Site to Site VPN Issue

0

I have configured a Site-to-Site VPN between my on-prem firewall and AWS. My on-prem firewall shows both tunnels up, but in my AWS console the status shows down while IPsec is up. Please advise; we have a PoC. Your prompt support will be highly appreciated.

  • A bit more detail on the error would be helpful.

1 Answer
1

Hello, I see you are having issues with your Site-to-Site VPN connection.

With AWS Site-to-Site VPN, when the status in your AWS console shows IPsec up and tunnel down, this indicates that IPsec has been successfully established between the two peers. However, since this is a dynamic (BGP) VPN, the tunnel will only come up once the BGP session is established.

There are a number of issues that can affect BGP session establishment, which include but are not limited to the following: IKE security associations and the BGP peer IPs, to mention some.

To try to resolve the issue, verify that the BGP[1] configuration, such as the peer IP and ASN, is correct. I have referenced documentation to help troubleshoot your issue [2][3][4], since you have not mentioned a specific error. Be sure to check the traffic selectors (encryption domain) and confirm that they permit the BGP peer IPs. Verify that your device has rules allowing BGP traffic, TCP on port 179, inbound and outbound to the AWS tunnel inside IPs. Also have a look at the BGP status and logs on your device, which helps analyse any BGP errors.

You can monitor your VPN connection using CloudWatch, which will help you monitor the state of your tunnel[5]. You may also monitor your tunnel connections using AWS Health events, which you can configure to see what happens when you try to connect the Site-to-Site VPN[6].

References:

[1] https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-dynamic-routing-examples.html

[2] https://aws.amazon.com/premiumsupport/knowledge-center/vpn-cgw-vpg-traffic/

[3] https://aws.amazon.com/premiumsupport/knowledge-center/vpn-tunnel-instability-inactivity/

[4] https://docs.aws.amazon.com/vpn/latest/s2svpn/Troubleshooting.html

[5] https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html

[6] https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-vpn-health-events.html

Antonio
answered 2 years ago
  • Dear Support, thanks for your reply. I am thinking of changing from dynamic to static routing; will that help me? Also, when I try to change dynamic to static routing it does not show me the option, so could you please advise how and from where I can change dynamic to static routing. Thanks
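As an added example, not part of the answer above or of any AWS tooling: a small offline Python triage script that reads the shape of `aws ec2 describe-vpn-connections` output (the `Status` and `StatusMessage` fields under `VgwTelemetry`, the `TunnelInsideCidr` values under `Options.TunnelOptions`, and `Options.StaticRoutesOnly`) together with a hand-transcribed copy of the on-prem BGP neighbour settings, and reports the mismatches the answer tells you to check: inside peer IPs, local and remote ASN, and whether TCP/179 is permitted. It relies on the convention in the downloadable customer gateway configuration that AWS takes the first usable address of each /30 tunnel inside CIDR and the customer gateway the second. The JSON sample, the on-prem dictionary and its layout, the ASN values and the outside IPs are all constructed for this example.

```python
"""Offline triage for an AWS Site-to-Site VPN showing "IPSEC IS UP" but tunnel DOWN.

Added example. Input is constructed JSON shaped like `aws ec2 describe-vpn-connections`
output plus a hand-transcribed copy of the on-prem BGP neighbour configuration.
The EC2 field names are real; the on-prem dictionary layout is an assumption.
"""
import ipaddress
import json

# Constructed sample (not captured from a real account), trimmed to the fields used.
SAMPLE_VPN_CONNECTION = json.loads("""
{
  "VpnConnectionId": "vpn-0123456789abcdef0",
  "Options": {
    "StaticRoutesOnly": false,
    "TunnelOptions": [
      {"OutsideIpAddress": "203.0.113.10", "TunnelInsideCidr": "169.254.10.0/30"},
      {"OutsideIpAddress": "203.0.113.11", "TunnelInsideCidr": "169.254.11.0/30"}
    ]
  },
  "VgwTelemetry": [
    {"OutsideIpAddress": "203.0.113.10", "Status": "DOWN",
     "StatusMessage": "IPSEC IS UP", "AcceptedRouteCount": 0},
    {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
     "StatusMessage": "IPSEC IS UP", "AcceptedRouteCount": 0}
  ]
}
""")

# Constructed on-prem BGP settings, keyed by the AWS outside IP of each tunnel.
# Tunnel 1 blocks TCP/179 on the firewall; tunnel 2 has the inside IPs swapped.
ONPREM_BGP = {
    "203.0.113.10": {"local_ip": "169.254.10.2", "neighbor_ip": "169.254.10.1",
                     "local_asn": 65000, "remote_asn": 64512, "tcp179_allowed": False},
    "203.0.113.11": {"local_ip": "169.254.11.1", "neighbor_ip": "169.254.11.2",
                     "local_asn": 65000, "remote_asn": 64512, "tcp179_allowed": True},
}
CGW_BGP_ASN = 65000       # BgpAsn of the customer gateway (constructed value)
AMAZON_SIDE_ASN = 64512   # AmazonSideAsn of the virtual private gateway (constructed value)


def classify_tunnel(telemetry):
    """Map one VgwTelemetry entry to a coarse state."""
    if telemetry["Status"] == "UP":
        return "up"
    if telemetry.get("StatusMessage", "").upper().startswith("IPSEC IS UP"):
        return "ipsec-up-bgp-down"   # IPsec SA established, BGP session not up
    return "ipsec-down"


def check_bgp_peering(tunnel_option, onprem, cgw_asn, amazon_asn):
    """List mismatches between the AWS tunnel parameters and the on-prem BGP config."""
    findings = []
    inside = ipaddress.ip_network(tunnel_option["TunnelInsideCidr"])
    # /30 has two usable hosts: AWS uses the first, the customer gateway the second.
    aws_inside, cgw_inside = list(inside.hosts())
    if ipaddress.ip_address(onprem["local_ip"]) != cgw_inside:
        findings.append(f"local inside IP should be {cgw_inside}, firewall has {onprem['local_ip']}")
    if ipaddress.ip_address(onprem["neighbor_ip"]) != aws_inside:
        findings.append(f"BGP neighbour should be {aws_inside}, firewall has {onprem['neighbor_ip']}")
    if onprem["local_asn"] != cgw_asn:
        findings.append(f"local ASN {onprem['local_asn']} differs from customer gateway BgpAsn {cgw_asn}")
    if onprem["remote_asn"] != amazon_asn:
        findings.append(f"remote ASN {onprem['remote_asn']} differs from AmazonSideAsn {amazon_asn}")
    if not onprem["tcp179_allowed"]:
        findings.append(f"TCP/179 not permitted between {cgw_inside} and {aws_inside}")
    return findings


def diagnose(conn, onprem_by_outside_ip, cgw_asn, amazon_asn):
    """Per tunnel: coarse state, plus BGP findings when the state points at BGP."""
    options = {t["OutsideIpAddress"]: t for t in conn["Options"]["TunnelOptions"]}
    report = {}
    for tele in conn["VgwTelemetry"]:
        outside_ip = tele["OutsideIpAddress"]
        state = classify_tunnel(tele)
        findings = []
        # BGP checks only make sense for a dynamic (non-static) connection.
        if state == "ipsec-up-bgp-down" and not conn["Options"]["StaticRoutesOnly"] \
                and outside_ip in onprem_by_outside_ip:
            findings = check_bgp_peering(options[outside_ip], onprem_by_outside_ip[outside_ip],
                                         cgw_asn, amazon_asn)
        report[outside_ip] = {"state": state, "findings": findings}
    return report


if __name__ == "__main__":
    for ip, r in diagnose(SAMPLE_VPN_CONNECTION, ONPREM_BGP, CGW_BGP_ASN, AMAZON_SIDE_ASN).items():
        print(ip, r["state"])
        for f in r["findings"]:
            print("  -", f)
```

In real use, replace the constructed JSON with the output of `aws ec2 describe-vpn-connections --vpn-connection-ids <id>`, take the customer gateway ASN from `aws ec2 describe-customer-gateways` (`BgpAsn`) and the Amazon side ASN from `aws ec2 describe-vpn-gateways` (`AmazonSideAsn`), and transcribe the firewall's BGP neighbour settings into the dictionary. A tunnel whose telemetry reads DOWN with "IPSEC IS UP" and whose findings list is empty points at something the script cannot see from the AWS side, such as the encryption domain or the device's own BGP logs, which the answer also asks you to check.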
