Route table not routing to Site-to-Site VPN's Inside Ipv4 CIDR

0

I have a VPC with a private subnet (NAT) that has a routing table which redirects traffic for a given IP range (Data center) to a vgw (virtual private gateway), then I have this site-to-site VPN configured with this vgw and a customer gateway; on its static routes I also had the IP range for the Data center. But I can't seem to get my EC2 running Ubuntu to traceroute to the corresponding VPN's Inside IPv4 CIDR when trying to reach the Data center's range.

What could be wrong? VPN tunnels are up so even if I couldn't reach the Data Center, it should at least hop on the VPN IP address.

Thanks in advance for any ideas!

3 Answers
1

When working with a statically routed VPN there are a few best practices you must keep in mind:

  • AWS only uses one tunnel inside an AWS VPN as active and the other tunnel is expected to be standby. This tunnel is chosen randomly.
  • Your customer gateway device must maintain a symmetric traffic flow. If you do not have any monitoring mechanism to do so, keep one tunnel shut and bring the other one up only when the primary tunnel fails.
  • Use a dynamically routed VPN; this will leverage BGP to ensure you have a symmetric path.

Please open a support case to investigate more. You can refer to some documentation here:

AWS
answered 2 years ago
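The question describes three pieces that all have to line up before a packet from the private subnet can enter the tunnel: the subnet's route table must send the data-center range to the vgw, the VPN attached to that vgw must carry a static route for the same range, and at least one tunnel must be UP (with static routing AWS forwards over only one of the two, as the answer above notes). The following script walks exactly that chain. It is an added diagnostic example, not code from the questioner or from AWS; it works on the dict shapes that boto3's `describe_route_tables()` and `describe_vpn_connections()` return, and the two sample responses embedded in it are constructed, so every ID, CIDR and address is made up. To run it against a real account, replace the two constants with the output of `boto3.client("ec2").describe_route_tables()` and `describe_vpn_connections()`.

```python
"""Check whether a private subnet's route table and a Site-to-Site VPN will carry
traffic for an on-premises (data-center) CIDR. Added diagnostic example; the two
sample API responses below are constructed and every identifier in them is made up."""
import ipaddress

VGW = "vgw-0example0000000001"          # constructed virtual private gateway ID
SUBNET = "subnet-0private0000000001"    # constructed private subnet ID
DC_CIDR = "172.16.0.0/12"               # constructed data-center range

# Constructed: the private (NAT) subnet's route table, shaped like describe_route_tables().
ROUTE_TABLES = {"RouteTables": [{
    "RouteTableId": "rtb-0example0000000001",
    "Associations": [{"SubnetId": SUBNET, "Main": False}],
    "PropagatingVgws": [],
    "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example0000000001", "State": "active"},
        {"DestinationCidrBlock": DC_CIDR, "GatewayId": VGW, "State": "active"},
    ],
}]}

# Constructed: a statically routed VPN on that vgw, one tunnel UP, shaped like describe_vpn_connections().
VPN_CONNECTIONS = {"VpnConnections": [{
    "VpnConnectionId": "vpn-0example0000000001",
    "State": "available",
    "VpnGatewayId": VGW,
    "CustomerGatewayId": "cgw-0example0000000001",
    "Options": {"StaticRoutesOnly": True},
    "Routes": [{"DestinationCidrBlock": DC_CIDR, "State": "available", "Source": "Static"}],
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 0},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0},
    ],
}]}

TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")


def route_target(route):
    """Return the next-hop identifier of a route, whichever target key it uses."""
    return next((route[k] for k in TARGET_KEYS if k in route), None)


def select_route(route_table, dest_ip):
    """Longest-prefix match, as the VPC router does; only active routes count."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in route_table["Routes"]
                  if r.get("State") == "active" and "DestinationCidrBlock" in r
                  and ip in ipaddress.ip_network(r["DestinationCidrBlock"])]
    return max(candidates, default=None,
               key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)


def table_for_subnet(route_tables, subnet_id):
    """The table explicitly associated with the subnet, else the VPC's main table."""
    tables = route_tables["RouteTables"]
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next((t for t in tables if any(a.get("Main") for a in t["Associations"])), None)


def diagnose(route_tables, vpn_connections, subnet_id, dc_cidr):
    """Return a list of findings; an empty list means the path looks complete."""
    findings = []
    dc_net = ipaddress.ip_network(dc_cidr)
    table = table_for_subnet(route_tables, subnet_id)
    if table is None:
        return [f"no route table found for {subnet_id}"]
    # 1. Does the subnet's route table send the data-center range to a vgw at all?
    route = select_route(table, str(dc_net.network_address))
    target = route_target(route) if route else None
    if not (target or "").startswith("vgw-"):
        findings.append(f"{dc_cidr} leaves {table['RouteTableId']} via {target or 'no route'}, not a VGW")
        return findings
    route_net = ipaddress.ip_network(route["DestinationCidrBlock"])
    if not dc_net.subnet_of(route_net):
        findings.append(f"route {route_net} to {target} covers only part of {dc_cidr}")
    # 2. Is a VPN attached to that vgw, and does it know the range?
    vpns = [v for v in vpn_connections["VpnConnections"] if v["VpnGatewayId"] == target]
    if not vpns:
        return findings + [f"no VPN connection is attached to {target}"]
    for vpn in vpns:
        vid = vpn["VpnConnectionId"]
        if vpn["State"] != "available":
            findings.append(f"{vid} is in state {vpn['State']}")
        if vpn["Options"].get("StaticRoutesOnly"):
            covered = any(r["State"] == "available"
                          and dc_net.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))
                          for r in vpn.get("Routes", []))
            if not covered:
                findings.append(f"{vid} has no available static route covering {dc_cidr}")
        elif not any(t.get("AcceptedRouteCount", 0) > 0 for t in vpn["VgwTelemetry"]):
            findings.append(f"{vid}: BGP has accepted no routes from the customer gateway")
        # 3. Tunnel state: with static routing AWS forwards over one UP tunnel only.
        if not any(t["Status"] == "UP" for t in vpn["VgwTelemetry"]):
            findings.append(f"{vid}: both tunnels are DOWN")
    return findings


if __name__ == "__main__":
    for line in diagnose(ROUTE_TABLES, VPN_CONNECTIONS, SUBNET, DC_CIDR) or ["path looks complete"]:
        print(line)
```

The longest-prefix match in `select_route` is the part worth keeping even if nothing else applies: a more specific route (to a NAT gateway, a peering connection or an interface) silently wins over a broader route to the vgw, and that shows up in the console only as "traceroute never reaches the tunnel".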
0

This issue just started for us today with our Site-to-Site VPNs. We can still ping the outside IP addresses of the two tunnels. I went through every setting of our Firewall and the AMS VPC configurations to make sure nothing had changed. I suspect this will turn out to be an issue, which is more global in nature (at least for the AWS zone we are located in). I'm glad to see this post was first on the forum list when I came to check if others were experiencing this today.

answered 2 years ago

0

Well, we have several other vpns on this and two other regions working consistently (or they seem to, which is frightening :)), but just now we've realized we've been getting many of these "Your VPN Connection XXXXXXXXXXXX in the XXXXX Region had a momentary lapse of redundancy as one of two tunnel endpoints was replaced" so, who knows... For now we gave up on the vpn we were setting up. We'll look at other options to encrypt the connection. Thanks!!

Matt
answered 2 years ago
