VPN tunnel is UP, but can't ping or telnet through the tunnel

0

Hi,

I have a VPC in AWS, I was able to build a Site-to-site VPN tunnel with a remote ASA router.

AWS subnet: 172.31.32.0/20
Counter-party (ASA side) subnet: 192.168.100.0/24
VPN: vpn-0f651da88e042c69a
VPC: vpc-3ce65157
VPG: vgw-0f245078689fc9788
Customer Gateway: cgw-0f9a72a575d19acc6
Route Table: rtb-1fafd374
EC2: i-0e813ed5a4ab389be (enabled all traffic for the VPN counter-party private subnet 192.168.100.0/24)

Timing out to ping or telnet in either direction. When pinging from the remote side to AWS, the remote network engineer did see the traffic go out to AWS, but no reply.

Am I missing anything?

Thanks,
Yan

Edited by: ywang on Nov 23, 2020 12:20 PM

ywang
Asked 3 years ago, 2263 views
2 answers
0

Hi Yan,
Thanks for writing in.
From what I understand, the VPN is configured correctly and the ASA is seeing egress traffic towards AWS? If that's the case, the recommended way to troubleshoot issues such as this is via the flow logs. Enabling flow logs for a VPC, subnet or specific ENIs will show what traffic ingresses/egresses the said ENI and prove if traffic has actually made it to AWS or not. If you're not across flow logs/how to set up flow logs, get started at [1]. The key thing to look for in your case is:

a) if traffic is seen in the flow logs from a given source IP (in the 192.168.100.0/24 range) and if the logs show "ACCEPT". If you see a "REJECT" for the said flow, it typically means there's a problem with the security group, routing table, Network access lists to name a few.
b) If you're able to see bi-directional traffic flows in the logs for a given source/destination. If you do not see any traffic from that source, it means that there's a problem with the VPN and traffic has not made it to AWS/this VPC as yet.

For end-to-end troubleshooting, you can also run packet captures on the EC2 instance, the source server/appliance and the ASA simultaneously so that you can trace your traffic all the way.

NOTE: Please refrain from divulging any personal information around your AWS resources including Resource IDs, Public IPs and Security group rules to name a few, since all posts are publicly available indefinitely. If you need pointed guidance, please reach out to us at AWS Support via the Support console.

[1] https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

Edited by: Vignesh-AWS on Nov 24, 2020 11:38 AM

Answered 3 years ago
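The two checks in the answer above (a: is the remote source accepted or rejected at the ENI, b: is there a matching reply flow back to the remote range) can be applied mechanically to exported flow log records. The script below is an added example, not part of the original thread or an AWS tool; it parses the default VPC flow log v2 format, and the log lines, account ID and ENI ID in it are constructed sample data for the subnets named in the question.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in the default VPC flow log v2 format (not real captures):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0abcdef1234567890 192.168.100.15 172.31.40.10 3456 23 6 4 240 1606150000 1606150060 ACCEPT OK
2 123456789012 eni-0abcdef1234567890 172.31.40.10 192.168.100.15 23 3456 6 3 180 1606150000 1606150060 ACCEPT OK
2 123456789012 eni-0abcdef1234567890 192.168.100.30 172.31.40.10 0 0 1 3 252 1606150000 1606150060 ACCEPT OK
2 123456789012 eni-0abcdef1234567890 192.168.100.20 172.31.40.10 5000 22 6 2 120 1606150000 1606150060 REJECT OK
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

def parse_flow_log(text):
    """Return one dict per v2 record; header, blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records

def diagnose(records, remote_cidr, local_cidr):
    """Classify each remote->local pair: rejected, bidirectional, or one-way (no reply flow)."""
    remote = ipaddress.ip_network(remote_cidr)
    local = ipaddress.ip_network(local_cidr)
    inbound = defaultdict(set)   # (remote_ip, local_ip) -> actions seen on inbound records
    outbound = set()             # (remote_ip, local_ip) pairs that also have a reply record
    for r in records:
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if src in remote and dst in local:
            inbound[(str(src), str(dst))].add(r["action"])
        elif src in local and dst in remote:
            outbound.add((str(dst), str(src)))
    if not inbound:  # check b) failed outright: nothing from the remote range reached the ENI
        return {"_summary": "no traffic from remote range seen: VPN or routing problem before the VPC"}
    findings = {}
    for pair, actions in inbound.items():
        if "REJECT" in actions and "ACCEPT" not in actions:   # check a) failed
            findings[pair] = "rejected: check security group, network ACL and route table"
        elif pair in outbound:                                 # check b) passed
            findings[pair] = "bidirectional: traffic reaches the instance and a reply is logged"
        else:                                                  # accepted in, no reply seen
            findings[pair] = "one-way: request accepted but no reply flow; check return routing"
    return findings

if __name__ == "__main__":
    for pair, verdict in diagnose(parse_flow_log(SAMPLE_LOG), "192.168.100.0/24", "172.31.32.0/20").items():
        print(pair, verdict)
```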
0

Thanks Vignesh. The remote side fixed the issue by changing from BGP mode to static routing.

Setting up flow log as you suggested helps a lot for troubleshooting.

Yan

ywang
Answered 3 years ago
