One of the subnets in CIDR can't connect to site-to-site VPN

0

We have a Site-to-Site VPN connection to a datacenter via Virtual Private Gateway, attached to a private VPC with three private subnets (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24), which use the same route table.
The VPN connection has static routes set up and propagation is enabled, so all three subnets have them propagated and are exactly the same in terms of configuration, except for CIDR.
When trying to connect from instances in the 10.0.0.0/24 and 10.0.2.0/24 CIDRs the connection works with no issues; however, 10.0.1.0/24 fails to connect. Traceroutes from the working subnets work, but the faulty one returns only asterisks.
Security groups and NACLs DO allow all the needed access and are the same for all instances in the mentioned subnets.
The datacenter side has the CIDRs allowed and the Remote IPv4 network CIDR is set to 0.0.0.0/0, which should allow all subnets to work with the VPN. The datacenter side can ping 10.0.0.0/24 and 10.0.2.0/24 but times out for 10.0.1.0/24.

Raman
asked 12 days ago · 47 views
1 Answer
1

You can use the VPC Reachability Analyzer to test the path between your subnets. This will help identify the problem.

How Reachability Analyzer works

Reachability Analyzer analyzes the path between a source and destination by building a model of the network configuration, and then checking for reachability based on the configuration. It does not send packets or analyze the data plane.

To use Reachability Analyzer, you specify the path for the traffic from a source to a destination. For example, you could specify an internet gateway as the source, an EC2 instance as the destination, 22 as the destination port, and TCP as the protocol. This would allow you to verify that you can connect to the EC2 instance through the internet gateway using SSH.

If there are multiple reachable paths between a source and a destination, Reachability Analyzer identifies and displays the shortest path. You can analyze the path again, specifying an intermediate component, to find an alternative reachable path that traverses the intermediate component.

If the path is not reachable, Reachability Analyzer displays information about the component or combination of components that is blocking the path. There might be additional components blocking the path.

Tracy H (AWS)
answered 12 days ago
  • Should I run it from the instance in the problematic subnet and specify one of the IPs in the datacenter as a destination?

  • For Path Source you should select an EC2 instance in the subnet that cannot reach your data center.

    For Path destination select IP Address and, under Enter IP address, use an IP address within your data center.

  • Reachability Analyzer shows it as reachable, however there is no connection. Both ICMP and HTTP on port 80 can't connect.

  • This would lead me to believe the problem is on the datacenter side of the connection. Try troubleshooting from the CPE across the s2s VPN connection.

  • So by using the Reachability Analyzer, we basically confirmed that the instance does go through the correct route and passes through the correct gateway?
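
Reachability Analyzer only models the AWS side, so a "reachable" result with no traffic usually means the return path at the datacenter needs the same model-based check. The following Python script is an added example, not part of the question, the answer or any AWS tool: it runs a longest-prefix-match lookup in both directions for each of the three subnets against a constructed VPC route table and a constructed CPE route table (the `vgw-EXAMPLE`, `tunnel-to-aws`, `lan0`/`lan1` targets and the 192.0.2.0/24 datacenter range are placeholders) and reports any subnet whose forward or reverse route does not go over the VPN.

```python
import ipaddress

# Constructed sample data, not taken from the question; 192.0.2.0/24 is an RFC 5737 range.
DC_HOST = "192.0.2.10"  # placeholder datacenter host the instances try to reach
SUBNETS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]

# VPC side: one route table shared by all three subnets, with the route propagated from the VGW.
VPC_ROUTES = [
    {"dest": "10.0.0.0/16", "target": "local"},
    {"dest": "192.0.2.0/24", "target": "vgw-EXAMPLE"},  # placeholder VGW id
]

# CPE side (constructed scenario): the tunnel policy covers 0.0.0.0/0, but a more
# specific interface route for 10.0.1.0/24 exists and wins the lookup for that subnet.
CPE_ROUTES = [
    {"dest": "0.0.0.0/0", "target": "tunnel-to-aws"},
    {"dest": "192.0.2.0/24", "target": "lan0"},
    {"dest": "10.0.1.0/24", "target": "lan1"},  # overlapping local network
]


def effective_route(routes, ip):
    """Longest-prefix match: the most specific route containing ip wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r["dest"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r["target"])
    return best[1] if best else None


def check_subnet(subnet_cidr, dc_ip=DC_HOST, vpc_routes=VPC_ROUTES, cpe_routes=CPE_ROUTES):
    """Check the forward (VPC -> DC) and reverse (CPE -> subnet) lookups for one subnet."""
    # AWS reserves the first four addresses of a subnet, so .4 is the first instance-assignable one.
    host = str(ipaddress.ip_network(subnet_cidr)[4])
    forward = effective_route(vpc_routes, dc_ip)
    reverse = effective_route(cpe_routes, host)
    ok = forward is not None and forward.startswith("vgw-") and reverse == "tunnel-to-aws"
    return {"subnet": subnet_cidr, "host": host, "forward": forward, "reverse": reverse, "ok": ok}


def report(subnets=SUBNETS):
    """One result per subnet; a False 'ok' points at the direction that leaves the VPN."""
    return [check_subnet(s) for s in subnets]
```

In the constructed scenario the forward lookup is identical for all three subnets, exactly as the question describes, while the reverse lookup for 10.0.1.4 lands on `lan1` instead of the tunnel, which is the kind of asymmetry that produces an all-asterisk traceroute and a "reachable" verdict from the analyzer at the same time.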
