Challenges in Automatic Switching for Site-to-Site VPN Tunnels: Investigating Issues Post AWS Maintenance

0

I set up a site-to-site VPN connection between our on-premises network (Palo Alto firewall) and a private subnet in AWS. Initially, both tunnels were established, and the specified traffic flowed smoothly.

However, during routine maintenance by AWS, our VPN was temporarily affected. After the maintenance, although both tunnels showed as established and UP upon rechecking their status, the traffic did not balance between the tunnels.

I tested the option of manually forcing one tunnel to go down by adjusting the Dead Peer Detection (DPD) timeout parameter, which worked but is not the desired solution.

The automatic switch between the tunnels should occur, but it is not happening. What could be the cause of this issue?

1 Answer
0

Are you using a static route-based VPN or BGP? If you are using BGP, then the failover/failback of the traffic between the tunnels is handled by BGP; see below from the documentation:

We recommend that you use BGP-capable devices, when available, because the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down. Devices that don't support BGP may also perform health checks to assist failover to the second tunnel when needed.

If you are already using BGP but the failover of the traffic isn't working then opening a support ticket with PA and AWS is the best course of action.

AWS EXPERT
answered 5 months ago
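The first thing the answer asks is whether the connection is static or BGP, and the first thing the question reports is that both tunnels show UP. Both facts are visible in the output of `aws ec2 describe-vpn-connections`: `Options.StaticRoutesOnly` tells you the routing mode, and each entry in `VgwTelemetry` carries the tunnel's `Status`, `StatusMessage` and `AcceptedRouteCount` (the number of routes learned over BGP on that tunnel). The script below is an added example, not code from the question asker, the answerer or AWS; it parses two constructed responses (placeholder ids and addresses) and reports, per connection, the routing mode, how many tunnels are UP, and the findings a practitioner would check before opening the support ticket the answer recommends.

```python
import json
from typing import Any

# Constructed sample shaped like `aws ec2 describe-vpn-connections --output json`.
# The VPN id and outside addresses are placeholders, not values from the page.
# Case 1: static routing, both tunnels UP (the situation the question describes).
SAMPLE_STATIC = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0123456789abcdef0",
        "State": "available",
        "Options": {"StaticRoutesOnly": True},
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
             "AcceptedRouteCount": 0, "StatusMessage": ""},
            {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
             "AcceptedRouteCount": 0, "StatusMessage": ""},
        ],
    }]
})

# Case 2: BGP routing, one tunnel UP with routes learned, the other DOWN.
SAMPLE_BGP = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0fedcba9876543210",
        "State": "available",
        "Options": {"StaticRoutesOnly": False},
        "VgwTelemetry": [
            {"OutsideIpAddress": "198.51.100.20", "Status": "UP",
             "AcceptedRouteCount": 3, "StatusMessage": ""},
            {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN",
             "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
        ],
    }]
})


def assess_vpn_connections(response_json: str) -> list[dict[str, Any]]:
    """Summarise each VPN connection: routing mode, tunnel state, findings.

    Takes the raw JSON text of describe-vpn-connections and returns one
    dict per connection so the result can be inspected or asserted on.
    """
    data = json.loads(response_json)
    results: list[dict[str, Any]] = []
    for conn in data.get("VpnConnections", []):
        static_only = bool(conn.get("Options", {}).get("StaticRoutesOnly", False))
        tunnels = conn.get("VgwTelemetry", [])
        up = [t for t in tunnels if t.get("Status") == "UP"]
        findings: list[str] = []

        if static_only:
            # Without BGP there is no routing protocol to move traffic between
            # tunnels; failover on the on-premises side depends on the customer
            # gateway device's own health checks / DPD, as the answer notes.
            findings.append(
                "static routing: tunnel failover is not driven by BGP; it depends "
                "on the customer gateway device's health checks/DPD")

        for t in tunnels:
            ip = t.get("OutsideIpAddress", "?")
            status = t.get("Status", "UNKNOWN")
            if status != "UP":
                # Surface the AWS-side reason text for a down tunnel.
                msg = t.get("StatusMessage") or "no status message"
                findings.append(f"tunnel {ip} is {status}: {msg}")
            elif not static_only and t.get("AcceptedRouteCount", 0) == 0:
                # IPsec is up but BGP has learned nothing over this tunnel,
                # so BGP-based failover cannot use it.
                findings.append(
                    f"tunnel {ip} is UP but BGP accepted 0 routes; check the BGP session")

        results.append({
            "id": conn.get("VpnConnectionId"),
            "routing": "static" if static_only else "bgp",
            "tunnels_up": len(up),
            "tunnels_total": len(tunnels),
            "findings": findings,
        })
    return results


if __name__ == "__main__":
    for sample in (SAMPLE_STATIC, SAMPLE_BGP):
        for r in assess_vpn_connections(sample):
            print(f"{r['id']}: routing={r['routing']} "
                  f"up={r['tunnels_up']}/{r['tunnels_total']}")
            for f in r["findings"]:
                print("  -", f)
```

To run it against a real account, pass the text of `aws ec2 describe-vpn-connections --output json` to `assess_vpn_connections` instead of the embedded samples. A static connection with both tunnels UP produces only the routing-mode finding, which is the point of the answer: nothing on the AWS side will rebalance or switch traffic for you, so the behaviour after maintenance has to be looked at on the firewall's DPD and path-monitoring configuration, or the connection migrated to BGP.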
