Site-to-Site VPN connection - high latency

Question

Hi all,
we have a Site-to-Site VPN configured between out VPC on AWS (the private subnet in the VPC hosts a RDS instance) and our on premise application servers.
The VPN is policy-based and for the moment only one tunnel works.
The problem is that we have a big latency problem when the traffic leave the last on premise network segment and go to the VPN (sometimes it happens that through the VPN the VPC is not reachable even if the tunnel is active). 
We are talking about 1250 ms latency.
Does anyone have any suggestions on what can be checked and/or modified?
Thanks.

bodep · Answer

You might found this knowledge center article usefull: https://repost.aws/knowledge-center/vpn-packet-loss
You can also take pcap on source and destination and review,

Muhammad M · Answer

What is Bandwidth Bytes per second and PPS at the time of the issue?
You can check Cloudwatch metrics for VPN tunnel and verify if you are not exceeding limit of VPN service on AWS side?

Maximum bandwidth per VPN tunnel	Up to 1.25 Gbps	No
Maximum packets per second (PPS) per VPN tunnel	Up to 140,000	No
https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-limits.html

https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html

Its also possible that a lot of packet fragmentation is happening that is causing CPU issues on either AWS VPN device or your device. So try to use TCP MSS Clamping to avoid fragmentation.

See section Best practices for your customer gateway device

https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html

rePost-User-7809399 · Answer

As DataIn we have some 13,3 MB peaks (once a day), so I think we are ok on this side (the tunnel state is always 1, so available).
Anyway we are talking about a very small amount of data.
Regarding  TCP MSS Clamping it has to be checked on cgw side right? Thanks.

Site-to-Site VPN connection - high latency

Relevant content