How do I troubleshoot VPN tunnel connectivity to an Amazon VPC?

Last updated: 2022-09-22

I'm having trouble establishing and maintaining an AWS Site-to-Site VPN connection to my AWS infrastructure within an Amazon Virtual Private Cloud (Amazon VPC).

Short description

Amazon VPC supports open-standard, encrypted IPsec virtual private network (VPN) connections to AWS infrastructure. Whether a VPN tunnel connection to an Amazon VPC comes up and passes traffic depends on all of the following:

  • VPN tunnel Internet Key Exchange (IKE) configuration
  • VPN tunnel Internet Protocol security (IPsec) configuration
  • Network access control list (NACL) configuration
  • Amazon VPC security group rules configuration
  • Amazon Elastic Compute Cloud (Amazon EC2) instance network routing table configuration
  • Amazon EC2 instance firewall configuration
  • VPN gateway configuration on the AWS side (virtual private gateway or transit gateway)

If you're experiencing issues establishing or maintaining a Site-to-Site VPN connection to your Amazon VPC, try the following to resolve the problem.

Resolution

If a Site-to-Site VPN tunnel can't be established

To resolve a failure when establishing a Site-to-Site VPN tunnel, first determine in which phase the failure occurred: IKE phase 1 (peer authentication and the IKE security association) or IPsec phase 2 (the IPsec security associations that carry the traffic). The customer gateway device's IKE and IPsec logs show which phase did not complete.

If Site-to-Site VPN tunnels are established

If both VPN tunnels are established, follow these steps:

  1. Open the Amazon VPC console, then view the network access control lists (NACLs) in your Amazon VPC. Custom NACLs might block traffic that arrives over the VPN. Because NACLs are stateless, the NACL on the instance's subnet needs both an inbound rule that allows traffic from the on-premises CIDR and an outbound rule that allows the replies back to that CIDR (including the ephemeral port range). For more information, see Work with network ACLs.
  2. Follow the steps at Update security group rules to allow inbound SSH, RDP, and ICMP access. Scope these rules to the on-premises CIDR rather than 0.0.0.0/0. Security groups are stateful, so no outbound rule is needed for the replies.
  3. Verify that the route tables associated with the subnets of your Amazon EC2 instances are correct. Each table must contain a route for the on-premises CIDR whose target is the virtual private gateway (either a static route or a propagated route) or the transit gateway. Without that route, replies follow the default route (for example, to an internet gateway) instead of returning through the VPN. For more information, see Work with route tables.
  4. When using an Active/Active configuration where both tunnels are up: AWS automatically selects one of the active tunnels as the preferred VPN tunnel for sending traffic from AWS to the on-premises network. Traffic might therefore leave your network over one tunnel and return from AWS over the other, so the customer gateway device must accept asymmetric routing on the virtual tunnel interfaces. For more information, see How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?
  5. Verify that no host firewall is blocking traffic to the Amazon EC2 instance inside the VPC:
  • For an Amazon EC2 Windows instance: Open a command prompt, and then run wf.msc to review the Windows Defender Firewall rules.
  • For an Amazon EC2 Linux instance: Open a terminal, then list the active rules with iptables (for example, iptables -L -n -v) or, depending on the distribution, nft or firewall-cmd. For more information about the iptables command, run man iptables from the terminal.
  • If your customer gateway device implements a policy-based VPN: AWS supports only a single pair of security associations (SAs) per tunnel, one inbound and one outbound. A policy-based device that negotiates an SA pair for each combination of local and remote subnets exceeds that limit, and flows on the extra pairs fail. As a best practice, configure a single policy whose source is 0.0.0.0/0 (or your whole internal network) and whose destination is the VPC CIDR (for example, 192.168.0.0/16). This directs all traffic for the VPC through the VPN without creating additional security associations. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
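The NACL and route-table checks in steps 1 and 3 are easy to get wrong by inspection, so the following Python models them over constructed data. This is an added example, not code from the article or from AWS: the CIDRs, rule numbers, gateway IDs and the shape of the NACL and route entries (trimmed from what describe-network-acls and describe-route-tables return) are assumptions. It evaluates a NACL the way EC2 does (lowest matching rule number wins, implicit deny at 32767), shows why a custom NACL that allows SSH inbound but lacks the outbound ephemeral-port rule still breaks the session, and does the longest-prefix route lookup that decides whether a reply to the on-premises network goes to the virtual private gateway.

```python
import ipaddress

# Constructed sample values (assumptions for the example).
ON_PREM_CIDR = "10.10.0.0/16"          # network behind the customer gateway
VPC_CIDR = "192.168.0.0/16"
VGW_ID = "vgw-0123456789abcdef0"
IGW_ID = "igw-0123456789abcdef0"

# Custom NACL that allows SSH in from on-premises but forgets that NACLs are
# stateless: replies (instance -> on-prem client, ephemeral port) hit the deny.
BROKEN_NACL = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": ON_PREM_CIDR, "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

# Same NACL with the missing outbound rule for the ephemeral port range.
FIXED_NACL = BROKEN_NACL + [
    {"RuleNumber": 110, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": ON_PREM_CIDR, "PortRange": {"From": 1024, "To": 65535}},
]

# Subnet route table: VPC-local route, default route to the internet gateway,
# and the (static or propagated) route for the on-premises CIDR via the VGW.
ROUTE_TABLE = [
    {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID},
    {"DestinationCidrBlock": ON_PREM_CIDR, "GatewayId": VGW_ID},
]


def nacl_allows(entries, egress, proto, remote_ip, port):
    """Evaluate one direction of a NACL as EC2 does: entries are tried in
    ascending rule number and the first match decides. For inbound entries
    CidrBlock is the source, for outbound entries it is the destination."""
    addr = ipaddress.ip_address(remote_ip)
    for e in sorted((e for e in entries if e["Egress"] == egress),
                    key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", proto):
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False  # no entry matched; the implicit deny applies


def ssh_flow_ok(entries, client_ip, ephemeral_port=51234):
    """A TCP session through a stateless NACL needs both directions allowed:
    the request inbound to port 22 and the reply outbound to the client's
    ephemeral port. Returns the per-direction verdicts and the overall result."""
    inbound = nacl_allows(entries, False, "6", client_ip, 22)
    outbound = nacl_allows(entries, True, "6", client_ip, ephemeral_port)
    return {"inbound": inbound, "outbound": outbound, "ok": inbound and outbound}


def next_hop(routes, dst_ip):
    """Longest-prefix match over the route table, as the VPC router does.
    Returns the target of the most specific route, or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r["GatewayId"])
    return best[1] if best else None


if __name__ == "__main__":
    print("broken NACL:", ssh_flow_ok(BROKEN_NACL, "10.10.5.7"))
    print("fixed NACL: ", ssh_flow_ok(FIXED_NACL, "10.10.5.7"))
    print("reply to 10.10.5.7 via:", next_hop(ROUTE_TABLE, "10.10.5.7"))
    print("without VGW route:    ", next_hop(ROUTE_TABLE[:2], "10.10.5.7"))
```

With the broken NACL the inbound SSH packet is allowed but the reply is denied, which from the on-premises side looks like a connection that never completes; the same check against the route table with the VGW route removed shows the reply leaving through the internet gateway instead of the VPN. The real data comes from `aws ec2 describe-network-acls` and `aws ec2 describe-route-tables` filtered on the instance's subnet; NatGatewayId and TransitGatewayId targets would need the same treatment as GatewayId here.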

If instance connectivity and VPC configurations are ruled out as possible root causes

Run the traceroute utility from a Linux terminal, or the tracert utility from a Windows command prompt. Run it from a host on your internal network to an Amazon EC2 instance in the VPC that the VPN is connected to, and note the last hop that responds.

  • If the traceroute or tracert output stops at an IP address associated with your internal network, verify that the routing path from that hop to the VPN edge device (the customer gateway) is correct.
  • If traffic from your internal network reaches your customer gateway device but fails to reach the EC2 instance, verify that the VPN configuration, policies, and NAT settings on your customer gateway are correct. Then verify that upstream devices, if any, allow the traffic to flow.
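Reading the last responding hop off a trace and deciding which of the cases above applies is mechanical, so here it is as a small parser. This is an added example, not part of the article: the two traces are constructed (one in Linux traceroute format that dies after the on-premises edge router, one in Windows tracert format that reaches the instance), and the internal and VPC CIDRs are assumptions.

```python
import ipaddress
import re

# Assumed address plan for the example.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "172.16.0.0/16")]
VPC_CIDR = ipaddress.ip_network("192.168.0.0/16")

# Constructed Linux traceroute output: hops 1-2 are on-premises routers,
# then nothing answers. The path is not reaching the customer gateway.
TRACE_STOPS_INTERNAL = """\
traceroute to 192.168.1.25 (192.168.1.25), 30 hops max, 60 byte packets
 1  10.10.5.1 (10.10.5.1)  0.412 ms  0.398 ms  0.380 ms
 2  172.16.0.2 (172.16.0.2)  1.105 ms  1.090 ms  1.061 ms
 3  * * *
 4  * * *
"""

# Constructed Windows tracert output for a working path (the tunnel hop itself
# does not answer, which is normal).
TRACE_REACHED = """\
Tracing route to 192.168.1.25 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  10.10.5.1
  2     1 ms     1 ms     1 ms  172.16.0.2
  3     *        *        *     Request timed out.
  4    21 ms    20 ms    22 ms  192.168.1.25

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# What the article says to check for each outcome.
ADVICE = {
    "reached": "path is fine; look at the instance (security group, NACL, host firewall)",
    "stopped_in_internal_network": "verify routing from that hop to the VPN edge device",
    "stopped_in_vpc": "traffic enters the VPC; check NACL, security group and host firewall",
    "stopped_beyond_customer_gateway": "check CGW VPN policies/NAT and upstream devices",
    "no_response": "no hop answered; check the host's own route and local firewall",
}


def parse_hops(output):
    """Return [(hop_number, ip_or_None), ...] from traceroute (Linux) or
    tracert (Windows) text. Lines that do not start with a hop number
    (headers, 'Trace complete.') are skipped; '* * *' hops yield None."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ips = IPV4_RE.findall(m.group(2))
        hops.append((int(m.group(1)), ips[-1] if ips else None))
    return hops


def diagnose(output, target_ip):
    """Classify where the trace stopped relative to the assumed address plan."""
    responding = [ip for _, ip in parse_hops(output) if ip]
    if not responding:
        return {"last_hop": None, "verdict": "no_response"}
    last = ipaddress.ip_address(responding[-1])
    if last == ipaddress.ip_address(target_ip):
        verdict = "reached"
    elif any(last in net for net in INTERNAL_NETWORKS):
        verdict = "stopped_in_internal_network"
    elif last in VPC_CIDR:
        verdict = "stopped_in_vpc"
    else:
        verdict = "stopped_beyond_customer_gateway"
    return {"last_hop": str(last), "verdict": verdict}


if __name__ == "__main__":
    for trace in (TRACE_STOPS_INTERNAL, TRACE_REACHED):
        result = diagnose(trace, "192.168.1.25")
        print(result, "->", ADVICE[result["verdict"]])
```

Pipe real output in with `traceroute -n 192.168.1.25 | python3 trace_check.py` style plumbing, or paste it in; the `-n` flag on Linux skips reverse DNS and keeps the lines in the dotted-quad form the parser expects. A hop that answers from the customer gateway's inside address still counts as "internal" here, which matches the article's advice: the next thing to check is the device itself.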

Troubleshooting issues with the Border Gateway Protocol (BGP)

If the Border Gateway Protocol (BGP) session is down, make sure that the BGP Autonomous System Number (ASN) configured on your customer gateway device is the one that you specified when you created the customer gateway resource in AWS. That ASN, together with the Amazon-side ASN and the inside tunnel addresses used for the BGP peering, is included in the downloadable VPN configuration file. For more information, see Virtual private gateway.

You can use an existing ASN that's already assigned to your network. If you don't have one, use a private ASN in the 64512–65534 range. Whichever you choose, the ASN on the device must match the one that you provided when creating the customer gateway in AWS. The BGP session runs inside the tunnel, between the inside tunnel addresses (169.254.x.x link-local addresses), so make sure that any local firewall on the customer gateway allows TCP port 179 on the tunnel interface in both directions. Allowing only the IKE and IPsec traffic (UDP 500, UDP 4500, or ESP) on the outside interface is not enough. For more information about troubleshooting gateway connectivity, see Troubleshooting your customer gateway device.
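The three BGP mistakes above (ASN mismatch with the customer gateway resource, wrong neighbor ASN or address, BGP blocked by the device firewall even though IKE/IPsec is allowed) can be checked against the downloaded configuration before touching the device. The following Python does that over constructed data; it is an added example, not from the article or from AWS, and the ASNs, inside tunnel addresses and the firewall-rule format are assumptions (the firewall is modelled as a stateful first-match policy keyed on the destination port of the packet that opens the session).

```python
import ipaddress

# IANA private ASN ranges (RFC 6996): 16-bit and 32-bit.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Constructed values as they would appear in the downloaded configuration
# file (assumed layout; the inside addresses form one /30 per tunnel).
DOWNLOADED_CONFIG = {
    "customer_gateway_asn": 65000,
    "amazon_side_asn": 64512,
    "tunnel1_inside_cgw": "169.254.10.2/30",
    "tunnel1_inside_aws": "169.254.10.1/30",
}

# Constructed device state: the local ASN has a typo and the firewall only
# passes IKE (UDP 500/4500) on the outside interface, never BGP in the tunnel.
DEVICE_CONFIG = {
    "local_asn": 65001,
    "neighbor": "169.254.10.1",
    "neighbor_asn": 64512,
    "firewall": [
        {"proto": "udp", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": 500, "action": "allow"},
        {"proto": "udp", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": 4500, "action": "allow"},
        {"proto": "any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None, "action": "deny"},
    ],
}

# The same device after the fix: ASN corrected and BGP allowed between the
# inside tunnel addresses, ahead of the final deny.
FIXED_DEVICE_CONFIG = dict(
    DEVICE_CONFIG,
    local_asn=65000,
    firewall=[{"proto": "tcp", "src": "169.254.10.0/30", "dst": "169.254.10.0/30",
               "port": 179, "action": "allow"}] + DEVICE_CONFIG["firewall"],
)


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def firewall_permits(rules, proto, src, dst, port):
    """First-match evaluation of the simplified rule list; 'port' is the
    destination port of the session-opening packet, replies are assumed to be
    tracked statefully. Unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("any", proto):
            continue
        if s not in ipaddress.ip_network(r["src"]) or d not in ipaddress.ip_network(r["dst"]):
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        return r["action"] == "allow"
    return False


def bgp_preflight(downloaded, device):
    """Compare the device's BGP settings with the downloaded configuration and
    check that TCP 179 passes between the inside tunnel addresses in both
    directions (either peer may open the session). Returns finding codes;
    an empty list means the BGP-relevant settings line up."""
    findings = []
    cgw_inside = ipaddress.ip_interface(downloaded["tunnel1_inside_cgw"]).ip
    aws_inside = ipaddress.ip_interface(downloaded["tunnel1_inside_aws"]).ip
    if device["local_asn"] != downloaded["customer_gateway_asn"]:
        findings.append("local-asn-mismatch")
    if device["neighbor_asn"] != downloaded["amazon_side_asn"]:
        findings.append("neighbor-asn-mismatch")
    if ipaddress.ip_address(device["neighbor"]) != aws_inside:
        findings.append("neighbor-ip-mismatch")
    for src, dst in ((cgw_inside, aws_inside), (aws_inside, cgw_inside)):
        if not firewall_permits(device["firewall"], "tcp", str(src), str(dst), 179):
            findings.append("bgp-tcp-179-blocked")
            break
    return findings


if __name__ == "__main__":
    print("before:", bgp_preflight(DOWNLOADED_CONFIG, DEVICE_CONFIG))
    print("after: ", bgp_preflight(DOWNLOADED_CONFIG, FIXED_DEVICE_CONFIG))
```

The UDP 500/4500 rules are why the tunnel itself can be up while BGP stays down: IKE and ESP arrive on the outside interface, but the BGP TCP session is carried inside the tunnel and is evaluated against the tunnel interface's rules. Once the check passes, confirm on the device that the session reaches Established (for example, `show bgp summary` on FRR/Cisco-style devices) and that it advertises the on-premises prefixes and receives the VPC CIDR.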