The VPN tunnel between my customer gateway and my virtual private gateway is Up, but I am unable to pass traffic through it. What can I do?
Last updated: 2021-04-29
I established a VPN connection between my customer gateway and a virtual private gateway, but traffic isn't passing through it. How do I troubleshoot this issue?
To troubleshoot this issue, confirm that your Amazon VPC, virtual private gateway, and customer gateway are configured correctly.
Review the configuration of your Amazon VPC and virtual private gateway
- Verify that the virtual private gateway associated with the VPN connection is attached to your Amazon VPC.
- Confirm that the on-premises and VPC private networks don't overlap; overlapping subnets cause routing issues over the VPN tunnel.
- For static route-based VPN connections, verify that you have configured routes for your on-premises private networks by checking the Static Routes tab of your VPN Connection.
- For BGP-based VPN connections, verify that the BGP session is established. Also verify that the virtual private gateway is receiving BGP routes from your customer gateway by checking the Tunnel Details tab of your VPN Connection.
- Configure your VPC route table to include the routes to your on-premises private networks. Direct them to your virtual private gateway so that instances in your Amazon VPC can reach your on-premises networks. You can manually add these routes to the VPC route table, or you can use route propagation to automatically propagate these routes.
- Confirm that the VPC security groups and network access control lists (network ACLs) allow the necessary traffic (ICMP, RDP, SSH, etc.) to and from your on-premises subnets, in both the inbound and outbound directions.
- Perform packet captures on multiple Amazon Elastic Compute Cloud (Amazon EC2) instances in different Availability Zones to confirm that traffic from the on-premises host is reaching your Amazon VPC.
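The VPC-side items above as an offline checker, added here as an example (not code from the AWS article): it takes the parsed JSON that `aws ec2 describe-vpn-gateways`, `describe-vpn-connections` and `describe-route-tables` return and reports which items fail. The IDs and addresses in the sample documents are constructed placeholders.

```python
import ipaddress

def vpn_checklist(vpc_id, vpc_cidr, onprem_cidrs, vgw_doc, vpn_doc, rtb_doc):
    findings = []
    vpc_net = ipaddress.ip_network(vpc_cidr)
    onprem = [ipaddress.ip_network(c) for c in onprem_cidrs]
    vgw = vgw_doc["VpnGateways"][0]
    vgw_id = vgw["VpnGatewayId"]
    # 1. The virtual private gateway must be attached to this VPC.
    if not any(a["VpcId"] == vpc_id and a["State"] == "attached"
               for a in vgw.get("VpcAttachments", [])):
        findings.append(f"{vgw_id} is not attached to {vpc_id}")
    # 2. Overlapping on-premises and VPC address space breaks routing over the tunnel.
    for net in onprem:
        if net.overlaps(vpc_net):
            findings.append(f"on-premises {net} overlaps VPC {vpc_net}")
    # 3. Static VPN needs a static route per prefix; a BGP tunnel that is UP but accepts 0 routes learns nothing.
    conn = vpn_doc["VpnConnections"][0]
    if conn["Options"]["StaticRoutesOnly"]:
        static = {r["DestinationCidrBlock"] for r in conn.get("Routes", [])}
        findings += [f"no static route for {n}" for n in onprem if str(n) not in static]
    else:
        for t in conn["VgwTelemetry"]:
            if t["Status"] == "UP" and t["AcceptedRouteCount"] == 0:
                findings.append(f"tunnel {t['OutsideIpAddress']} is UP but accepts 0 BGP routes")
    # 4. Each VPC route table needs an active route (manual or propagated) covering the prefix and targeting the VGW.
    for rtb in rtb_doc["RouteTables"]:
        to_vgw = [ipaddress.ip_network(r["DestinationCidrBlock"]) for r in rtb["Routes"]
                  if r.get("GatewayId") == vgw_id and r.get("State") == "active"
                  and "DestinationCidrBlock" in r]
        for net in onprem:
            if not any(net.subnet_of(dst) for dst in to_vgw):
                findings.append(f"{rtb['RouteTableId']} has no active route for {net} via {vgw_id}")
    return findings

# Constructed sample (placeholder IDs): static VPN, gateway attached, but the VPC
# route table carries only the local route, so check 4 should fire.
SAMPLE_VGW = {"VpnGateways": [{"VpnGatewayId": "vgw-0example",
              "VpcAttachments": [{"VpcId": "vpc-0example", "State": "attached"}]}]}
SAMPLE_VPN = {"VpnConnections": [{"VpnConnectionId": "vpn-0example",
              "Options": {"StaticRoutesOnly": True},
              "Routes": [{"DestinationCidrBlock": "192.168.10.0/24", "State": "available", "Source": "Static"}],
              "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 0}]}]}
SAMPLE_RTB = {"RouteTables": [{"RouteTableId": "rtb-0example",
              "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}]}

if __name__ == "__main__":
    for item in vpn_checklist("vpc-0example", "10.0.0.0/16", ["192.168.10.0/24"],
                              SAMPLE_VGW, SAMPLE_VPN, SAMPLE_RTB):
        print("FAIL:", item)
```

Run it against the real output of the three `describe-*` calls (saved with `--output json`) to see which checklist item to look at first.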
Review your customer gateway
- Confirm that the IPsec configuration on your VPN device satisfies the requirements for your customer gateway.
- Verify that the packets from your customer gateway are being encrypted and sent over the VPN tunnel.
- For policy-based configurations, check the Details of your VPN connection to verify that the traffic selectors are configured correctly: Local IPv4 Network Cidr should be the customer gateway (on-premises) CIDR range, and Remote IPv4 Network Cidr should be the AWS side CIDR range.
- For policy-based configurations, be sure that you limit the number of encryption policies to a single policy.
Note: AWS supports only one pair of Phase 2 Security Associations (SAs) per VPN tunnel.
- If your VPN tunnels are route-based, confirm that you have correctly configured routes to your VPC CIDR.
- Confirm that the traffic sent across the tunnel isn't translated to the customer gateway IP address of the VPN connection. If you have a specific requirement to NAT your VPN traffic, configure it using a different IP address than the customer gateway IP address.
- If your customer gateway isn't behind a NAT device, it's a best practice to disable NAT-Traversal.
- Confirm that there are no firewall policies or ACLs interfering with inbound or outbound IPsec traffic.
- Perform a packet capture for ESP traffic on the WAN interface of your customer gateway device to confirm that it's sending and receiving encrypted packets.