How do I troubleshoot VPN tunnel inactivity, instability, or tunnel-down issues on my customer gateway device?
Last updated: 2021-05-05
I'm having inactivity or instability issues with virtual private network (VPN) tunnels on my network device. How do I troubleshoot this in Amazon Virtual Private Cloud (Amazon VPC)?
Common reasons for VPN tunnel inactivity or instability on a customer gateway device include:
- Problems with Internet Protocol Security (IPsec) dead peer detection (DPD) monitoring
- Idle timeouts due to low traffic on a VPN tunnel or vendor-specific customer gateway device configuration issues
- Rekey issues for phase 1 or phase 2
Check DPD settings
If a VPN peer doesn't respond to three successive DPDs, then the peer is considered dead and the tunnel is closed.
If your customer gateway device has DPD enabled, be sure that:
- It's configured to receive and respond to DPD messages.
- It isn't too busy to respond to DPD messages from AWS peers.
- It isn't rate limiting DPD messages because of intrusion prevention system (IPS) features enabled on the firewall.
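The DPD checks above can be verified from the IKE daemon's log rather than by guessing. The following is an added example (not AWS code and not any vendor's) that walks log lines and reports, per peer, when three successive DPD probes went unanswered (the point at which the tunnel is closed) and how many inbound DPD requests the local device received but never answered. The line format, the event names (`dpd_timeout`, `dpd_ack`, `dpd_req_in`, `dpd_reply_out`) and the sample log are constructed for this example; adapt the regular expression to your daemon's real messages.

```python
"""Flag DPD liveness problems in both directions from a simplified IKE log.

Added example, not AWS or vendor code. The log format and event names below
are constructed; adapt LINE_RE to the messages your IKE daemon actually emits.
"""
import re
from collections import defaultdict

# A VPN peer that fails to answer three successive DPD probes is considered dead.
DPD_DEAD_THRESHOLD = 3

# Constructed log format: "<timestamp> peer=<address> event=<name>"
LINE_RE = re.compile(r"^(?P<ts>\S+) peer=(?P<peer>\S+) event=(?P<event>\w+)$")


def analyse_dpd(lines):
    """Return {peer: {"declared_dead_at": ts or None, "inbound_unanswered": n}}.

    dpd_timeout   : a probe we sent to the peer got no reply in time
    dpd_ack       : the peer answered our probe (resets the failure count)
    dpd_req_in    : the peer probed us
    dpd_reply_out : we answered the peer's probe
    """
    consecutive_timeouts = defaultdict(int)   # unanswered probes we sent, per peer
    awaiting_our_reply = defaultdict(bool)    # peer's probe still unanswered by us
    report = defaultdict(lambda: {"declared_dead_at": None, "inbound_unanswered": 0})

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        ts, peer, event = m.group("ts", "peer", "event")
        entry = report[peer]
        if event == "dpd_timeout":
            consecutive_timeouts[peer] += 1
            if (consecutive_timeouts[peer] >= DPD_DEAD_THRESHOLD
                    and entry["declared_dead_at"] is None):
                entry["declared_dead_at"] = ts
        elif event == "dpd_ack":
            consecutive_timeouts[peer] = 0
        elif event == "dpd_req_in":
            if awaiting_our_reply[peer]:
                # previous inbound probe was never answered: the local device is
                # too busy, misconfigured, or an IPS/rate limiter dropped it
                entry["inbound_unanswered"] += 1
            awaiting_our_reply[peer] = True
        elif event == "dpd_reply_out":
            awaiting_our_reply[peer] = False

    # A probe still pending at the end of the log was also never answered.
    for peer, pending in awaiting_our_reply.items():
        if pending:
            report[peer]["inbound_unanswered"] += 1
    return dict(report)


# Constructed sample log (documentation addresses): peer .10 stops answering our
# probes; we stop answering peer .11's probes after the first one.
SAMPLE_LOG = """\
2021-05-05T10:00:00Z peer=203.0.113.10 event=dpd_ack
2021-05-05T10:00:10Z peer=203.0.113.10 event=dpd_timeout
2021-05-05T10:00:20Z peer=203.0.113.10 event=dpd_timeout
2021-05-05T10:00:30Z peer=203.0.113.10 event=dpd_timeout
2021-05-05T10:00:05Z peer=203.0.113.11 event=dpd_req_in
2021-05-05T10:00:06Z peer=203.0.113.11 event=dpd_reply_out
2021-05-05T10:00:15Z peer=203.0.113.11 event=dpd_req_in
2021-05-05T10:00:25Z peer=203.0.113.11 event=dpd_req_in
2021-05-05T10:00:35Z peer=203.0.113.11 event=dpd_req_in
"""

if __name__ == "__main__":
    for peer, entry in analyse_dpd(SAMPLE_LOG.splitlines()).items():
        print(peer, entry)
```

A peer with `declared_dead_at` set points at the AWS side having given up on the customer gateway (or the reverse, depending on which side logged it); a non-zero `inbound_unanswered` count is the symptom of the second and third bullets above, a device that is too busy or is being rate limited before it can reply.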
Troubleshoot idle timeouts
If you're experiencing idle timeouts due to low traffic on a VPN tunnel:
- Be sure that there's constant bidirectional traffic between your local network and your VPC. If necessary, create a host that sends ICMP requests to an instance in your VPC every 5 seconds.
- Review your VPN device's idle timeout settings in your device vendor's documentation. When there's no traffic through a VPN tunnel for the duration of the vendor-specific idle time, the IPsec session terminates.
Rekey issues for phase 1 or phase 2
If you're experiencing rekey issues due to phase 1 or phase 2 mismatch on a VPN tunnel:
- Review the phase 1 and phase 2 lifetime fields on the customer gateway device and make sure that they match the AWS parameters. It's a best practice to uncheck the parameters in the VPN tunnel options that the customer gateway doesn't need for the VPN connection.
- Make sure that inbound traffic to UDP port 500 (IKE), UDP port 4500 (NAT-T), and IP protocol 50 (ESP) on the customer gateway device is allowed from the AWS endpoint, so that rekeys can complete.
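Both checks in the list above (lifetime mismatch and blocked rekey traffic) can be scripted. The following is an added example, not AWS code or any vendor's: it compares the customer gateway's phase 1 and phase 2 lifetimes with the AWS tunnel options and evaluates the device's inbound firewall rules against the three flows the AWS endpoint must reach (UDP 500, UDP 4500, ESP). The `FirewallRule` model, the first-match/default-deny evaluation, and all sample values (`SAMPLE_AWS`, `SAMPLE_CGW`, `SAMPLE_RULES`, the 203.0.113.0/24 addresses) are constructed for this example; read the real values from your Site-to-Site VPN connection and your device.

```python
"""Check customer gateway lifetimes and inbound firewall rules against the
AWS-side tunnel options that rekeys depend on.

Added example; not AWS or vendor code. Sample values below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Flows from the AWS tunnel endpoint the customer gateway must accept:
# IKE on UDP 500, NAT traversal on UDP 4500, ESP (IP protocol 50, no port).
REQUIRED_INBOUND = (("udp", 500), ("udp", 4500), ("esp", None))


@dataclass
class FirewallRule:
    action: str            # "allow" or "deny"
    protocol: str          # "udp", "tcp", "esp" or "any"
    port: Optional[int]    # None for port-less protocols or "any port"
    source: str            # CIDR / address, or "any"


def rule_matches(rule: FirewallRule, proto: str, port: Optional[int], src: str) -> bool:
    if rule.protocol not in ("any", proto):
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.source != "any" and ipaddress.ip_address(src) not in ipaddress.ip_network(
        rule.source, strict=False
    ):
        return False
    return True


def inbound_allowed(rules: List[FirewallRule], proto: str, port: Optional[int], src: str) -> bool:
    """First matching rule wins; a flow that matches nothing is denied."""
    for rule in rules:
        if rule_matches(rule, proto, port, src):
            return rule.action == "allow"
    return False


def check_tunnel(aws: dict, cgw: dict, rules: List[FirewallRule]) -> List[str]:
    """Return findings that explain failed rekeys; an empty list means consistent."""
    findings = []
    for name in ("phase1_lifetime", "phase2_lifetime"):
        if aws[name] != cgw[name]:
            findings.append(f"{name}: AWS {aws[name]}s, customer gateway {cgw[name]}s")
    for proto, port in REQUIRED_INBOUND:
        if not inbound_allowed(rules, proto, port, aws["outside_ip"]):
            label = f"{proto}/{port}" if port is not None else proto
            findings.append(f"inbound {label} from {aws['outside_ip']} is blocked")
    return findings


# Constructed sample: lifetimes in seconds, AWS endpoint on a documentation address.
SAMPLE_AWS = {"outside_ip": "203.0.113.10", "phase1_lifetime": 28800, "phase2_lifetime": 3600}
SAMPLE_CGW = {"phase1_lifetime": 28800, "phase2_lifetime": 1800}
SAMPLE_RULES = [
    FirewallRule("allow", "udp", 500, "203.0.113.0/24"),
    FirewallRule("allow", "udp", 4500, "any"),
    FirewallRule("deny", "any", None, "any"),   # catch-all deny; no ESP rule above it
]

if __name__ == "__main__":
    for finding in check_tunnel(SAMPLE_AWS, SAMPLE_CGW, SAMPLE_RULES):
        print(finding)
```

With the sample data the script reports the phase 2 lifetime mismatch and the missing ESP rule; inserting an `allow esp` rule ahead of the catch-all deny clears the second finding, which is the order-sensitive detail that is easy to miss when a rule is appended to the end of an existing policy.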
For more information, see Tunnel options for your Site-to-Site VPN connection and Your customer gateway device.