How do I troubleshoot VPN tunnel inactivity or instability on my customer gateway device?

Common reasons for VPN tunnel inactivity or instability on a customer gateway device include:

• Problems with Internet Protocol Security (IPsec) dead peer detection (DPD) monitoring
• Idle timeouts due to low traffic on a VPN tunnel or vendor-specific customer gateway device configuration issues
  

Check DPD settings

If a VPN peer doesn't respond to three successive DPDs, the peer is considered dead and the tunnel is closed.

If your customer gateway device has DPD enabled, be sure that:

• It's configured to receive and respond to DPD messages.
• It isn't too busy to respond to DPD messages from AWS peers.
• It isn't rate limiting DPD messages due to IPS features enabled in the firewall.

Troubleshoot idle timeouts

If you're experiencing idle timeouts due to low traffic on a VPN tunnel:

• Be sure that there's constant bidirectional traffic between your local network and your VPC. If necessary, create a host that sends ICMP requests to an instance in your VPC every 5 seconds.
• Review your VPN device's idle timeout settings using information from your device's vendor. When there's no traffic through a VPN tunnel for the duration of your vendor-specific VPN idle time, the IPsec session terminates. Be sure to follow vendor-specific configuration guidelines.