How do I troubleshoot VPN tunnel inactivity or instability or tunnel down on my customer gateway device?

Last updated: 2021-05-05

Common reasons for VPN tunnel inactivity or instability on a customer gateway device include:

• Problems with Internet Protocol Security (IPsec) dead peer detection (DPD) monitoring
• Idle timeouts due to low traffic on a VPN tunnel or vendor-specific customer gateway device configuration issues
• Rekey issues for phase 1 or phase 2

If a VPN peer doesn't respond to three successive DPDs, then the peer is considered dead and the tunnel is closed.

If your customer gateway device has DPD enabled, be sure that:

• It's configured to receive and respond to DPD messages.
• It isn't too busy to respond to DPD messages from AWS peers.
• It isn't rate limiting DPD messages due to IPS features enabled in the firewall.

If you're experiencing idle timeouts due to low traffic on a VPN tunnel:

• Be sure that there's constant bidirectional traffic between your local network and your VPC. If necessary, create a host that sends ICMP requests to an instance in your VPC every 5 seconds.
• Review your VPN device's idle timeout settings using information from your device's vendor. When there's no traffic through a VPN tunnel for the duration of your vendor-specific VPN idle time, the IPsec session terminates. Be sure to check your vendor documentation for your specific device.

If you're experiencing rekey issues due to phase 1 or phase 2 mismatch on a VPN tunnel:

• Review the phase 1 or phase 2 lifetime fields on the customer gateway. Make sure that it matches the AWS parameters. It's a best practice to uncheck parameters in the VPN tunnel options that aren't needed with the customer gateway for the VPN connection.
• Make sure that inbound traffic to UDP ports 500 [IKE], 4500 [NAT-T], and IP 50 [ESP] on the customer gateway allow rekeys for the AWS endpoint.

For more information, see Tunnel options for your Site-to-Site VPN connection and Your customer gateway device.