How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

Last updated: 2021-03-22

I'm using a policy-based virtual private network (VPN) to connect to my AWS VPN endpoint in Amazon Virtual Private Cloud (Amazon VPC). I'm experiencing problems, such as packet loss, intermittent or no connectivity, and general network instability. How do I troubleshoot these issues?

Short description

When you use a policy-based VPN to connect to an AWS VPN endpoint, AWS supports only a single security association (SA) pair on the tunnel. That single pair consists of one inbound SA and one outbound SA.

A policy-based VPN that defines more than one encryption domain (for example, one phase 2 entry per on-premises subnet) tries to negotiate a separate SA pair for each domain. When the customer gateway brings up a new SA pair, the AWS endpoint drops the existing one, so traffic that was flowing over the existing SA is interrupted. Each time a different domain initiates traffic, the tunnel renegotiates again, which you observe as packet loss and intermittent connectivity.

Resolution

Limit the number of encryption domains (networks) with access to your VPC. If you have more than one encryption domain behind your VPN's customer gateway, configure them to use a single security association. To check whether multiple security associations exist for your customer gateway, see Troubleshooting your customer gateway device.

Configure your customer gateway to allow any network behind the customer gateway (0.0.0.0/0) with a destination of your VPC CIDR to pass through the VPN tunnel. This configuration uses a single security association, which improves tunnel stability. Note that it also widens the encryption domain: any network behind the customer gateway, including networks that aren't defined in your current policy, can now send traffic to the VPC.

To compensate for the wider encryption domain, implement a traffic filter on your customer gateway, if possible, so that only the on-premises networks that need access can send traffic into the tunnel. On the AWS side, configure security groups to specify what traffic can reach your instances, and configure network access control lists (network ACLs) to block unwanted traffic to your subnets.
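To make the single-SA-pair limit and the consolidation fix concrete, here is an added example that is not code from the AWS article. It models the AWS endpoint as an object that keeps one active SA pair, shows how a customer gateway policy with two encryption domains keeps interrupting itself, and then collapses that policy into a single 0.0.0.0/0 to VPC CIDR selector while turning the original domains into allow-list rules for a filter on the customer gateway. The class and function names, and the 192.168.x.0/24 and 10.0.0.0/16 networks, are this example's own assumptions.

```python
"""Model of the single-SA-pair limit and the consolidation fix.

Added example; not code from the AWS article. The AWS VPN endpoint is
modelled as an object that keeps one active security association (SA)
pair; all names here are the example's own and the networks are
constructed for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# One encryption domain = one (local selector, remote selector) pair,
# i.e. one IKE phase 2 / child SA, which is one inbound + one outbound SA.
Selector = Tuple[str, str]

VPC_CIDR = "10.0.0.0/16"  # assumed VPC CIDR

# Constructed sample: a customer gateway with one phase 2 entry per
# on-premises subnet. Two entries -> two SA pairs -> exceeds the AWS limit.
MULTI_DOMAIN_POLICY: List[Selector] = [
    ("192.168.10.0/24", VPC_CIDR),
    ("192.168.20.0/24", VPC_CIDR),
]


class AwsVpnEndpointModel:
    """Keeps at most one active SA pair, as the AWS endpoint does."""

    def __init__(self) -> None:
        self.active: Optional[Selector] = None
        self.drops: List[Selector] = []   # SAs torn down by later negotiations

    def negotiate(self, selector: Selector) -> Optional[Selector]:
        """Install the SA pair for `selector`; return the pair it displaced."""
        dropped = None
        if self.active is not None and self.active != selector:
            dropped = self.active         # the existing connection is interrupted
            self.drops.append(dropped)
        self.active = selector
        return dropped


def count_sa_pairs(policy: List[Selector]) -> int:
    """Distinct selector pairs the customer gateway would try to negotiate."""
    return len(set(policy))


def exceeds_aws_limit(policy: List[Selector]) -> bool:
    return count_sa_pairs(policy) > 1


def simulate_flapping(policy: List[Selector], rounds: int = 2) -> int:
    """Count interruptions when each domain in turn initiates traffic."""
    endpoint = AwsVpnEndpointModel()
    for selector in policy * rounds:
        endpoint.negotiate(selector)
    return len(endpoint.drops)


def consolidate(policy: List[Selector], vpc_cidr: str) -> Tuple[Selector, List[Selector]]:
    """Collapse the policy to a single 0.0.0.0/0 -> VPC selector.

    The original encryption domains are returned as allow-list rules for a
    traffic filter on the customer gateway, so the wider selector does not
    widen what may actually reach the VPC.
    """
    filter_rules = list(dict.fromkeys(policy))   # de-duplicate, keep order
    return ("0.0.0.0/0", vpc_cidr), filter_rules


def filter_permits(rules: List[Selector], src: str, dst: str) -> bool:
    """Stateless allow-list check applied before traffic enters the tunnel."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(src_net) and d in ip_network(dst_net)
               for src_net, dst_net in rules)


if __name__ == "__main__":
    print("SA pairs:", count_sa_pairs(MULTI_DOMAIN_POLICY),
          "interruptions:", simulate_flapping(MULTI_DOMAIN_POLICY))
    single, rules = consolidate(MULTI_DOMAIN_POLICY, VPC_CIDR)
    print("after consolidation, SA pairs:", count_sa_pairs([single]),
          "interruptions:", simulate_flapping([single]))
    print("192.168.10.5 -> 10.0.1.10 permitted:",
          filter_permits(rules, "192.168.10.5", "10.0.1.10"))
    print("172.16.0.5 -> 10.0.1.10 permitted:",
          filter_permits(rules, "172.16.0.5", "10.0.1.10"))
```

The two-domain policy negotiates two distinct SA pairs, so alternating traffic from each subnet displaces the other's SA every time; the consolidated single selector never displaces anything. The filter rules carried over from the original policy are what keep the 0.0.0.0/0 selector from becoming an open door for unlisted on-premises networks, and they complement, rather than replace, the security groups and network ACLs on the AWS side.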