How do I check the current status of my VPN tunnel?

Last updated: 2022-06-17

I don’t see network traffic flowing on the AWS side of my Amazon Virtual Private Cloud (Amazon VPC) connection. How do I check the AWS VPN tunnel status?

Resolution

Verify whether you are using static or dynamic Site-to-Site VPN routing. VPN devices that don’t support Border Gateway Protocol (BGP) must use static routing. VPN devices that support BGP can use dynamic routing.

Check the current status using the Amazon VPC console

If you use a static VPN, then follow these steps:

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under Site-to-Site VPN Connections, choose Site-to-Site VPN Connections.
  3. Select your VPN connection.
  4. Choose the Tunnel Details view.
  5. Review the Status of your VPN tunnel.
  6. If the tunnel status is UP, then choose the Static Routes view. Be sure that the static routes include every private network behind your on-premises firewall.
  7. If the tunnel status is DOWN, then verify that your on-premises firewall is properly configured.
  8. Be sure to turn on route propagation in your VPC route table.

If you use a dynamic VPN with BGP, then follow these steps:

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under Site-to-Site VPN Connections, choose Site-to-Site VPN Connections.
  3. Select your VPN connection.
  4. Choose the Tunnel Details view.
  5. Review the Status of your VPN tunnel.
  6. If the tunnel status is UP, then verify that the Details column has one or more BGP routes listed.
  7. If the tunnel status is DOWN but the Details column is IPSEC IS UP, then be sure to configure BGP properly on your firewall. Phase 2 of Internet Protocol Security (IPSec) is established, but BGP isn’t established.
  8. Be sure to turn on route propagation in your VPC route table.

If you continue to experience issues, then follow these steps:

  • Verify that the security groups of Amazon Elastic Compute Cloud (Amazon EC2) instances in your VPC allow appropriate access. For more information, see Security groups for your VPC.
  • Verify that your local firewall allows the same service in its access control lists (ACLs) and firewall policies.

For more information, see Troubleshooting your customer gateway device.
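The console steps above can be applied to the output of `aws ec2 describe-vpn-connections`, which carries the same per-tunnel Status, Details (StatusMessage) and BGP route count shown in the Tunnel Details view. The following is an added example, not code from this article or from AWS: it applies the static and BGP decision steps to each tunnel and reports what to check next. The JSON response is constructed (IDs and addresses are placeholders); the field names (`VgwTelemetry`, `Status`, `StatusMessage`, `AcceptedRouteCount`, `Options.StaticRoutesOnly`, `Routes`) are the real ones returned by the API. Route propagation on the VPC route table (step 8) is not visible in this response and must be checked separately.

```python
"""Apply the article's UP/DOWN decision steps to a describe-vpn-connections response.

Added example (not AWS documentation code). SAMPLE_RESPONSE is constructed;
the field names match the real EC2 DescribeVpnConnections API.
"""
import json

# Constructed sample: one static VPN with its second tunnel down, and one
# BGP VPN where IPsec is up on the second tunnel but BGP never came up.
SAMPLE_RESPONSE = json.loads(r'''
{
  "VpnConnections": [
    {
      "VpnConnectionId": "vpn-0123456789abcdef0",
      "State": "available",
      "Options": {"StaticRoutesOnly": true},
      "Routes": [
        {"DestinationCidrBlock": "192.168.10.0/24", "Source": "Static", "State": "available"}
      ],
      "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP",   "StatusMessage": "",              "AcceptedRouteCount": 0},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0}
      ]
    },
    {
      "VpnConnectionId": "vpn-0fedcba9876543210",
      "State": "available",
      "Options": {"StaticRoutesOnly": false},
      "Routes": [],
      "VgwTelemetry": [
        {"OutsideIpAddress": "198.51.100.20", "Status": "UP",   "StatusMessage": "3 BGP ROUTES", "AcceptedRouteCount": 3},
        {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN", "StatusMessage": "IPSEC IS UP",  "AcceptedRouteCount": 0}
      ]
    }
  ]
}
''')


def diagnose_tunnel(connection, tunnel):
    """Return (severity, finding) for one tunnel, following the article's steps."""
    static = connection.get("Options", {}).get("StaticRoutesOnly", False)
    status = tunnel["Status"]
    message = (tunnel.get("StatusMessage") or "").upper()

    if static:
        if status == "UP":
            # Step 6 (static): the tunnel is up, so the static routes must list
            # every on-premises network behind the firewall.
            static_routes = [r for r in connection.get("Routes", []) if r.get("Source") == "Static"]
            if not static_routes:
                return ("warn", "tunnel UP but no static routes: add the on-premises networks behind your firewall")
            return ("ok", f"tunnel UP, {len(static_routes)} static route(s)")
        # Step 7 (static): IPsec itself is not up.
        return ("error", "tunnel DOWN: verify the on-premises firewall IPsec configuration")

    # Dynamic (BGP) VPN
    if status == "UP":
        # Step 6 (BGP): Details must list one or more BGP routes.
        if tunnel.get("AcceptedRouteCount", 0) > 0:
            return ("ok", f"tunnel UP, {tunnel['AcceptedRouteCount']} BGP route(s) accepted")
        return ("warn", "tunnel UP but no BGP routes accepted: check the prefixes advertised by the customer gateway")
    if message.startswith("IPSEC IS UP"):
        # Step 7 (BGP): phase 2 is established, the BGP session is not.
        return ("error", "IPsec phase 2 is established but BGP is not: check the BGP configuration on your firewall")
    return ("error", "tunnel DOWN: verify the on-premises firewall IPsec configuration")


def diagnose(response):
    """Return {vpn_connection_id: {outside_ip: (severity, finding)}} for every connection."""
    return {
        conn["VpnConnectionId"]: {
            t["OutsideIpAddress"]: diagnose_tunnel(conn, t) for t in conn["VgwTelemetry"]
        }
        for conn in response["VpnConnections"]
    }


def fetch_live(vpn_connection_ids=None):
    """Fetch the real response with boto3 (needs AWS credentials; not used by the sample run)."""
    import boto3
    ec2 = boto3.client("ec2")
    kwargs = {"VpnConnectionIds": vpn_connection_ids} if vpn_connection_ids else {}
    return ec2.describe_vpn_connections(**kwargs)


if __name__ == "__main__":
    for vpn_id, tunnels in diagnose(SAMPLE_RESPONSE).items():
        for ip, (severity, text) in tunnels.items():
            print(f"{vpn_id} {ip:>15} [{severity}] {text}")
```

Run it against live data by replacing `SAMPLE_RESPONSE` with `fetch_live(["vpn-..."])`; the severity column tells you whether the next step is on the AWS side (routes) or on the on-premises device (IPsec or BGP configuration).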

Monitor your VPN tunnel using Amazon CloudWatch

You can also use CloudWatch to check the status of a VPN tunnel and to be notified when the status of the tunnel changes. Reviewing the CloudWatch metric data over time also helps you evaluate the tunnel's stability. For more information, see Monitoring VPN tunnels using Amazon CloudWatch.
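The two uses named above, notification on a state change and evaluating stability from metric data over time, are shown in the following added example (not code from this article or from AWS). It works on the per-tunnel `TunnelState` metric in the `AWS/VPN` namespace (1 = up, 0 = down, dimensions `VpnId` and `TunnelIpAddress`): one function summarises a series of datapoints into uptime, flap count and longest outage, and another builds the `put_metric_alarm` parameters for a tunnel-down alarm. The datapoints and the SNS topic ARN are constructed placeholders; the `fetch_tunnel_state` helper shows how the same series is pulled from CloudWatch with boto3.

```python
"""Evaluate Site-to-Site VPN tunnel stability from CloudWatch TunnelState data
and build the alarm that notifies when a tunnel goes down.

Added example (not AWS documentation code). The datapoint series is constructed;
in production it comes from GetMetricStatistics on AWS/VPN TunnelState.
"""
from datetime import datetime, timedelta, timezone

PERIOD = timedelta(minutes=5)  # CloudWatch period used for both analysis and alarm


def constructed_datapoints():
    """Constructed 2-hour series of 5-minute Minimum values: up, a 15-minute outage,
    eight periods up, a single-period blip, then up again (24 periods total)."""
    start = datetime(2022, 6, 17, 0, 0, tzinfo=timezone.utc)
    values = [1] * 6 + [0] * 3 + [1] * 8 + [0] + [1] * 6
    return [{"Timestamp": start + i * PERIOD, "Minimum": float(v)} for i, v in enumerate(values)]


def analyze_tunnel_state(datapoints, stat="Minimum"):
    """Summarise TunnelState datapoints. Using the Minimum statistic means a period
    counts as down if the tunnel was down at any point inside it."""
    points = sorted(datapoints, key=lambda d: d["Timestamp"])
    if not points:
        return {"samples": 0}
    states = [1 if p[stat] >= 1 else 0 for p in points]
    flaps = sum(1 for a, b in zip(states, states[1:]) if a != b)

    # Collect contiguous down runs as (start_timestamp, number_of_periods).
    outages, run_start, run_len = [], None, 0
    for point, state in zip(points, states):
        if state == 0:
            run_start = run_start or point["Timestamp"]
            run_len += 1
        elif run_len:
            outages.append((run_start, run_len))
            run_start, run_len = None, 0
    if run_len:
        outages.append((run_start, run_len))

    return {
        "samples": len(states),
        "uptime_pct": round(100 * sum(states) / len(states), 1),
        "flaps": flaps,
        "outages": len(outages),
        "longest_outage": max((n for _, n in outages), default=0) * PERIOD,
        "current": "UP" if states[-1] else "DOWN",
    }


def tunnel_down_alarm(vpn_id, tunnel_ip, sns_topic_arn):
    """Keyword arguments for cloudwatch.put_metric_alarm(): alarm when the tunnel
    reports down in any sample (Minimum < 1) for two consecutive 5-minute periods,
    and notify the same topic again when it recovers."""
    return {
        "AlarmName": f"{vpn_id}-{tunnel_ip}-tunnel-down",
        "Namespace": "AWS/VPN",
        "MetricName": "TunnelState",
        "Dimensions": [{"Name": "VpnId", "Value": vpn_id},
                       {"Name": "TunnelIpAddress", "Value": tunnel_ip}],
        "Statistic": "Minimum",
        "Period": int(PERIOD.total_seconds()),
        "EvaluationPeriods": 2,
        "Threshold": 1,
        "ComparisonOperator": "LessThanThreshold",
        "TreatMissingData": "breaching",  # no telemetry at all is also a problem
        "AlarmActions": [sns_topic_arn],
        "OKActions": [sns_topic_arn],
    }


def fetch_tunnel_state(vpn_id, tunnel_ip, hours=24):
    """Pull the real series with boto3 (needs AWS credentials; not used by the sample run)."""
    import boto3
    cw = boto3.client("cloudwatch")
    end = datetime.now(timezone.utc)
    resp = cw.get_metric_statistics(
        Namespace="AWS/VPN", MetricName="TunnelState",
        Dimensions=[{"Name": "VpnId", "Value": vpn_id},
                    {"Name": "TunnelIpAddress", "Value": tunnel_ip}],
        StartTime=end - timedelta(hours=hours), EndTime=end,
        Period=int(PERIOD.total_seconds()), Statistics=["Minimum"])
    return resp["Datapoints"]


if __name__ == "__main__":
    print(analyze_tunnel_state(constructed_datapoints()))
    print(tunnel_down_alarm("vpn-0123456789abcdef0", "203.0.113.10",
                            "arn:aws:sns:us-east-1:111122223333:vpn-alerts"))  # placeholder ARN
```

A high flap count with high uptime points at an unstable IKE or BGP session on the customer gateway rather than an outright outage, which is the distinction the article's UP/DOWN check alone cannot make.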

