I don’t see network traffic flowing on the AWS side of my Amazon Virtual Private Cloud (Amazon VPC) connection. How do I check the AWS VPN tunnel status?

Verify whether you are using static or dynamic VPN routing. VPN devices that don’t support Border Gateway Protocol (BGP) must use static routing. VPN devices that support BGP can use dynamic routing.

Check the current status using the Amazon VPC console

If you use a static VPN:

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under VPN Connections, choose VPN Connections.
  3. Select your VPN connection.
  4. Choose the Tunnel Details view.
  5. Review the Status of your VPN tunnel.
  6. If the tunnel status is UP, choose the Static Routes view and confirm that every private network behind your on-premises firewall is listed as a static route.
  7. If the tunnel status is DOWN, verify that your on-premises firewall is properly configured.
  8. Be sure to enable route propagation in your VPC route table.

If you use a dynamic VPN with BGP:

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under VPN Connections, choose VPN Connections.
  3. Select your VPN connection.
  4. Choose the Tunnel Details view.
  5. Review the Status of your VPN tunnel.
  6. If the tunnel status is UP, verify that the Details column has one or more BGP routes listed.
  7. If the tunnel status is DOWN but the Details column is IPSEC IS UP, be sure to configure BGP properly on your firewall. Phase 2 of Internet Protocol Security (IPSec) is established, but BGP isn’t established.
  8. Be sure to enable route propagation in your VPC route table.
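The two console procedures above map onto fields in the output of `aws ec2 describe-vpn-connections`: `Options.StaticRoutesOnly` tells you whether the connection is static or dynamic, and each entry in `VgwTelemetry` carries a tunnel's `Status`, `StatusMessage` and `AcceptedRouteCount`. The following script is an added example, not AWS tooling or part of this article; it applies the same checks to that JSON so the triage can be scripted. The sample response embedded below is constructed for the example (placeholder VPN ID and documentation IP addresses), and the advice strings are this example's wording of the steps above.

```python
"""Triage AWS Site-to-Site VPN tunnels from describe-vpn-connections output.

Added example, not AWS's own tooling. Field names (VgwTelemetry, Status,
StatusMessage, AcceptedRouteCount, Options.StaticRoutesOnly, Routes) are
those of the EC2 DescribeVpnConnections API; the sample JSON is constructed.
"""
import json
from typing import Dict, List

# Constructed sample response: a dynamic (BGP) connection with tunnel 1 up and
# tunnel 2 down with IPsec established but BGP not. Placeholder values only.
SAMPLE_RESPONSE = """
{
  "VpnConnections": [
    {
      "VpnConnectionId": "vpn-0123456789abcdef0",
      "State": "available",
      "Options": {"StaticRoutesOnly": false},
      "Routes": [],
      "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 3,
         "LastStatusChange": "2019-01-15T10:00:00.000Z"},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
         "StatusMessage": "IPSEC IS UP", "AcceptedRouteCount": 0,
         "LastStatusChange": "2019-01-15T09:30:00.000Z"}
      ]
    }
  ]
}
"""


def triage_tunnel(tunnel: Dict, static: bool, static_route_count: int) -> str:
    """Return the next check for one tunnel, following the article's steps."""
    status = (tunnel.get("Status") or "").upper()
    message = (tunnel.get("StatusMessage") or "").upper()
    accepted = int(tunnel.get("AcceptedRouteCount") or 0)

    if status == "UP":
        if static:
            if static_route_count == 0:
                return ("UP: no static routes configured; add the private networks "
                        "behind the on-premises firewall and enable route propagation")
            return f"UP: {static_route_count} static route(s) configured; enable route propagation"
        if accepted > 0:
            return f"UP: BGP established, {accepted} route(s) accepted"
        return "UP: IPsec up but no BGP routes accepted; check BGP advertisements on the customer gateway"

    # Tunnel is DOWN: distinguish 'IPsec up, BGP down' from 'IPsec not established'.
    if not static and "IPSEC IS UP" in message:
        return "DOWN: IPsec phase 2 established but BGP is not; check the BGP configuration on the firewall"
    return "DOWN: IPsec not established; verify the on-premises firewall/IKE configuration"


def triage_connection(conn: Dict) -> List[Dict]:
    """Triage every tunnel of one VPN connection."""
    static = bool(conn.get("Options", {}).get("StaticRoutesOnly", False))
    route_count = len(conn.get("Routes") or [])
    return [
        {
            "outside_ip": t["OutsideIpAddress"],
            "status": (t.get("Status") or "").upper(),
            "routing": "static" if static else "bgp",
            "advice": triage_tunnel(t, static, route_count),
        }
        for t in conn.get("VgwTelemetry", [])
    ]


def triage_response(raw_json: str) -> Dict[str, List[Dict]]:
    """Parse a describe-vpn-connections response and triage each connection."""
    data = json.loads(raw_json)
    return {c["VpnConnectionId"]: triage_connection(c) for c in data["VpnConnections"]}


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with the real CLI output, e.g.
    #   aws ec2 describe-vpn-connections --vpn-connection-ids <vpn-id> > vpn.json
    for vpn_id, tunnels in triage_response(SAMPLE_RESPONSE).items():
        for t in tunnels:
            print(f"{vpn_id} {t['outside_ip']:>15} [{t['routing']}] {t['advice']}")
```

Run it against saved CLI output for a real connection; the `routing` field tells you which of the two procedures above applies, and `advice` names the next step for each tunnel. The security-group and on-premises ACL checks listed under "If you continue to experience issues" still need to be done separately.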

If you continue to experience issues:

  • Verify that the security groups of Amazon Elastic Compute Cloud (Amazon EC2) instances in your VPC allow appropriate access. For more information, see Security Groups for Your VPC.
  • Verify that your local firewall allows the same service in its access control lists (ACLs) and firewall policies.

For more information, see Troubleshooting in the Amazon VPC Network Administrator Guide.

Monitor your VPN tunnel using CloudWatch

You can also use Amazon CloudWatch to check the status of a VPN tunnel, be notified when the status of the tunnel changes, and access metric data over time to help evaluate the tunnel's stability. For more information, see Monitoring VPN Tunnels Using Amazon CloudWatch.
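CloudWatch publishes the tunnel status as the `TunnelState` metric in the `AWS/VPN` namespace (1 when the tunnel is up, 0 when it is down), with `VpnId` and `TunnelIpAddress` dimensions. The following is an added example, not part of this article or of AWS's documentation: `alarm_request` builds the arguments for a `put_metric_alarm` call that fires when a tunnel stays down for five minutes, and `tunnel_stability` summarises a series of `TunnelState` datapoints (as returned by `get_metric_statistics`, sorted by timestamp) into state changes, outages and downtime, which is the "stability over time" check the paragraph describes. The datapoints, VPN ID, tunnel address and SNS topic ARN below are constructed placeholders.

```python
"""Alarm definition and stability summary for the CloudWatch TunnelState metric.

Added example; the datapoints and identifiers are constructed placeholders.
Metric semantics assumed: AWS/VPN TunnelState is 1 (up) or 0 (down) per tunnel.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def alarm_request(vpn_id: str, tunnel_ip: str, alarm_name: str, sns_topic_arn: str) -> Dict:
    """Return kwargs for boto3 cloudwatch.put_metric_alarm(**kwargs).

    Maximum < 1 over five consecutive 60 s periods means the tunnel reported
    no 'up' sample for five minutes; missing data is treated as breaching so
    a tunnel that stops reporting also alarms.
    """
    return {
        "AlarmName": alarm_name,
        "Namespace": "AWS/VPN",
        "MetricName": "TunnelState",
        "Dimensions": [
            {"Name": "VpnId", "Value": vpn_id},
            {"Name": "TunnelIpAddress", "Value": tunnel_ip},
        ],
        "Statistic": "Maximum",
        "Period": 60,
        "EvaluationPeriods": 5,
        "Threshold": 1,
        "ComparisonOperator": "LessThanThreshold",
        "TreatMissingData": "breaching",
        "AlarmActions": [sns_topic_arn],
    }


def tunnel_stability(datapoints: List[Tuple[datetime, float]], period_seconds: int = 60) -> Dict:
    """Summarise a time-ordered series of (timestamp, TunnelState) samples.

    Each sample stands for one period of `period_seconds`. A transition is any
    change of state; an outage is a run of 0 samples.
    """
    samples = sorted(datapoints, key=lambda p: p[0])
    transitions = 0
    outages = 0
    down_samples = 0
    previous = None
    for _, value in samples:
        up = value >= 1
        if not up:
            down_samples += 1
            if previous is None or previous:
                outages += 1  # a new run of 'down' samples starts here
        if previous is not None and up != previous:
            transitions += 1
        previous = up
    total = len(samples)
    return {
        "samples": total,
        "transitions": transitions,
        "outages": outages,
        "down_seconds": down_samples * period_seconds,
        "availability": (total - down_samples) / total if total else 0.0,
        "flapping": outages >= 2,  # repeated short outages point at IKE/BGP instability
    }


# Constructed sample: ten one-minute samples with two short outages.
_START = datetime(2019, 1, 15, 10, 0, 0)
SAMPLE_DATAPOINTS = [
    (_START + timedelta(minutes=i), v)
    for i, v in enumerate([1, 1, 0, 0, 1, 1, 1, 0, 1, 1])
]

if __name__ == "__main__":
    req = alarm_request("vpn-0123456789abcdef0", "203.0.113.10",
                        "vpn-tunnel-1-down", "arn:aws:sns:us-east-1:123456789012:vpn-alerts")
    print(req["MetricName"], req["Dimensions"])
    print(tunnel_stability(SAMPLE_DATAPOINTS))
```

To use the alarm definition for real, pass the returned dict to `boto3.client("cloudwatch").put_metric_alarm(**req)`; to run the stability summary on live data, feed it the `Datapoints` list from `get_metric_statistics` for the same metric and dimensions, mapped to `(Timestamp, Maximum)` pairs.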


Published: 2016-05-24

Updated: 2019-01-15