How do I troubleshoot packet loss, latency, or intermittent connectivity issues with my Client VPN connection?

Last updated: 2021-01-22

Short description

To diagnose network issues such as packet loss, latency, or intermittent connectivity in your Client VPN connection, first test the network to isolate the source of the issue. To narrow down that source, consider the following:

  • Is this issue affecting all users, or only users on a specific internet service provider (ISP) or at a specific remote location?
  • What connectivity medium are the affected users using to connect to Client VPN? For example, a fixed internet connection, a local WiFi hotspot, or a mobile network.
  • From what device are the affected users connecting? For example, a Windows machine or a mobile device.
  • Where are the affected users located in relation to the Client VPN endpoint?
  • What are users accessing when they experience packet loss, latency, or intermittent connectivity issues?
  • Does the client still experience packet loss, latency, or intermittent connectivity issues to external resources when not connected to Client VPN?
  • Is split-tunnel enabled on the endpoint?

Resolution

Review how users connect to the Client VPN endpoint

There are several factors involved in troubleshooting performance and connectivity issues with a Client VPN connection. Before progressing to more complicated troubleshooting methods used by network administrators to test connectivity, review the following considerations.

For users on a mobile network or WiFi hotspot

Users might have a poor connection with low signal or connectivity issues. Specifically with hotspots accessed in a shared location, there might be bandwidth restrictions. For these types of connections:

Test connection speeds using a performance testing tool, such as the Speedtest website. It's a best practice to test from the same Region as the Client VPN endpoint.

-or-

On Windows, macOS, or Linux-based systems, use ICMP to test connectivity to the default gateway. To check the stability of a WiFi hotspot connection:

ping <Default Gateway IP>

Note: Be sure to replace "Default Gateway IP" with the IP address of the default gateway.

If there's a poor connection or bandwidth constraints, it's a best practice to connect using a faster or more stable connection and then note any performance improvements.

For users in different geographic locations

Review where users are located in relation to the Client VPN endpoint.

For example, consider a scenario where split-tunnel isn't enabled and all user traffic is forced over the Client VPN tunnel. A user who is geographically distant from the endpoint might experience elevated latency, packet loss, or intermittent connectivity to resources in the VPC or over the internet. In this case, you can resolve the issues by configuring the VPC to allow this traffic if the intermediate ISPs have issues.

If it's not a requirement that traffic from internet resources is forwarded over the VPC, it's a best practice to enable split-tunnel. When you enable split-tunnel on the Client VPN endpoint, the routes in the endpoint route table are pushed to the device that's connected to the Client VPN. Then, only traffic with a destination to the network matching a route from the endpoint route table is routed through the Client VPN tunnel.

If necessary, use advanced troubleshooting techniques

If the previously described methods don't resolve your issues, use the following advanced techniques. These methods can help remote users troubleshoot network connectivity issues between their local device and the Client VPN endpoints.

For Windows users

Find the Client VPN endpoint node IP addresses:

1.    Open Command Prompt (cmd).

2.    Perform nslookup on your endpoint DNS URL:

nslookup cvpn-endpoint-0102bc4c2eEXAMPLE.clientvpn.us-west-2.amazonaws.com

If you have trouble resolving the previous command, append a subdomain:

nslookup test.cvpn-endpoint-0102bc4c2eEXAMPLE.clientvpn.us-west-2.amazonaws.com

Use the MTR method:

1.    Download and install WinMTR from the SourceForge website.

2.    For Host, enter the destination IP address, and then choose Start.

3.    Run the test for approximately one minute, and then choose Stop.

4.    Choose Copy text to clipboard, and then paste the output in a text file.

5.    Search the output in the text file for any loss in the % column that propagates through to the destination.

6.    Review hops on the MTR reports using a bottom-up approach. For example, check for loss on the last hop or destination, and then review the preceding hops.

Notes:

  • Client VPN doesn't respond to ICMP. However, MTR is still a viable test to confirm that there's no packet loss on the intermediate ISP links.
  • Ignore any hops with the "No response from host" message. This message indicates that those particular hops aren't responding to the ICMP probes.

Use the tracert method:

If you don't want to install MTR, or need to perform further testing, you can use the tracert command-line utility. Perform a tracert to the destination URL or IP address. Then, look for any hop that shows an abrupt spike in round-trip time (RTT). An abrupt spike in RTT might indicate a node under high load, which induces latency or packet drops in your traffic.

For macOS and Amazon Linux users

Find your Client VPN endpoint node IP addresses:

1.    Open Terminal.

2.    Perform dig on your endpoint DNS URL:

dig cvpn-endpoint-0102bc4c2eEXAMPLE.clientvpn.us-west-2.amazonaws.com

If you have trouble resolving the previous command, append a subdomain:

dig test.cvpn-endpoint-0102bc4c2eEXAMPLE.clientvpn.us-west-2.amazonaws.com

Use the MTR method:

1.    Install MTR.
On macOS, use Homebrew.
On Amazon Linux, use "sudo yum install mtr".
On Ubuntu Linux, use "sudo apt-get install mtr".

2.    Run a TCP-based MTR:

mtr -n -T -P 443 -c 200 <Client VPN endpoint IP> --report
mtr -n -T -P 1194 -c 200 <Client VPN endpoint IP> --report

-or-

Run a UDP-based MTR:

mtr -n -u -P 443 -c 200 <Client VPN endpoint IP> --report
mtr -n -u -P 1194 -c 200 <Client VPN endpoint IP> --report

Note: Be sure to test based on the port configured on your Client VPN endpoint. If you find packet loss in your network, refer to your vendor documentation for instructions on how to check network devices for analysis and troubleshooting. Or, reach out to your internet service provider.
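As an added example that is not part of this AWS article, the following Python applies the bottom-up review described in the MTR steps above to a constructed `mtr --report` output: it skips hops that never answered (mtr prints "???", the equivalent of WinMTR's "No response from host") and finds the earliest hop whose loss carries through to the destination. The sample report, its documentation-range addresses, and the one-percentage-point tolerance are assumptions; WinMTR's clipboard text uses a different column layout and would need its own regular expression.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what `mtr -n -T -P 443 -c 200 <endpoint IP> --report`
# prints (RFC 5737 documentation addresses, not a real trace). Hop 3 never
# answered; hop 4 drops many probes of its own, but only 3.5% reaches the end.
SAMPLE_REPORT = """\
Start: 2021-01-22T10:00:00+0000
HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%   200    1.2   1.4   0.9   5.3   0.4
  2.|-- 198.51.100.1               0.0%   200   10.1  10.5   9.8  15.2   0.9
  3.|-- ???                       100.0   200    0.0   0.0   0.0   0.0   0.0
  4.|-- 203.0.113.7               40.0%   200   25.3  26.0  24.1  40.2   2.1
  5.|-- 203.0.113.8                3.5%   200   26.0  27.1  25.0  41.0   2.0
  6.|-- 192.0.2.10                 3.5%   200   30.1  31.0  29.5  45.0   2.5
"""

# One report row: hop number, host, Loss% (printed without "%" for "???" rows).
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?\s")

@dataclass
class Hop:
    index: int
    host: str
    loss_pct: float

    @property
    def responded(self) -> bool:
        # "???" is mtr's "No response from host": skip it, as the article says.
        return self.host != "???"

def parse_report(text: str) -> List[Hop]:
    return [Hop(int(m[1]), m[2], float(m[3]))
            for m in map(HOP_RE.match, text.splitlines()) if m]

def first_propagating_loss(hops: List[Hop], tolerance: float = 1.0) -> Optional[Hop]:
    """Bottom-up check: walk back from the destination while each responding hop
    shows at least the destination's loss; return the earliest such hop. None means
    the destination has no loss, so intermediate loss is not propagated (typically
    ICMP rate limiting on a router, not a fault on the path)."""
    responding = [h for h in hops if h.responded]
    if not responding or responding[-1].loss_pct == 0.0:
        return None
    dest = culprit = responding[-1]
    for hop in reversed(responding[:-1]):
        if hop.loss_pct + tolerance < dest.loss_pct:
            break  # this hop is clean, so the loss begins after it
        culprit = hop
    return culprit
```

Run `mtr ... --report > report.txt`, then pass the file contents to `parse_report` and `first_propagating_loss`; a result of hop 1 or 2 points at the local network or hotspot, a later hop at an intermediate ISP.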
