I am having continuous or intermittent packet loss and high latency issues on my VPN connection. What tests can I run to ensure the issue is not taking place inside my AWS VPC?

Before beginning performance tests, launch and configure your EC2 Linux instances:

  1. Follow the steps in Launch an Instance to launch Linux instances in at least two different Availability Zones under the same VPC from which you can run network performance testing.
  2. For the best possible network performance, ensure that the instances support enhanced networking for Linux, launch the instances in the same VPC, and follow the steps in Enabling Enhanced Networking on Linux Instances in a VPC.
  3. If you are performing network testing between instances that are not co-located in the same placement group or do not support jumbo frames, follow the steps in Network Maximum Transmission Unit (MTU) for Your EC2 Instance to check and set the MTU on your Amazon EC2 Instance.
  4. Complete the steps in Connect to Your Linux Instance to verify that you can access the instances.

Install the MTR network tool on both instances to check for any ICMP or TCP packet loss and latency

The Linux MTR command provides continually updated output that allows you to analyze network performance over time. It combines the functionality of the "traceroute" and "ping" programs in a single network diagnostic tool.

To install MTR on Linux:

Amazon Linux

sudo yum install mtr

Ubuntu

sudo apt-get install mtr

Run the following commands:

Note: You should run the test between the private and public IP address of your EC2 instances and your on-premises host bidirectionally. The path between nodes on a TCP/IP network can change when the direction is reversed, and it is important to obtain mtr results in both directions.

mtr -n -c 200 <Private IP EC2 instance/on-premises host> --report
mtr -n -T -c 200 <Private IP EC2 instance/on-premises host> --report

mtr -n -c 200 <Public IP EC2 instance/on-premises host> --report
mtr -n -T -c 200 <Public IP EC2 instance/on-premises host> --report

Use the Linux traceroute utility to determine latency or routing problems

The Linux traceroute utility identifies the path that is taken from a client node to a specified destination node and the time in milliseconds for each router identified in the path to respond to a request. It also calculates and displays the amount of time each hop takes before reaching its destination.

If traceroute is not already installed, run the following command, depending on your OS version:

Amazon Linux

sudo yum install traceroute

Ubuntu

sudo apt-get install traceroute

Run the following commands:

sudo traceroute <private IP of EC2 instance/on-premises host>
sudo traceroute -T -p 80 <private IP of EC2 instance/on-premises host>

sudo traceroute <public IP of EC2 instance/on-premises host>
sudo traceroute -T -p 80 <public IP of EC2 instance/on-premises host>

The arguments -T -p 80 perform a TCP-based trace on port 80; add -n to skip reverse DNS lookups so that each hop is shown by IP address only.

Note: Ensure that port 80, or whichever port you are testing with, is open in both directions.

The Linux traceroute option to specify a TCP-based trace instead of ICMP is useful because most Internet devices deprioritize ICMP-based trace requests. A few timed-out requests are common, so watch for packet loss to the destination or in the last hop of the route. Packet loss that accumulates over several hops can also indicate a problem.

Note: When troubleshooting network connectivity using the traceroute utility, it is beneficial to run the command in both directions, from the client to the server and then from the server back to the client. For more information on traceroute diagnostics, see Traceroute.
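The interpretation rules in the mtr and traceroute sections above (loss only counts when it reaches the destination, loss that accumulates across hops points to where the problem starts, and loss on a single intermediate hop is usually that router deprioritizing probe replies) can be applied mechanically to a saved mtr --report. The following script is an added example and is not part of the AWS article; the two report texts are constructed samples in the mtr --report format, not real captures, and the loss and latency thresholds are assumptions you should tune to your own baseline.

```python
import re
from dataclasses import dataclass

# Constructed sample of `mtr -n -c 200 <host> --report` output (not real AWS data):
# an intermediate hop drops probes but the destination answers every one.
BENIGN_REPORT = """\
Start: Thu Feb 23 10:00:00 2017
HOST: ip-10-0-0-10                Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.0.0.1                   0.0%   200    0.3   0.4   0.2   1.1   0.1
  2.|-- 169.254.10.1              40.0%   200    2.1   2.4   1.9   9.8   0.9
  3.|-- ???                      100.0%   200    0.0   0.0   0.0   0.0   0.0
  4.|-- 192.168.1.20               0.0%   200   35.2  36.1  33.0  41.5   1.3
"""

# Constructed sample where loss appears at hop 3 and carries through to the
# destination, together with latency spikes on the same hops.
PERSISTENT_LOSS_REPORT = """\
Start: Thu Feb 23 10:05:00 2017
HOST: ip-10-0-0-10                Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.0.0.1                   0.0%   200    0.3   0.4   0.2   1.1   0.1
  2.|-- 169.254.10.1               0.5%   200    2.1   2.4   1.9   9.8   0.9
  3.|-- 203.0.113.5                6.0%   200   18.0  22.3  15.1 310.2  35.7
  4.|-- 192.168.1.20               6.5%   200   35.2  44.1  33.0 420.5  48.3
"""


@dataclass
class Hop:
    index: int
    host: str        # "???" when the hop never answered
    loss_pct: float
    sent: int
    last: float
    avg: float
    best: float
    worst: float
    stdev: float


# One report row: "  4.|-- 192.168.1.20  6.5%  200  35.2  44.1  33.0 420.5  48.3"
HOP_RE = re.compile(
    r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_mtr_report(text):
    """Return the hop rows of an mtr --report, skipping the header lines."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            g = m.groups()
            hops.append(Hop(int(g[0]), g[1], float(g[2]), int(g[3]),
                            *(float(x) for x in g[4:])))
    return hops


def analyze(hops, loss_threshold=1.0, latency_ms=100.0):
    """Apply the interpretation rules from the article.

    - Loss only matters if it is still present at the destination (last hop).
    - Walking back from the destination, the contiguous run of lossy hops
      shows where the loss first appears; silent "???" hops neither confirm
      nor break that run.
    - Loss on an intermediate hop that is not carried to the destination is
      usually that router deprioritizing probe replies, not a fault.
    """
    dest = hops[-1]
    run = []
    if dest.loss_pct > loss_threshold:
        for hop in reversed(hops):
            if hop.host == "???":
                continue
            if hop.loss_pct > loss_threshold:
                run.append(hop)
            else:
                break
    in_run = {hop.index for hop in run}
    return {
        "dest_loss_pct": dest.loss_pct,
        "loss_starts_at": run[-1].index if run else None,
        "benign_loss_hops": [h.index for h in hops
                             if h.host != "???" and h.loss_pct > loss_threshold
                             and h.index not in in_run],
        "high_latency_hops": [h.index for h in hops
                              if h.host != "???" and h.worst > latency_ms],
    }


def analyze_report(text, **thresholds):
    hops = parse_mtr_report(text)
    if not hops:
        raise ValueError("no mtr hop rows found in report")
    return analyze(hops, **thresholds)


if __name__ == "__main__":
    for name, report in (("benign", BENIGN_REPORT),
                         ("persistent", PERSISTENT_LOSS_REPORT)):
        print(name, analyze_report(report))
```

Run the script against reports captured in both directions (EC2 to on-premises and back): a loss_starts_at hop that only shows up in one direction is a strong hint that the asymmetric return path, not the VPC, is where to look next.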

Use the hping3 utility to determine latency or TCP packet loss problems

hping is a command-line oriented TCP/IP packet assembler/analyzer. In addition to ICMP echo requests, it supports TCP, UDP, and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.

If hping is not already installed, run the following command on Amazon Linux:

sudo yum --enablerepo=epel install hping3

Run the following commands:

hping3 -S -c 50 -V <Public IP of EC2 instance or on-premises host>
hping3 -S -c 50 -V <Private IP of EC2 instance or on-premises host>

Note: By default, hping3 sends TCP headers to port 0 of the target host with a window size of 64 and no TCP flags set; the -S option in the commands above sets the SYN flag instead.
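When hping3 is not available on a host (for example on an on-premises box where you cannot install packages), the same TCP-level loss and latency measurement can be approximated with ordinary sockets. The script below is an added example, not part of the AWS article and not hping3's own code; it completes a full TCP handshake with connect() rather than sending a raw SYN, so it needs no root privileges, and it counts a SYN/ACK ("SA") or an RST ("RA") as a reply and only a timeout or unreachable error as loss, which matches how hping3 -S reports replies. The loopback listener and the find_closed_port helper exist only so the example runs offline; in practice you would point tcp_probe at the private or public IP and a port that is open in both directions, as the text above requires.

```python
import socket
import statistics
import threading
import time
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    target: tuple
    sent: int = 0
    answered: int = 0
    flags: list = field(default_factory=list)   # "SA" (open), "RA" (closed), None (no reply)
    rtts_ms: list = field(default_factory=list)

    @property
    def loss_pct(self):
        return 100.0 * (self.sent - self.answered) / self.sent if self.sent else 0.0

    def summary(self):
        """hping3-style closing lines: packet counts, loss, and RTT min/avg/max."""
        line = (f"{self.sent} packets transmitted, {self.answered} packets received, "
                f"{self.loss_pct:.0f}% packet loss")
        if self.rtts_ms:
            line += (f"\nround-trip min/avg/max = {min(self.rtts_ms):.1f}/"
                     f"{statistics.mean(self.rtts_ms):.1f}/{max(self.rtts_ms):.1f} ms")
        return line


def tcp_probe(host, port, count=10, timeout=2.0, interval=0.0):
    """Send `count` TCP connection attempts to host:port and classify each reply.

    A completed handshake (SYN/ACK) and a refused connection (RST) both prove
    the host answered; only a timeout or an unreachable error counts as loss.
    """
    result = ProbeResult((host, port))
    for _ in range(count):
        result.sent += 1
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
            flags = "SA"
        except ConnectionRefusedError:
            flags = "RA"
        except OSError:            # timed out, no route, host unreachable
            flags = None
        if flags is not None:
            result.answered += 1
            result.rtts_ms.append((time.perf_counter() - start) * 1000.0)
        result.flags.append(flags)
        if interval:
            time.sleep(interval)
    return result


def start_local_listener():
    """Throwaway TCP listener on loopback so the example can run offline (constructed)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(16)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
                conn.close()
            except OSError:        # listener closed: stop serving
                return

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def find_closed_port():
    """Bind an ephemeral port and release it; nothing listens there afterwards (constructed helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    server, port = start_local_listener()
    print(tcp_probe("127.0.0.1", port, count=5).summary())
    server.close()
    print(tcp_probe("127.0.0.1", find_closed_port(), count=3).summary())
```

Compare the loss percentage and the RTT spread with the ICMP results from mtr: loss that is present for TCP but absent for ICMP (or the reverse) points at protocol-specific handling on a device in the path rather than at raw link loss.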

Packet capture samples using tcpdump

Performing packet captures on your EC2 instances (present in multiple Availability Zones) and your on-premises host when duplicating the issue helps to determine if there are any application or network layer issues on the VPN connection.

To install tcpdump on the Linux instances, run the following command, depending on your OS version:

Amazon Linux

sudo yum install tcpdump

Ubuntu

sudo apt-get install tcpdump

For more information about using tcpdump, see A tcpdump Tutorial and Primer with Examples.

Note: Check with your specific vendor documentation for instructions on how to check network devices for analysis and troubleshooting.




Published: 2017-02-23