


 Short description
------------------



When you use a policy-based VPN connection to connect to an AWS VPN endpoint, AWS limits the number of security associations to a single pair. The single pair includes one inbound and one outbound security association.


Policy-based VPNs with more than one pair of security associations will drop existing connections when new connections with different security associations initiate. This behavior indicates that a new VPN connection has interrupted an existing one.



 Resolution
-----------



Limit the number of encryption domains (networks) with access to your VPC. If you have more than one encryption domain behind your VPN's [customer gateway](https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html), then configure them to use a single security association. To check if multiple security associations exist for your customer gateway, see the [Troubleshooting your customer gateway device](https://docs.aws.amazon.com/vpc/latest/adminguide/Troubleshooting.html).


[Configure your customer gateway](https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-configure-customer-gateway-device) to allow any network behind the customer gateway (0.0.0.0/0) with a destination of your VPC Classless Inter-Domain Routing (CIDR) to pass through the VPN tunnel. This configuration uses a single security association, which improves tunnel stability. This configuration also allows networks that aren't defined in the policy to access the VPC.


If possible, implement a traffic filter on your customer gateway to block unwanted traffic to your VPC. [Configure security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#creating-security-groups) to specify what traffic can reach your instances. Also configure [network access control lists (network ACLs)](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) to block unwanted traffic to subnets.





---




 Related information
--------------------



[Why is IKE (phase 1 of my VPN tunnel) failing in Amazon VPC?](https://repost.aws/knowledge-center/vpn-tunnel-phase-1-ike)


[Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?](https://repost.aws/knowledge-center/vpn-tunnel-phase-2-ipsec)







I'm using a policy-based virtual private network (VPN) to connect to my AWS Virtual Private Network (AWS VPN) endpoint in Amazon Virtual Private Cloud (Amazon VPC). I'm experiencing problems, such as packet loss, intermittent or no connectivity, and general network instability, and want to troubleshoot these issues.

Troubleshoot connection problems for AWS VPNs

How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

Networking & Content Delivery

Why can't I connect to a peered VPC when using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway?

How do I delete or terminate a Client VPN endpoint or connection on AWS Client VPN?

How do I troubleshoot VPN tunnel connectivity to an Amazon VPC?

How do I create a backup VPN for my AWS Site-to-Site VPN connection?

How do I set up an IPsec VPN between a virtual pfSense router and an AWS managed VPN endpoint with static routing?

Connecting a Linux box to AWS-VPN using OKTA Authentication/Authorization

Intermittent issues connecting from a AWS Client VPN to a VPC Peering connection?

Enterprise VPN Client needed to connect to AWS Client VPN Endpoint

AWS Site-to-Site VPN connection

VPN connection between on-premises and AWS

How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

Short description

Resolution

Related information

Relevant content