I'm using a policy-based virtual private network (VPN) to connect to my AWS VPN endpoint in Amazon Virtual Private Cloud (Amazon VPC). I'm experiencing problems, such as packet loss, intermittent or no connectivity, and general network instability. How do I troubleshoot these issues?
When you use a policy-based VPN connection to connect to an AWS VPN endpoint, AWS limits the number of security associations to a single pair. The single pair includes one inbound and one outbound security association.
Policy-based VPNs with more than one pair of security associations drop existing connections when new connections are initiated with different security associations. This behavior might appear to indicate intermittent packet loss and other connectivity failures. However, this behavior indicates that a new VPN connection has interrupted an existing one.
Limit the number of encryption domains (networks) with access to your VPC. If you have more than two encryption domains behind your VPN's customer gateway, configure them to use a single security association. To check if multiple security associations exist for your customer gateway, see the customer gateway troubleshooting guide for device-specific instructions.
Configure your customer gateway to allow any network behind the customer gateway (0.0.0.0/0) with a destination of your VPC CIDR to pass through the VPN tunnel. This configuration uses a single security association, which improves tunnel stability. It also allows networks that are not defined in the policy to access the VPC.
If possible, implement a traffic filter on your customer gateway to block unwanted traffic to your VPC. Configure security groups to specify what traffic can reach your instances. Also configure network access control lists (network ACLs) to block unwanted traffic to subnets.