My firewall implements a policy-based VPN, and I am experiencing intermittent connectivity issues to an AWS VPN endpoint. Some of the issues that occur include packet loss, intermittent or no connectivity, and general network instability.

When using a policy-based VPN configuration, AWS limits the number of security associations to a single pair (one inbound and one outbound). Policy-based VPNs that are configured with more than one security association will drop existing VPN tunnel connections when initiating a VPN tunnel connection that uses a different security association. This problem will be perceived as intermittent packet loss or connectivity failure as new VPN connections with one security association interrupt VPN tunnel connections established with a different security association.

Use one of the following methods to resolve this issue:

  • Limit the number of encryption domains (networks) that are allowed access to the virtual private cloud (VPC) and consolidate. If there are more than two encryption domains (networks) behind the customer gateway , consolidate them to use a single security association.
  • Configure the policy to allow "any" network (0.0.0.0/0) from behind the customer gateway to the VPC CIDR. Essentially, this allows any network behind the customer gateway with a destination of the AWS VPC to pass through the tunnel, which will only create a single security association. This improves stability of the tunnel and allows future networks not defined in the policy to have access to the AWS VPC. This is the generally recommended best approach to resolve this issue.

Note
When possible, implement a traffic filter on the customer gateway to block unwanted traffic to the VPC. You can also configure security groups to specify the traffic that can reach your instances, and network access control lists (NACLs) to block unwanted traffic to your subnets.

AWS, VPN, VPC, tunnel drop, connect, packet loss, tunnel instability, troubleshoot


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center.

Published: 2015-11-19