How can I troubleshoot issues with Accelerated VPN?

Last updated: 2021-01-27

How can I troubleshoot issues with AWS Accelerated VPN?


Confirm that your firewall configuration meets all requirements

Confirm that NAT-traversal is enabled

NAT-traversal (NAT-T) is required for an Accelerated VPN connection. NAT-T is enabled by default. If you downloaded a configuration file from the Amazon Virtual Private Cloud (Amazon VPC) console, check the NAT-T setting and enable it if necessary.

Confirm that lifetime parameters match

The IKE tunnel lifetime parameters must match what's set on your AWS Virtual Private Network (AWS VPN). By default, these settings are:

  • 28,800 seconds (8 hours) for phase 1
  • 3,600 seconds (1 hour) for phase 2

If necessary, change the AWS VPN parameters to match your IKE tunnel parameters.
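One way to run this lifetime check for every accelerated connection at once is to compare saved output from aws ec2 describe-vpn-connections with the values configured on your customer gateway device. This is an added example, not AWS-provided code. The function name, the sample JSON, and the fallback to the defaults listed above when a tunnel reports no explicit lifetime are assumptions.

```python
import json

# Defaults stated on this page; assumed to apply when a tunnel lists no explicit value.
DEFAULT_PHASE1 = 28800
DEFAULT_PHASE2 = 3600

# Constructed sample shaped like `aws ec2 describe-vpn-connections` output.
SAMPLE = json.loads("""
{"VpnConnections": [
  {"VpnConnectionId": "vpn-EXAMPLE1",
   "Options": {"EnableAcceleration": true,
     "TunnelOptions": [
       {"OutsideIpAddress": "192.0.2.10",
        "Phase1LifetimeSeconds": 28800, "Phase2LifetimeSeconds": 3600},
       {"OutsideIpAddress": "192.0.2.11", "Phase2LifetimeSeconds": 1800}]}},
  {"VpnConnectionId": "vpn-EXAMPLE2",
   "Options": {"EnableAcceleration": false, "TunnelOptions": []}}
]}
""")

def lifetime_mismatches(described, cgw_phase1, cgw_phase2):
    """Return (connection, tunnel IP, phase, AWS value, device value) for each
    lifetime mismatch on connections that have acceleration enabled."""
    cgw = {"phase1": cgw_phase1, "phase2": cgw_phase2}
    findings = []
    for conn in described.get("VpnConnections", []):
        opts = conn.get("Options", {})
        if not opts.get("EnableAcceleration"):
            continue  # not an Accelerated VPN connection
        for tun in opts.get("TunnelOptions", []):
            aws = {
                "phase1": tun.get("Phase1LifetimeSeconds", DEFAULT_PHASE1),
                "phase2": tun.get("Phase2LifetimeSeconds", DEFAULT_PHASE2),
            }
            for phase in ("phase1", "phase2"):
                if aws[phase] != cgw[phase]:
                    findings.append((conn["VpnConnectionId"],
                                     tun.get("OutsideIpAddress"),
                                     phase, aws[phase], cgw[phase]))
    return findings

if __name__ == "__main__":
    # Device values here are the page's defaults; substitute your own.
    for finding in lifetime_mismatches(SAMPLE, 28800, 3600):
        print("mismatch: %s tunnel %s %s AWS=%s device=%s" % finding)
```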

Confirm the connection's compatibility with Global Accelerator (if applicable)

If your Site-to-Site VPN connection uses certificate-based authentication, it might not be compatible with AWS Global Accelerator. There's limited support for packet fragmentation in Global Accelerator. If you require an Accelerated VPN connection that uses certificate-based authentication, your customer gateway device must support IKE fragmentation. Otherwise, don't enable your VPN for acceleration. For more information, see How AWS Global Accelerator works.

Confirm that acceleration was configured in the proper sequence

Acceleration can't be enabled or disabled for an existing Site-to-Site VPN connection. Instead, create a new Site-to-Site VPN connection with acceleration enabled or disabled as needed. Then, configure your customer gateway device to use the new Site-to-Site VPN connection. Finally, delete the previous Site-to-Site VPN connection. For more information on Accelerated VPN restrictions, see Rules and restrictions.
