How can I troubleshoot issues with Accelerated VPN?

2 minute read

How can I troubleshoot issues with AWS Accelerated VPN?

Resolution

Confirm that your firewall configuration meets all requirements

For more information, see Configuring a firewall between the internet and your customer gateway device.

Confirm that NAT-traversal is activated on the customer gateway device

NAT-traversal (NAT-T) is required for an Accelerated VPN connection. NAT-T is activated by default. If you downloaded a configuration file from the Amazon Virtual Private Cloud (Amazon VPC) console, check the NAT-T setting and start it if necessary.

Note: If NAT-T is deactivated on the customer gateway device the tunnel will still come up. However, in this scenario the issue could still persist for the data traffic.

For more information, see Your customer gateway device.

Confirm that lifetime parameters match

The IKE tunnel lifetime parameter must match what's set on your AWS Virtual Private Network (AWS VPN). By default, these settings are:

28,800 seconds (8 hours) for phase 1
3,600 seconds (1 hour) for phase 2

If necessary, change the AWS VPN parameters to match your IKE tunnel parameters.

Confirm the connection's compatibility with Global Accelerator (if applicable)

If your Site-to-Site VPN connection uses certificate-based authentication, it might not be compatible with AWS Global Accelerator. There's limited support for packet fragmentation in Global Accelerator. If you require an Accelerated VPN connection that uses certificate-based authentication, your customer gateway device must support IKE fragmentation. Otherwise, don't activate your VPN for acceleration. For more information, see How AWS Global Accelerator works.

Confirm that acceleration was configured in the proper sequence

Acceleration can't be activated or deactivated for an existing Site-to-Site VPN connection. Instead, create a new Site-to-Site VPN connection with acceleration activated or deactivated as needed. Then, configure your customer gateway device to use the new Site-to-Site VPN connection. Finally, delete the previous Site-to-Site VPN connection. For more information on Accelerated VPN restrictions, see Rules and restrictions.

Topics

Networking & Content Delivery

Relevant content

How Can I troubleshoot my AWS VPN endpoint that stopped working?
CJ
asked 5 months ago
AWS VPN Client DNS Resolution issues
rePost-User-7335854
asked 2 years ago
S2S VPN Configuration
rePost-User-4906584
asked 4 months ago
Seeking Assistance with DNS Hostname Resolution Issue in VPC Configuration.
Accepted Answer
Hoseok Han
asked 8 months ago
Cisco FTDv Firewall Initial Configuration issue with connectivity to AWS VPC
Accepted Answer
fersherls
asked 2 years ago
How can I build a dynamic routing based VPN using a Palo-Alto firewall and AWS VPN?
AWS OFFICIALUpdated a year ago
How can I configure dynamic routing-based AWS Site-To-Site VPN with a MikroTik router?
AWS OFFICIALUpdated a year ago
How do I troubleshoot Direct Connect and VPN failover issues?
AWS OFFICIALUpdated 10 months ago
How do I troubleshoot DNS resolution issues with Route 53 Resolver endpoints?
AWS OFFICIALUpdated a year ago
Configuration of Dynamic Routing (BGP) - Based AWS Site-to-Site VPN with MikroTik Router for Secure Data Transmission
EXPERT
Vinay Gugueoth
published 8 months ago