How can I troubleshoot issues with Accelerated VPN?
Last updated: 2022-05-12
How can I troubleshoot issues with AWS Accelerated VPN?
Confirm that your firewall configuration meets all requirements
For more information, see Configuring a firewall between the internet and your customer gateway device.
Confirm that NAT-traversal is activated on the customer gateway device
NAT-traversal (NAT-T) is required for an Accelerated VPN connection. NAT-T is activated by default. If you downloaded a configuration file from the Amazon Virtual Private Cloud (Amazon VPC) console, check the NAT-T setting and start it if necessary.
Note: If NAT-T is deactivated on the customer gateway device the tunnel will still come up. However, in this scenario the issue could still persist for the data traffic.
For more information, see Your customer gateway device.
Confirm that lifetime parameters match
The IKE tunnel lifetime parameter must match what's set on your AWS Virtual Private Network (AWS VPN). By default, these settings are:
- 28,800 seconds (8 hours) for phase 1
- 3,600 seconds (1 hour) for phase 2
If necessary, change the AWS VPN parameters to match your IKE tunnel parameters.
Confirm the connection's compatibility with Global Accelerator (if applicable)
If your Site-to-Site VPN connection uses certificate-based authentication, it might not be compatible with AWS Global Accelerator. There's limited support for packet fragmentation in Global Accelerator. If you require an Accelerated VPN connection that uses certificate-based authentication, your customer gateway device must support IKE fragmentation. Otherwise, don't activate your VPN for acceleration. For more information, see How AWS Global Accelerator works.
Confirm that acceleration was configured in the proper sequence
Acceleration can't be activated or deactivated for an existing Site-to-Site VPN connection. Instead, create a new Site-to-Site VPN connection with acceleration activated or deactivated as needed. Then, configure your customer gateway device to use the new Site-to-Site VPN connection. Finally, delete the previous Site-to-Site VPN connection. For more information on Accelerated VPN restrictions, see Rules and restrictions.