Preet explains timeout values
for VPN tunnels


How do I troubleshoot VPN tunnel inactivity or instability issues for my network device?

Dead Peer Detection (DPD) and keep-alive messages are exchanged between VPN peers over UDP port 500 or 4500 to check whether the other peer is still available and accepting traffic.

AWS uses an on-demand DPD mechanism; if AWS receives no traffic from a VPN peer for 10 seconds, AWS sends a DPD “R-U-THERE” message, expecting an “R-U-THERE-ACK” response from the VPN peer. If the VPN peer does not respond to three successive DPDs, the VPN peer is considered dead and AWS closes the tunnel. Unacknowledged DPDs can indicate an idle tunnel and could result in the tunnel being torn down by either side.

Some network devices tear down a VPN tunnel after a few minutes of inactivity, even if DPD messages are successfully acknowledged.

To resolve this, ensure constant bidirectional traffic between your local network and VPC.

Consider setting up a host that sends one ICMP request every 5 seconds to an instance in the VPC that responds to ICMP. This keeps the tunnel up: the instance's replies to the ICMP requests mean that packets are continually being encrypted and decrypted across the tunnel.
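To make the timing in the two paragraphs above concrete, here is a small model of the AWS-side DPD timer and of the 5-second keep-alive recommendation. It is an added example, not AWS code and not the exact algorithm AWS runs: the 10-second idle threshold and the three-missed-probes limit come from the text, while the wait between successive "R-U-THERE" probes is not stated on the page and is assumed here to equal the idle threshold. The event timelines fed to it are constructed for illustration.

```python
"""Model of on-demand Dead Peer Detection timing (added example, not AWS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values stated on the page.
DPD_IDLE_SECONDS = 10   # silence from the peer before AWS sends "R-U-THERE"
DPD_MAX_MISSED = 3      # unanswered probes before the peer is declared dead

# ASSUMPTION (not on the page): how long AWS waits for "R-U-THERE-ACK"
# before sending the next probe. Modelled as equal to the idle threshold.
DPD_PROBE_TIMEOUT_SECONDS = 10


@dataclass
class DpdResult:
    probes_sent: List[int]    # seconds at which an "R-U-THERE" was sent
    dead_at: Optional[int]    # second at which the tunnel was torn down, or None


def simulate_dpd(peer_events: List[Tuple[int, str]], duration: int) -> DpdResult:
    """Simulate the AWS side of on-demand DPD for `duration` seconds.

    peer_events: (second, kind) pairs, where kind is
      "data" - the peer sent encrypted traffic through the tunnel, or
      "ack"  - the peer answered an outstanding probe with "R-U-THERE-ACK".
    Any packet from the peer resets the idle timer and the missed-probe count.
    """
    by_second: Dict[int, List[str]] = {}
    for second, kind in peer_events:
        by_second.setdefault(second, []).append(kind)

    last_rx = 0                     # last second we heard from the peer
    probe_at: Optional[int] = None  # when the outstanding probe was sent
    missed = 0
    probes: List[int] = []

    for t in range(duration + 1):
        # Process anything the peer sent this second.
        for kind in by_second.get(t, []):
            if kind == "data" or (kind == "ack" and probe_at is not None):
                last_rx = t
                probe_at = None
                missed = 0

        if probe_at is not None:
            # A probe is outstanding; has it timed out?
            if t - probe_at >= DPD_PROBE_TIMEOUT_SECONDS:
                missed += 1
                if missed >= DPD_MAX_MISSED:
                    return DpdResult(probes, t)   # three successive DPDs unanswered
                probe_at = t                       # retry
                probes.append(t)
        elif t - last_rx >= DPD_IDLE_SECONDS:
            # Idle for 10 seconds with no probe outstanding: send "R-U-THERE".
            probe_at = t
            probes.append(t)

    return DpdResult(probes, None)


def keepalive_keeps_tunnel_quiet(interval_seconds: int, duration: int = 120) -> bool:
    """True if a host sending traffic every `interval_seconds` never lets
    the idle timer reach DPD_IDLE_SECONDS, so no DPD probe is ever needed."""
    events = [(t, "data") for t in range(0, duration + 1, interval_seconds)]
    result = simulate_dpd(events, duration)
    return result.probes_sent == [] and result.dead_at is None


if __name__ == "__main__":
    # Constructed timeline: peer sends two packets, then goes silent.
    print(simulate_dpd([(0, "data"), (3, "data")], 60))
    # Constructed timeline: peer is idle but answers every probe one second later.
    print(simulate_dpd([(0, "data")] + [(11 * k, "ack") for k in range(1, 6)], 60))
    print("5 s keep-alive avoids DPD:", keepalive_keeps_tunnel_quiet(5))
    print("12 s keep-alive avoids DPD:", keepalive_keeps_tunnel_quiet(12))
```

The second timeline shows why acknowledged DPDs alone are not enough on some devices: the peer answers every probe, so AWS never tears the tunnel down, yet no data crosses the tunnel at all. A customer gateway with its own data-inactivity timer would still drop it, which is what the 5-second ICMP keep-alive (the third timeline) prevents.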

For more information about configuring vendor-specific network devices, see the AWS VPC Network Administrator Guide.



Published: 2016-12-12