Preet explains timeout values for VPN tunnels


How do I troubleshoot VPN tunnel inactivity or instability issues for my network device?

Dead Peer Detection (DPD) and keep-alive messages are UDP 500 or UDP 4500 packets exchanged between VPN peers to check whether the other peer is reachable and accepting traffic.

AWS VPN uses an on-demand DPD mechanism for peers that are not behind NAT, and periodic DPDs for peers that are behind NAT. If AWS receives no traffic from a VPN peer for 10 seconds, AWS sends a DPD "R-U-THERE" message and expects an "R-U-THERE-ACK" response from the VPN peer. If the VPN peer does not respond to three successive DPDs, the peer is considered dead and AWS closes the tunnel.

Another common reason for VPN tunnels to fail is a lack of interesting traffic on the tunnels. Policy-based VPN connections have a vendor-specific idle time. If no traffic passes through the VPN tunnel for that duration, the IPsec session can be torn down.

For VPN tunnels failing due to DPD, verify that the customer gateway device responds to DPD messages (that is, UDP 500 and UDP 4500 packets) from the AWS VPN endpoints. Make sure that the customer gateway device is not too busy to respond to the DPD R-U-THERE messages from the AWS peers, and that it is not rate limiting these packets because of IPS features enabled in the firewall.

For tunnels going down due to idle timeout, make sure there is constant bidirectional traffic between your local network and the VPC.

Consider setting up a host that sends one ICMP request every 5 seconds to an instance in the VPC that responds to ICMP. This keeps the tunnel up, because the instance continues to answer the ICMP requests, and it ensures that packets are being encrypted and decrypted across the tunnel in both directions.
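The following is an added example, not code from AWS or this article: a small simulation of the AWS-side DPD timer described above (10 seconds of silence triggers an R-U-THERE, three unanswered probes close the tunnel). It shows why a 5-second ICMP keep-alive never lets a probe fire, and how long a busy or rate-limited customer gateway has before the tunnel is torn down. The interval between successive retries is not stated on the page and is assumed here to be the same 10 seconds.

```python
"""Constructed model of AWS VPN Dead Peer Detection timing (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

IDLE_BEFORE_DPD = 10   # seconds without peer traffic before AWS sends R-U-THERE
MAX_UNANSWERED = 3     # successive unanswered probes before the peer is declared dead
RETRY_INTERVAL = 10    # ASSUMED gap between retries; the article does not state it


@dataclass
class DpdState:
    last_rx: int = 0                              # time of the last packet from the peer
    probes_sent: List[int] = field(default_factory=list)
    unanswered: int = 0
    dead_at: Optional[int] = None                 # set when AWS closes the tunnel


def keepalive_times(interval: int, horizon: int) -> List[int]:
    """Times at which a keep-alive host pings the VPC (one ICMP request per interval)."""
    return list(range(0, horizon + 1, interval))


def simulate(peer_rx_times: List[int], peer_answers_dpd: bool, horizon: int) -> DpdState:
    """Tick a simulated AWS endpoint clock from 0 to horizon, one second per step.

    peer_rx_times: seconds at which any traffic (ESP, keep-alive ICMP) arrives from the peer.
    peer_answers_dpd: True if the customer gateway answers every R-U-THERE at once,
                      False if it is too busy or an IPS is dropping UDP 500/4500.
    """
    rx = set(peer_rx_times)
    st = DpdState()
    last_probe: Optional[int] = None
    for t in range(horizon + 1):
        if t in rx:                               # any inbound traffic proves the peer is alive
            st.last_rx, st.unanswered, last_probe = t, 0, None
            continue
        due = (last_probe is None and t - st.last_rx >= IDLE_BEFORE_DPD) or \
              (last_probe is not None and t - last_probe >= RETRY_INTERVAL)
        if not due:
            continue
        st.probes_sent.append(t)                  # AWS sends R-U-THERE
        last_probe = t
        if peer_answers_dpd:                      # R-U-THERE-ACK counts as traffic from the peer
            st.last_rx, st.unanswered, last_probe = t, 0, None
        else:
            st.unanswered += 1
            if st.unanswered >= MAX_UNANSWERED:   # third unanswered probe: tunnel closed
                st.dead_at = t
                return st
    return st
```

With no data traffic and an unresponsive gateway the tunnel is closed 30 seconds after the last packet, while a 5-second keep-alive schedule produces no probes at all.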

For more information about configuring vendor-specific network devices, see the AWS VPC Network Administrator Guide.


Published: 2016-12-12

Updated: 2017-12-20