How do I troubleshoot VPN tunnel inactivity or instability on my customer gateway device?
Last updated: 2019-06-20
I'm having inactivity or instability issues with virtual private network (VPN) tunnels on my network device. How do I troubleshoot this in Amazon Virtual Private Cloud (Amazon VPC)?
Common reasons for VPN tunnel inactivity or instability on a customer gateway device include:
- Problems with Internet Protocol Security (IPsec) dead peer detection (DPD) monitoring
- Idle timeouts due to low traffic on a VPN tunnel or vendor-specific customer gateway device configuration issues
Check DPD settings
If a VPN peer doesn't respond to three successive DPDs, the peer is considered dead and the tunnel is closed.
If your customer gateway device has DPD enabled, be sure that:
- It's configured to receive and respond to DPD messages.
- It isn't too busy to respond to DPD messages from AWS peers.
- It isn't rate limiting DPD messages due to IPS features enabled in the firewall.
Troubleshoot idle timeouts
If you're experiencing idle timeouts due to low traffic on a VPN tunnel:
- Be sure that there's constant bidirectional traffic between your local network and your VPC. If necessary, create a host that sends ICMP requests to an instance in your VPC every 5 seconds.
- Review your VPN device's idle timeout settings using information from your device's vendor. When there's no traffic through a VPN tunnel for the duration of your vendor-specific VPN idle time, the IPsec session terminates. Be sure to follow vendor-specific configuration guidelines.