How do I troubleshoot VPN tunnel inactivity or instability on my customer gateway device?

Last updated: 2019-06-20

I'm having inactivity or instability issues with virtual private network (VPN) tunnels on my network device. How do I troubleshoot this in Amazon Virtual Private Cloud (Amazon VPC)?

Short Description

Common reasons for VPN tunnel inactivity or instability on a customer gateway device include:

Resolution

Check DPD settings

If a VPN peer doesn't respond to three successive DPDs, the peer is considered dead and the tunnel is closed.

If your customer gateway device has DPD enabled, be sure that:

  • It's configured to receive and respond to DPD messages.
  • It isn't too busy to respond to DPD messages from AWS peers.
  • It isn't rate limiting DPD messages due to IPS features enabled in the firewall.

Troubleshoot idle timeouts

If you're experiencing idle timeouts due to low traffic on a VPN tunnel:

  • Be sure that there's constant bidirectional traffic between your local network and your VPC. If necessary, create a host that sends ICMP requests to an instance in your VPC every 5 seconds.
  • Review your VPN device's idle timeout settings using information from your device's vendor. When there's no traffic through a VPN tunnel for the duration of your vendor-specific VPN idle time, the IPsec session terminates. Be sure to follow vendor-specific configuration guidelines.