I can't establish or maintain a virtual private network (VPN) connection to my Amazon Virtual Private Cloud (Amazon VPC).
Problems establishing a VPN connection can happen due to the configuration of:
- Internet Key Exchange (IKE)
- Internet Protocol security (IPsec)
Problems maintaining a VPN connection can happen due to the configuration of:
- Network access control lists (network ACLs)
- VPC security group rules
- Amazon Elastic Compute Cloud (Amazon EC2) instance network routing tables
- Amazon EC2 instance firewalls
- Virtual private gateways
- VPN tunnel redundancy
Problems establishing a VPN connection
- If the problem occurs during phase 1, see steps for troubleshooting IKE-related failures.
- If the problem occurs during phase 2, see steps for troubleshooting IPsec-related failures.
Problems maintaining a VPN connection
If you successfully establish both VPN tunnels but still experience connectivity issues, then:
- Check for network ACLs in your VPC that prevent the attached VPN from establishing a connection.
- Verify that the security group rules assigned to the EC2 instances in your VPC allow appropriate access. Be sure to allow inbound SSH, RDP, and ICMP access. For more information, see Amazon EC2 Security Groups for Linux Instances or Amazon EC2 Security Groups for Windows Instances.
- Verify that the route tables attached to your VPC are properly configured.
- Check for operating system-level (OS-level) firewalls that block traffic to EC2 instances inside your VPC.
  - For EC2 Windows instances, run WF.msc in Command Prompt.
  - For EC2 Linux instances, run iptables in a terminal session with the appropriate arguments. For more detailed information, run man iptables.
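As an added example (not part of the original article), the following Python evaluates inbound security group rules in the shape returned by the EC2 DescribeSecurityGroups API and reports which of the flows listed above (SSH, RDP, ICMP echo) the group does not allow from the on-premises network. The group data and the sg-EXAMPLE identifier are constructed placeholders.

```python
import ipaddress

# Constructed sample in the shape of an EC2 DescribeSecurityGroups entry
# (IpPermissions = inbound rules); sg-EXAMPLE is a placeholder, not real data.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,   # -1 = all types
         "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
        # RDP is open only to an unrelated range, so it will be reported missing.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "192.168.50.0/24"}]},
    ],
}

# Inbound flows the steps above call for: SSH, RDP and ICMP echo request (type 8).
REQUIRED = {"ssh": ("tcp", 22), "rdp": ("tcp", 3389), "icmp": ("icmp", 8)}


def rule_covers(rule, proto, port, source):
    """True if one inbound rule allows proto/port from the whole source network.
    Only IPv4 CIDR sources are considered (no IPv6 or security-group sources)."""
    if rule["IpProtocol"] not in ("-1", proto):        # "-1" means all protocols
        return False
    from_p, to_p = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if from_p != -1:                                   # -1 means all ports/types
        # For ICMP, FromPort is the type and ToPort the code; otherwise a port range.
        if not (from_p == port if proto == "icmp" else from_p <= port <= to_p):
            return False
    return any(ipaddress.ip_network(r["CidrIp"]).supernet_of(source)
               for r in rule.get("IpRanges", []))


def missing_inbound_access(group, onprem_cidr):
    """Names of the required flows the group does not allow from onprem_cidr
    (the LAN behind the customer gateway)."""
    source = ipaddress.ip_network(onprem_cidr)
    return [name for name, (proto, port) in REQUIRED.items()
            if not any(rule_covers(rule, proto, port, source)
                       for rule in group["IpPermissions"])]


if __name__ == "__main__":
    print(missing_inbound_access(SAMPLE_GROUP, "10.10.20.0/24"))   # ['rdp']
```

Feed it the IpPermissions of each group attached to the target instance, with your LAN prefix as onprem_cidr; an empty list means the group is not what blocks the connection.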
Note: AWS accepts only a single pair of security associations for a VPN connection (one inbound and one outbound association). If your customer gateway device uses a policy-based VPN, configure your internal network as the source address (0.0.0.0/0) and the VPC subnet as the destination address. This configuration allows traffic to the VPC to traverse the VPN without creating additional security associations.
A VPN tunnel comes up when traffic is generated from the customer gateway side of the VPN connection. The virtual private gateway side is not the initiator. If your VPN connection experiences a period of idle time (usually 10 seconds, depending on your customer gateway configuration), the tunnel might go down. To prevent this problem, use a network monitoring tool to generate keepalive pings. For example, for Cisco ASA devices, enable SLA monitoring.
If you rule out your VPC configuration and EC2 instance connectivity as possible root causes, then:
- Open a terminal session (Linux) or Command Prompt (Windows).
- Run the traceroute (Linux) or tracert (Windows) utility from your internal network to an EC2 instance in the VPC that your VPN is attached to.
- If the output stops at an IP address associated with your internal network, verify that the routing path to your VPN edge device is correct.
- If the output reaches your customer gateway device but not your EC2 instance, check your VPN customer gateway device settings. Verify that your VPN configuration, policies, and network address translation (NAT) settings are correct. Also verify that any upstream devices allow traffic flow.
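The decision in the steps above, as an added Python example that is not part of the original article: it parses Linux traceroute or Windows tracert output and reports whether the path stopped inside the internal network, reached the customer gateway without reaching the instance, or reached the instance. The trace outputs, the 192.168.0.0/16 LAN, the 192.168.255.1 customer gateway LAN address and the 10.0.1.10 instance address are all constructed.

```python
import ipaddress
import re

# Constructed sample outputs (not captured from a real network), one per format.
LINUX_STOPS_IN_LAN = """\
traceroute to 10.0.1.10 (10.0.1.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.380 ms  0.371 ms
 2  192.168.0.254 (192.168.0.254)  1.102 ms  1.090 ms  1.075 ms
 3  * * *
"""
WINDOWS_REACHES_CGW = """\
Tracing route to 10.0.1.10 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  192.168.255.1
  3     *        *        *     Request timed out.
"""

HOP_RE = re.compile(r"^\s*\d+\s+(.*)$")              # hop lines begin with a number
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def responding_hops(trace_output):
    """IPv4 address of every hop that answered, in order ('* * *' hops skipped).
    Works for Linux traceroute and Windows tracert output; headers are ignored."""
    hops = []
    for line in trace_output.splitlines():
        m = HOP_RE.match(line)
        if m:
            addrs = IPV4_RE.findall(m.group(1))
            if addrs:
                hops.append(addrs[0])
    return hops


def classify_trace(trace_output, internal_cidrs, cgw_ip, target_ip):
    """Return which of the troubleshooting cases above the trace falls into."""
    hops = responding_hops(trace_output)
    if target_ip in hops:
        return "reached_instance"                   # VPN path is fine
    if not hops:
        return "no_response"                        # nothing answered at all
    if cgw_ip in hops:
        return "stopped_at_customer_gateway"        # check VPN policies, NAT, upstream
    last = ipaddress.ip_address(hops[-1])
    if any(last in ipaddress.ip_network(c) for c in internal_cidrs):
        return "stopped_in_internal_network"        # check routing to the VPN edge device
    return "stopped_beyond_internal_network"


if __name__ == "__main__":
    lan = ["192.168.0.0/16"]
    print(classify_trace(LINUX_STOPS_IN_LAN, lan, "192.168.255.1", "10.0.1.10"))
    print(classify_trace(WINDOWS_REACHES_CGW, lan, "192.168.255.1", "10.0.1.10"))
```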
If the Border Gateway Protocol (BGP) used within your VPN tunnel is down, then:
- Verify that you defined the BGP Autonomous System Number (ASN) when you created your customer gateway. The customer gateway ASN is included in your downloadable VPN configuration.
- If needed, update your customer gateway with the correct ASN. The ASN must match the ASN you provided during VPN configuration. The ASN is either an existing ASN assigned to your network or a private ASN in the 64512–65534 range.
- Verify that any local firewall configurations on your customer gateway allow BGP traffic to pass through to AWS. For more information, see the device-specific troubleshooting guides.
If possible, use AWS Trusted Advisor's VPN tunnel redundancy check in your monitoring activities:
- Sign in to the Trusted Advisor console.
- On the navigation pane under Dashboard, choose Fault Tolerance.
- In the content pane, select VPN Tunnel Redundancy from the list of Fault Tolerance Checks.
- Choose the download icon to download the results of this check.
Before performing further troubleshooting steps, be sure to collect the following information:
- A contact with administrative access to your on-premises networking equipment and VPC resources.
- The make and model of the physical device you're using to establish the VPN connection, including the firmware version.
- Identifiers for your VPC (vpc-XXXXXXXX), virtual private gateway (vgw-XXXXXXXX), and VPN (vpn-XXXXXXXX).
- Access to your VPN device's current configuration and the configuration created by the AWS console when the VPN tunnels were created.
- Details about the VPN's connectivity history.
- The IP address of an EC2 instance or other resource inside the VPC for testing purposes.
- The source IP address of the local area network (LAN) that you're trying to initiate your VPN connection from.