I'm having trouble establishing and maintaining a VPN connection to my AWS infrastructure within an Amazon VPC.

The Amazon Virtual Private Cloud (VPC) network model supports industry standard, encrypted IPsec virtual private network (VPN) connections to an AWS infrastructure. VPN tunnel connectivity to an Amazon VPC is subject to numerous factors, including:

  • VPN tunnel Internet Key Exchange (IKE) configuration
  • VPN tunnel Internet Protocol security (IPsec) configuration
  • Network access control list (NACL) configuration
  • Amazon VPC security group rules configuration
  • Amazon EC2 instance network routing table configuration
  • Amazon EC2 instance firewall configuration
  • VPN gateway configuration
  • VPN tunnel redundancy configuration

Follow these steps to troubleshoot VPN tunnel connectivity to an Amazon VPC:

The steps to resolve a failure in establishing the VPN tunnel depend on the phase in which the failure occurred:

If both VPN tunnels are established, follow these steps:

  1. Use the Amazon EC2 console or command line to ensure that there are no network access control lists (NACLs) in your Amazon VPC that affect the ability of the attached VPN to establish network connectivity. For more information, see Working with Network ACLs.
  2. Follow the steps in Update Your Security Group to Enable Inbound SSH, RDP, and ICMP Access.
  3. Use the Amazon EC2 console or command line to verify that the route tables specified in your Amazon EC2 instances are correct. For more information, see Working with Route Tables and API and Command Overview.
  4. Verify that there are no firewalls blocking traffic to the Amazon EC2 instances inside the VPC:

For a Windows Amazon EC2 instance, open a command prompt and run WF.msc to inspect the Windows Firewall with Advanced Security rules.

For a Linux Amazon EC2 instance, open a terminal session and run the iptables command with the appropriate arguments, such as those that list the active rules. For detailed information about the iptables command, run man iptables.
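The following added example (not code from the AWS article) works through step 1 offline: it applies AWS network ACL semantics, rules checked in ascending rule-number order with the first match winning and an implicit "*" deny for anything unmatched, to JSON in the shape that aws ec2 describe-network-acls returns. Because NACLs are stateless, it checks the reply traffic leaving the subnet as well as the inbound request, which is the case most often missed. The NACL and VPC IDs, the rules, the LAN test host address, and the 49152 reply port are constructed or assumed for this example.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-network-acls` output (IDs and
# rules are made up): acl-EXAMPLE1 denies SSH from the LAN, acl-EXAMPLE2 has no
# egress allow rule at all, so replies fall through to the implicit '*' deny.
SAMPLE_NACL_JSON = """{"NetworkAcls": [
 {"NetworkAclId": "acl-EXAMPLE1", "VpcId": "vpc-EXAMPLE", "Entries": [
  {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny", "Egress": false,
   "CidrBlock": "10.10.0.0/16", "PortRange": {"From": 22, "To": 22}},
  {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"},
  {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"}]},
 {"NetworkAclId": "acl-EXAMPLE2", "VpcId": "vpc-EXAMPLE", "Entries": [
  {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"}]}
]}"""


def _entry_matches(entry, remote_ip, protocol, port):
    """True if a NACL entry covers this remote address, IP protocol number and port."""
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    if entry["Protocol"] not in ("-1", protocol):  # "-1" means every protocol
        return False
    rng = entry.get("PortRange")  # absent on all-protocol entries
    return rng is None or rng["From"] <= port <= rng["To"]


def evaluate_nacl(nacl, *, egress, remote_ip, protocol, port):
    """AWS NACL semantics: ascending rule number, first match wins, then '*' denies."""
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for entry in entries:
        if _entry_matches(entry, remote_ip, protocol, port):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", "*"


def find_blocking_rules(nacl_json, lan_ip, protocol="6", port=22, reply_port=49152):
    """List (acl id, direction, rule) for every NACL that denies the inbound request
    from the LAN host or, because NACLs are stateless, the outbound reply to it."""
    findings = []
    for nacl in json.loads(nacl_json)["NetworkAcls"]:
        for direction, egress, p in (("ingress", False, port), ("egress", True, reply_port)):
            action, rule = evaluate_nacl(nacl, egress=egress, remote_ip=lan_ip,
                                         protocol=protocol, port=p)
            if action == "deny":
                findings.append((nacl["NetworkAclId"], direction, rule))
    return findings
```

Run it against the real output of aws ec2 describe-network-acls --filters Name=vpc-id,Values=<your vpc id> and the LAN address of your test host to see which ACL and rule number, if any, drops the request or its reply.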

If your customer gateway device implements a policy-based VPN, note that AWS accepts only two security associations, one egress and one ingress. Therefore, when using a policy-based VPN, configure the source address from your internal network as "0.0.0.0/0" and the destination address as the VPC subnet (for example, 172.31.0.0/16). This ensures that all traffic to the VPC traverses the VPN without creating additional security associations. In the case of Cisco ASA devices, SLA monitoring should be enabled. For more information about enabling SLA monitoring for Cisco ASA devices, see Troubleshooting Cisco ASA Customer Gateway Connectivity.

Run the traceroute utility from a terminal session (Linux) or the tracert utility from a command prompt (Windows). These utilities should be run from your internal network to an EC2 instance in the VPC that the VPN is connected to.

  • If the traceroute or tracert output stops at an IP address associated with the internal network, verify that the routing path to the VPN edge device is correct.
  • If you can verify that traffic from your internal network is reaching your customer gateway device but fails to reach the EC2 instance, verify the VPN configuration, policies, and NAT settings on your VPN customer gateway (CGW). Also verify that any upstream devices allow the traffic to flow.

If the Border Gateway Protocol (BGP) session is down, ensure that your customer gateway device is configured with the BGP Autonomous System Number (ASN) that you specified when you created the customer gateway in the Amazon VPC console or by using the API. The AWS ASN associated with your customer gateway is included in the downloadable VPN configuration properties.

You can use an existing ASN that is already assigned to your network. If an ASN is not assigned, you can use a private ASN (in the 64512–65534 range). The ASN configured must match the one that you provided when creating the VPN on the AWS side. Also make sure that any local firewall configuration on the customer gateway allows BGP traffic to pass through to AWS. For more information about troubleshooting gateway connectivity, see the Troubleshooting section in the Amazon Virtual Private Cloud Network Administrator Guide.

AWS Trusted Advisor provides the VPN Tunnel Redundancy check, which should be incorporated into your monitoring solutions when possible. For more information about Trusted Advisor, see Meet AWS Trusted Advisor.

If you have a paid support plan, you can open a technical support case. AWS Support needs the following information and resources to help troubleshoot VPC/VPN issues:

  • A contact with administrative access to both your on-premises networking equipment and your VPC resources.
  • The physical device make and model that you are using to establish the connection, including the firmware version running on the device.
  • The Amazon identifiers for the virtual private cloud, virtual private gateway, and VPN (such as vpc-XXXXXXXX, vgw-XXXXXXXX, and vpn-XXXXXXXX, respectively).
  • Access to the running configuration of your VPN device and access to the configuration that was created by the AWS console when the VPN tunnel(s) were created.
  • Knowledge of the VPN's connectivity history.
  • An IP address associated with an Amazon EC2 instance or other resource that resides inside the VPC that the VPN tunnel is associated with for testing purposes.
  • The source IP address on the LAN from which you are attempting to initiate the VPN connection to your AWS VPC. 

Published: 2015-04-28
Updated: 2016-08-24