Why is my AWS Site-to-Site VPN down?


I want to troubleshoot why my AWS Site-to-Site VPN failed to establish a successful connection with my on-premises gateway.


When the virtual private network (VPN) tunnel fails to establish a connection on a customer gateway device or on AWS, check the following configurations:

  • You correctly configured the remote peer IP address on the customer gateway device. It must correspond to the outside public IP address of the VPN endpoints. For more information, see Modify Site-to-Site VPN tunnel options.
  • You correctly configured the outside public IP address on AWS. It must correspond to the public IP address of the WAN interface of the customer gateway device. If you use a network address translation (NAT) device, then the outside public IP address on AWS must correspond to the device's public IP address. 
  • There's connectivity between the AWS VPN endpoint and the customer gateway device. Ping the AWS VPN endpoint outside public IP addresses from the customer gateway device.
  • The firewall policy allows outbound and inbound traffic on UDP port 500 to and from AWS VPN endpoints. If the customer gateway is behind a NAT device, then this policy also applies to outbound and inbound traffic on UDP 4500.
  • If you use NAT traversal (NAT-T), then check that the intermediate internet service providers (ISPs) aren't blocking UDP port 500 or port 4500.
  • The configured Internet Key Exchange (IKE) versions are the same on both the AWS end and the customer gateway device.
  • Phase 1 and phase 2 parameters on the customer gateway match those configured on AWS. For more information, see Tunnel options for your Site-to-Site VPN connections. Download a sample configuration from the AWS Management Console. Choose VPC, and then choose VPN. Choose Site-to-Site VPN connections, and then choose Download configuration.
  • Review the AWS Site-to-Site VPN logs.
  • If the VPN connection authenticates with a pre-shared key, then the shared secret key is the same on AWS and the customer gateway device.
  • If the VPN connection is a certificate-based VPN, then verify that the customer gateway has valid and correct certificates. The certificates must include the private certificate, root CA certificate, and subordinate CA certificate.
  • The startup action is set to Start on a certificate-based VPN. Make sure that the customer gateway has the public IP address defined on the customer gateway construct on the AWS end.
    Note: In this setup, AWS doesn't initiate IKE negotiations or rekeys. Instead, the customer gateway initiates the IKE negotiations and rekeys. For more information, see Rules and restrictions.
  • For an accelerated VPN with certificate-based authentication, make sure that your customer gateway supports IKE fragmentation. This is because AWS Global Accelerator has limited support for packet fragmentation, leading to IKE negotiation failures.
  • For a dynamic VPN, verify that both IPsec and Border Gateway Protocol (BGP) are in the UP status.
  • Generate interesting traffic to bring up the VPN tunnel.
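As an added example (not part of the AWS article), the following Python compares the tunnel options that `aws ec2 describe-vpn-connections` returns with the proposal configured on the customer gateway and lists which of the checks above fail; the JSON excerpt, the address, and the on-premises proposal values are constructed, not from a real account.

```python
import json

# Constructed excerpt of `aws ec2 describe-vpn-connections` output, trimmed to the
# fields used here; the address and values are hypothetical, not from a real account.
AWS_JSON = """{"Options": {"TunnelOptions": [{
   "OutsideIpAddress": "203.0.113.10", "StartupAction": "add",
   "IkeVersions": [{"Value": "ikev2"}],
   "Phase1EncryptionAlgorithms": [{"Value": "AES256"}],
   "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
   "Phase1DHGroupNumbers": [{"Value": 14}],
   "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
   "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
   "Phase2DHGroupNumbers": [{"Value": 14}]}]},
 "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "DOWN",
                   "StatusMessage": "IPSEC IS DOWN"}]}"""

# Constructed proposal as read off the customer gateway device (hypothetical values).
ONPREM = {"peer": "203.0.113.10", "ike": {"ikev1"},
          "Phase1": {"Encryption": {"AES256"}, "Integrity": {"SHA2-256"}, "DHGroup": {14}},
          "Phase2": {"Encryption": {"AES128"}, "Integrity": {"SHA2-256"}, "DHGroup": {14}}}

def _values(items):
    return {item["Value"] for item in items}

def find_mismatches(aws_json, onprem):
    """Return the checklist items that fail for tunnel 0 (empty list = all clear)."""
    conn = json.loads(aws_json)
    tun = conn["Options"]["TunnelOptions"][0]
    problems = []
    if tun["OutsideIpAddress"] != onprem["peer"]:
        problems.append("remote peer IP on customer gateway != AWS outside IP")
    if not _values(tun["IkeVersions"]) & onprem["ike"]:
        problems.append("IKE version mismatch")
    for phase in ("Phase1", "Phase2"):
        for name, field in (("Encryption", "EncryptionAlgorithms"),
                            ("Integrity", "IntegrityAlgorithms"),
                            ("DHGroup", "DHGroupNumbers")):
            if not _values(tun[phase + field]) & onprem[phase][name]:
                problems.append(f"{phase} {name}: no common proposal")
    for t in conn["VgwTelemetry"]:
        if t["Status"] != "UP":
            problems.append(f"tunnel {t['OutsideIpAddress']}: {t['StatusMessage']}")
    if tun["StartupAction"] == "add":
        problems.append("startup action 'add': AWS won't initiate; send traffic from on-prem")
    return problems

if __name__ == "__main__":
    for line in find_mismatches(AWS_JSON, ONPREM):
        print("CHECK:", line)
```

Feed it the real JSON (with `--vpn-connection-ids`) and your device's actual proposal to turn the checklist above into a repeatable pre-check.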
AWS OFFICIAL. Updated a year ago.