How do I use the AWSSupport-TroubleshootVPN runbook to resolve AWS Site-to-Site VPN issues?

4 minute read

I want to use the AWSSupport-TroubleshootVPN runbook to resolve IKEv1 and IKEv2 errors in the AWS Site-to-Site Virtual Private Network (VPN) connection.

Short description

The AWSSupport-TroubleshootVPN runbook includes several automated checks for tracing IKEv1 or IKEv2 errors related to VPN tunnels in your AWS Site-to-Site VPN connection. After locating the error, the automation outputs the matched error and its corresponding resolution.
Note: This automation doesn't fix the errors. It runs for the set time range and scans the Amazon CloudWatch Logs group for errors.

The runbook runs a parameter validation to confirm the following:

The Amazon CloudWatch Logs group included in the input parameter exists.
There's a log stream in the log group that corresponds to the VPN tunnel logging.
The VPN connection ID exists.
The Tunnel IP address exists.

The automation makes CloudWatch Logs Insights API calls on your CloudWatch Logs group that's configured for VPN logging.
Note: You can find the pricing related to CloudWatch Logs Insights in Amazon CloudWatch pricing.

Resolution

Note: This automation works on the CloudWatch log group that's configured for your VPN tunnel logging, when the logging output format is JSON.

Prerequisites

Make sure that you activated logging for your VPN connections.
Before you begin, make sure that your AWS Identity and Access Management (IAM) user or role has these required IAM permissions:
logs:DescribeLogGroups
logs:GetQueryResults
logs:DescribeLogStreams
logs:StartQuery (can be scoped to a specific log group)
ec2:DescribeVpnConnections

Set up the automation workflow

Follow these steps to configure the automation workflow:

Navigate to the AWS Systems Manager console.
In the navigation pane, choose Documents.
In the search bar, enter the following: AWSSupport-TroubleshootVPN.
Choose AWSSupport-TroubleshootVPN.
Choose Execute automation.
For the input parameters, enter the following:
- AutomationAssumeRole (optional) The Amazon Resource Name (ARN) of the IAM role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, then Systems Manager Automation uses the permissions of the user that starts this runbook.
- LogGroupName (required): The Amazon CloudWatch log group name to be validated. This must be the CloudWatch Logs group that is configured for VPN to send logs to.
- VpnConnectionId (required): The AWS Site-to-Site VPN connection ID whose log group is traced for VPN error.
- TunnelAIPAddress (required): The tunnel A IP address associated with your AWS Site-to-Site VPN connection.
- TunnelBIPAddress(optional): The tunnel B IP address associated with your AWS Site-to-Site VPN connection.
- IKEVersion (required): Select what IKE version that you are using. Allowed values: IKEv1, IKEv2.
- StartTimeinEpoch (optional): The beginning of the time range to query for error. The range is inclusive, so the specified start time is included in the query. Specified as epoch time, the number of seconds since January 1, 1970, 00:00:00 UTC.
- EndTimeinEpoch (optional): The end of the time range to query for errors. The range is inclusive, so the specified end time is included in the query. Specified as epoch time, the number of seconds since January 1, 1970, 00:00:00 UTC.
- LookBackPeriod (optional): Time in hours to look back to query for error.
  
  Note: If you choose the time window for error tracing, use either StartTimeinEpoch and EndTimeinEpoch, or LookBackPeriod.
  
  If you choose StartTimeinEpoch, EndTimeinEpoch, and LookBackPeriod, then LookBackPeriod takes precedence.
  
  For LookBackPeriod, give a two-digit number from 01 to 99 in hours to check for errors from the automation's start time. Or, if the error is in the past within a specific time range, include StartTimeinEpoch and EndTimeinEpoch, instead of LookBackPeriod.
Choose Execute. Note that the automation workflow is now running.
When done, review the Outputs section in the Systems Manager console for detailed results. The output lists each error with its resolution and the total number of the unique errors logged.

Related information

Run an automation
Setting up Automation
Systems Manager Automation runbook reference

Topics

End User Computing Networking & Content Delivery

Relevant content

Can I use SSM Automation runbook with awscli or something different?
Yurii
asked 2 years ago
SSM Runbook Fails
Aref
asked a month ago
SSM Runbooks and their BASH integration
rePost-User-2486591
asked a year ago
handling output of runbook in ssm
Aref
asked 2 months ago
Runbook fails at initialization without further information
AWS-User-A862173
asked 2 years ago
How do I use the AWSSupport-TroubleshootRDSIAMAuthentication runbook to diagnose Amazon RDS DB authentication issues?
AWS OFFICIALUpdated 7 months ago
How do I use the AWSSupport-TroubleshootRDP runbook to troubleshoot RDP-related issues on a target managed Windows instance?
AWS OFFICIALUpdated 8 months ago
How do I use the "AWSSupport-AnalyzeEBSResourceUsage" Automation runbook to analyze Amazon EBS resource usage?
AWS OFFICIALUpdated 5 months ago
How do I use the AWSSupport-CalculateEBSPerformanceMetrics runbook to diagnose Amazon EBS performance issues?
AWS OFFICIALUpdated 3 months ago
Troubleshoot AWS Site-to-Site VPN IKEv1 and IKEv2 errors using AWSSupport-TroubleshootVPN runbook.
EXPERT
Narinder Singh Kharbanda
published 3 months ago