How do I troubleshoot Amazon VPC Traffic Mirroring issues?


I want to troubleshoot issues with Traffic Mirroring for my Amazon Virtual Private Cloud (Amazon VPC).

Short description

The following are common reasons for Traffic Mirroring issues:

  • Traffic mirror source and target connectivity issues
  • Mirrored traffic not found on the target
  • Network Load Balancer target issue
  • Gateway Load Balancer target issue

Note: Make sure that you implemented the prerequisites for Traffic Mirroring. Use only supported resources as sources and targets, and follow the quotas and limitations for Traffic Mirroring.

Resolution

Traffic mirror source and target connectivity issues

Traffic routing

Confirm that you're using a supported connectivity option and that there's connectivity between the traffic mirror source and target.

Use Reachability Analyzer to check the connectivity between the traffic mirror source and target.

Target security group and network ACL rules

Check the security group and network access control list (network ACL) rules on the mirror target. The security group of the mirror target must allow VXLAN traffic from the mirror source on port UDP 4789.

Note: If the mirror source's inbound security group or inbound network ACL drops inbound traffic, then that traffic isn't mirrored.

Mirrored traffic not found on the target

You might not find mirrored traffic on the traffic mirror target because the packets were already mirrored by another session, traffic congestion caused drops, or the packets were lost in microbursts.

Packets aren't mirrored on the target

You can configure multiple traffic mirror sessions on the same mirror source. However, each packet gets mirrored only once. If you have another session with filter rules that match, then already mirrored packets aren't mirrored again.

Dropped packets

Because production traffic has a higher priority than mirrored traffic, mirrored traffic is dropped when there's traffic congestion.

Microbursts can also cause dropped data packets. Use Amazon CloudWatch metrics and Elastic Network Adapter (ENA) metrics to monitor mirrored traffic. For more information on microbursts and CloudWatch metrics, see Why is my Amazon EC2 instance exceeding its network limits when average utilization is low?

Note: Packets might also get truncated because of maximum transmission unit (MTU) value restrictions.
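One way to confirm what actually reached a mirror target, as an added example that is not part of this article or of any AWS tool: decode the VXLAN payloads delivered on UDP 4789 (assumed to be already extracted from a capture on the target), read each packet's VNI and inner addresses, and tally them per session so that a session whose VNI never appears can be told apart from one whose packets arrive truncated by the MTU. The sample frames below are constructed, not captured.

```python
import struct
import ipaddress
from typing import Optional

VXLAN_PORT = 4789  # mirrored packets arrive at the target as VXLAN over UDP 4789

def parse_mirrored_payload(payload: bytes) -> dict:
    """Decode one UDP/4789 payload: VXLAN header, inner Ethernet, inner IPv4.
    Flags truncation when fewer inner IP bytes arrived than the header declares."""
    if len(payload) < 8 + 14 + 20:
        raise ValueError("payload too short for VXLAN + Ethernet + IPv4 headers")
    if not payload[0] & 0x08:  # VXLAN 'I' flag must be set for the VNI to be valid
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(payload[4:7], "big")  # the mirror session's virtual network ID
    ethertype = int.from_bytes(payload[20:22], "big")
    if ethertype != 0x0800:
        raise ValueError(f"inner ethertype 0x{ethertype:04x} is not IPv4")
    ip = payload[22:]
    declared = int.from_bytes(ip[2:4], "big")  # inner IPv4 total length
    return {
        "vni": vni,
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "proto": ip[9],
        "declared_len": declared,
        "received_len": len(ip),
        "truncated": len(ip) < declared,
    }

def count_by_vni(payloads) -> dict:
    """Per-session tally. A VNI that never shows up means that session's packets
    are not reaching the target (routing, SG/NACL, already mirrored, or dropped)."""
    tally = {}
    for p in payloads:
        r = parse_mirrored_payload(p)
        entry = tally.setdefault(r["vni"], {"packets": 0, "truncated": 0})
        entry["packets"] += 1
        entry["truncated"] += int(r["truncated"])
    return tally

def build_vxlan_sample(vni: int, inner_ip_len: int, deliver: Optional[int] = None) -> bytes:
    """Constructed sample (not a real capture): VXLAN + Ethernet + IPv4/TCP.
    'deliver' cuts the encapsulated frame short to imitate MTU truncation."""
    vxlan = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, inner_ip_len, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address("10.0.1.10").packed,
                         ipaddress.IPv4Address("10.0.2.20").packed)
    frame = vxlan + eth + ip_hdr + b"\x00" * (inner_ip_len - 20)
    return frame if deliver is None else frame[:deliver]
```

Feed the function the UDP payloads from a capture filtered on destination port 4789 and compare the VNIs it reports against the virtual network IDs of your mirror sessions.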

Network Load Balancer target issue

If you don't find traffic on a Network Load Balancer when you use the load balancer as a mirror target, then check the configuration.

  • Make sure that access is allowed to UDP port 4789 for the Network Load Balancer.
  • If all targets in a specific zone become unhealthy, then you must turn on cross-zone load balancing so that the traffic can be mirrored. There must also be a healthy target in another zone.

Gateway Load Balancer target issue

If you don't find traffic on a Gateway Load Balancer when you use the load balancer as a mirror target, then check the configuration.

  • Make sure that the Gateway Load Balancer endpoint isn't in the pending-acceptance state.
  • Make sure that the MTU value doesn't exceed 8500 bytes. The maximum supported MTU value for the Gateway Load Balancer is 8500.
  • If all targets in a specific zone become unhealthy, then you must turn on cross-zone load balancing so that the traffic can be mirrored. There must also be a healthy target in another zone.

Related information

How do I view traffic passing through an Amazon Route 53 resolver outbound endpoint?

AWS OFFICIAL. Updated 6 months ago.