Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

2 minute read

My policy-based virtual private network (VPN) doesn't connect to my AWS VPN endpoint in Amazon Virtual Private Cloud (Amazon VPC). I want to troubleshoot problems, such as packet loss, intermittent or no connectivity, or general network instability.

Short description

AWS VPN supports one inbound and one outbound security association at a time. If a policy-based VPN on the customer gateway device that connects to an endpoint has more than one pair of security associations, then new connections with different associations cause previous connections to drop.

Resolution

To troubleshoot connection problems between a VPN endpoint and a policy-based VPN, complete the following actions:

Limit the encryption domains

Review the current encryption domains that access your VPC. For more information, see Modify Site-to-Site VPN connection options.
Verify that each encryption domain on the customer gateway device has only one pair of inbound and outbound security associations. For more information, see Your customer gateway device.

Use the AWS Management Console to modify the VPN connection

Configure your customer gateway to set the Local IPv4 Network's Classless Inter-Domain Routing (CIDR) to:
```
0.0.0.0/0
```
Set the remote IPv4 Network's CIDR to:
```
0.0.0.0/0
```

Match the configuration on the customer gateway device

Set the local subnet to:
```
0.0.0.0/0
```
Set the remote subnet to:
```
0.0.0.0/0
```
If 0.0.0.0/0 isn't supported, then use the specific ranges that correspond with your use case on both sides of the connection. See the following example values:

VPC
```
10.34.0.0/16
```
On-premises
```
172.16.0.0/16
```

Route summarization for multiple subnets

Use a wider subnet that encompasses all the smaller subnets on the customer gateway.

Turn on traffic filters

Configure security groups to block unwanted traffic on the customer gateway.
Define network access control lists (network ACLs) to control traffic to your subnets.
If the customer gateway supports traffic filters, then set filters on the device to allow only required traffic to and from the VPC.

Related information

Why is IKE (phase 1 of my VPN tunnel) failing in Amazon VPC?

Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?

Topics

Networking & Content Delivery

Relevant content

Troubleshooting Intermittent Connection Loss Between AWS VPN Client and EC2 Instance in a VPC
Tatev
asked 4 months ago
Client VPN connection problems to instances with Elastic IPs after upgrading to AWS VPN Client v5.0.0
Accepted Answer
J_N__
asked 4 months ago
How Can I troubleshoot my AWS VPN endpoint that stopped working?
CJ
asked 2 years ago
Troubleshooting Client VPN Setup: Addressing Connectivity Issues and Seeking Guidance
Accepted Answer
Hoseok Han
asked 2 years ago
AWS Client VPN connection problem with RDS in same VPC
Joon
asked a year ago
How do I troubleshoot intermittent connectivity issues with Amazon VPC when I'm using Site-to-Site VPN?
AWS OFFICIALUpdated 6 months ago
How do I troubleshoot Site-to-Site VPN tunnel inactivity, tunnel flapping, or tunnel down on my customer gateway device?
AWS OFFICIALUpdated 6 months ago
Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?
AWS OFFICIALUpdated 9 months ago
How do I troubleshoot BGP connection issues over VPN?
AWS OFFICIALUpdated 8 months ago
Setup: IPSec VPN between Virtual PfSense Router and AWS managed VPN endpoint with static routing
EXPERT
Vinay Gugueoth
published 2 years ago