Why can't I connect to my on-premises network using an AWS Site-to-Site VPN?

4 minute read

I have an AWS Site-to-Site VPN connection between my on-premises network and AWS, but I can't connect to my on-premises resources.


Check the Site-to-Site VPN connection status

Verify that the Site-to-Site VPN connection is in the available state, and that the tunnels are up.

1.    Log in to the AWS Management Console.

2.    Under Virtual Private Network (VPN), choose Site-to-Site VPN Connections.

3.    If your connection is DOWN, then follow the troubleshooting steps for phase 1 failures and phase 2 failures to resolve the downtime error.

Note: Be aware that Border Gateway Protocol (BGP) based Site-to-Site VPN is UP only if BGP is also UP. If BGP is down, then your Site-to-Site VPN status is DOWN.

Check if your policy-based Site-to-Site VPN has more than one pair of security associations

Confirm if your customer gateway uses a policy-based Site-to-Site VPN connection to connect to a Site-to-Site VPN endpoint. AWS allows only a single pair of security associations. A single pair includes one inbound and one outbound security association. If a policy-based Site-to-Site VPN exceeds this limit, then existing connections are dropped when a new connection with different security associations initiates. Effectively, a new Site-to-Site VPN connection interrupts an existing one.

When you use a policy-based Site-to-Site VPN, it's a best practice to set the source address from your internal network as For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

Check the coverage of your encryption domain or traffic selector

Make sure that the encryption domain or traffic selector that you're using covers both the source and destination networks. Traffic is dropped if both the source and destination networks aren't covered.

Point the route table of your Amazon Elastic Compute Cloud (Amazon EC2) instance to virtual private gateway or transit gateway

The route table that's associated with your EC2 instance must have a route pointing to a virtual private gateway or transit gateway. If you're using a virtual private gateway, then you can turn on propagation.

You might be using a static Site-to-Site VPN that's attached to a transit gateway. Make sure that you've added a static route to the transit gateway Site-to-Site VPN attachment in your transit gateway table. For dynamic Site-to-Site VPN, make sure that you've turned on propagation. When an attachment is propagated to a transit gateway route table, then these routes are installed in the route table.

Check the security group and network ACL settings

Make sure that your instance's security group and network ACLs allow incoming traffic on the ports that you're trying to access. To check this, log in to the Amazon Virtual Private Cloud (Amazon VPC) console. Choose Security Groups or Network ACLs in the navigation pane, and then review your settings.

Check if you are using an Active/Active configuration

You might be using an Active/Active configuration. This means that both tunnels are up, and your Site-to-Site VPN terminates on a virtual private gateway or transit gateway with ECMP turned off. In this use case, AWS assigns one active tunnel as the preferred Site-to-Site VPN tunnel for sending traffic from AWS to the on-premises network. When you use Active/Active configurations, the customer gateway must have asymmetric routing activated on the virtual tunnel interfaces. For more information, see How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?

Additional troubleshooting

Complete these troubleshooting checks, depending on the type of Site-to-Site VPN you're using:

  • For BGP based Site-to-Site VPN, make sure that you're announcing the correct on-premises prefixes.

  • For static Site-to-Site VPN, make sure that you configured the correct static route for your Site-to-Site VPN. Log in to the Site-to-Site VPN console, and then under static routes check the target network of your Site-to-Site VPN.

  • For static Site-to-Site VPN, check your customer gateway device to make sure that you configured a static route pointing to the destination Amazon VPC CIDR.

  • For accelerated Site-to-Site VPN, check that NAT-T is turned on, and that traffic is using UDP 4500. This is required for traffic to flow. If NAT-T isn't turned on, then the tunnel comes up but no traffic passes.

    Note: Be aware of the rules for using an accelerated Site-to-Site VPN connection.

Related information

How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

AWS OFFICIALUpdated a year ago