Why did I get a notification that the tunnel endpoints for my AWS VPN Site-to-Site connection are being replaced?


I want to know why I received a notification in my Health Dashboard that AWS replaced an endpoint for my AWS Site-to-Site VPN connection.

Resolution

AWS Site-to-Site VPN replaces one or both of your tunnel endpoints for the following reasons:

  • You use the AWS Management Console, AWS Command Line Interface (AWS CLI), or SDK to modify components of your Site-to-Site VPN connection.
  • AWS performs maintenance on your Site-to-Site VPN connection.

Note: AWS Site-to-Site VPN updates one of your tunnels at a time. When Site-to-Site VPN replaces your tunnel endpoint, your endpoint's outside IP address doesn't change.

When AWS Site-to-Site VPN replaces a tunnel endpoint, a notification is sent to Health Dashboard and to the primary email address that's associated with your AWS account.

If a tunnel is in the UP status when Site-to-Site VPN replaces the tunnel, then its status changes to DOWN. The tunnel remains in the DOWN status until AWS or your customer gateway device initiates an Internet Key Exchange (IKE) negotiation. If you configured your tunnel to use IKEv2 and its startup action is Start, then AWS initiates the IKE negotiation. If you configured your tunnel with IKEv1 and its startup action is Add, then the tunnel remains DOWN after AWS Site-to-Site VPN replaces the endpoint. It remains DOWN until the customer gateway device initiates an IKE negotiation.

Configure two VPN tunnels

To avoid traffic interruptions when AWS Site-to-Site VPN replaces your tunnels, be sure to configure two tunnels. For more information, see Redundancy.

Important: It's a best practice to use dynamic routing, also known as Border Gateway Protocol (BGP), instead of static routing. For more information, see Static and dynamic routing.

Check that your customer gateway device supports BGP. If your customer gateway device supports BGP, then configure your connection to use dynamic routing. If your device doesn't support BGP, then configure your connection to use static routing. Be sure to configure your static VPN to avoid asymmetric routing.
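The following script is an added example, not part of this Knowledge Center article and not AWS code. It reads a document in the shape of `aws ec2 describe-vpn-connections --output json` output and reports, per connection, the conditions described above that determine whether an endpoint replacement interrupts traffic: whether both tunnels are UP, whether the connection uses static routing instead of BGP, and whether each tunnel is set to IKEv2 with startup action `start` (so that AWS initiates IKE after a replacement) or to IKEv1 with `add` (so that the customer gateway must). The embedded response is constructed with placeholder IDs and addresses; the field names (`Options.StaticRoutesOnly`, `Options.TunnelOptions[].StartupAction`, `IkeVersions[].Value`, `VgwTelemetry[].Status`) are those of the EC2 API response.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-vpn-connections --output json`.
# The connection ID and outside IP addresses are placeholders, not real values.
SAMPLE_RESPONSE = json.dumps({
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0example1234567890",
            "State": "available",
            "Options": {
                "StaticRoutesOnly": False,
                "TunnelOptions": [
                    {
                        "OutsideIpAddress": "203.0.113.10",
                        "StartupAction": "start",
                        "IkeVersions": [{"Value": "ikev2"}],
                    },
                    {
                        "OutsideIpAddress": "203.0.113.20",
                        "StartupAction": "add",
                        "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
                    },
                ],
            },
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 3},
                {"OutsideIpAddress": "203.0.113.20", "Status": "DOWN", "AcceptedRouteCount": 0},
            ],
        }
    ]
})


def aws_will_initiate_ike(tunnel):
    """True when the tunnel is configured so that AWS brings it back up after
    an endpoint replacement: IKEv2 allowed and startup action 'start'.
    Otherwise the customer gateway device must initiate IKE."""
    ike_versions = {v["Value"] for v in tunnel.get("IkeVersions", [])}
    return tunnel.get("StartupAction") == "start" and "ikev2" in ike_versions


def assess_connection(conn):
    """Return a list of findings (strings) for one VPN connection. An empty
    list means the connection should ride through a tunnel endpoint
    replacement without manual intervention."""
    findings = []
    opts = conn.get("Options", {})
    tunnels = opts.get("TunnelOptions", [])
    telemetry = {t["OutsideIpAddress"]: t for t in conn.get("VgwTelemetry", [])}

    # With static routing the customer device cannot learn that a tunnel is
    # down; the article recommends BGP where the customer gateway supports it.
    if opts.get("StaticRoutesOnly"):
        findings.append("static routing in use; prefer BGP if the customer gateway supports it")

    # Both tunnels must be UP so that replacing one does not drop all traffic.
    up = [ip for ip, t in telemetry.items() if t.get("Status") == "UP"]
    if len(up) < 2:
        findings.append(f"only {len(up)} of 2 tunnels UP; replacing the UP tunnel interrupts traffic")

    for tunnel in tunnels:
        ip = tunnel.get("OutsideIpAddress")
        if not aws_will_initiate_ike(tunnel):
            versions = sorted(v["Value"] for v in tunnel.get("IkeVersions", []))
            findings.append(
                f"tunnel {ip}: startup action {tunnel.get('StartupAction')!r}, IKE {versions}; "
                "after an endpoint replacement the customer gateway must initiate IKE"
            )
    return findings


def assess(response_json):
    """Map VpnConnectionId -> findings for every connection in the response."""
    data = json.loads(response_json)
    return {c["VpnConnectionId"]: assess_connection(c) for c in data.get("VpnConnections", [])}


if __name__ == "__main__":
    # Pass a file saved from `aws ec2 describe-vpn-connections --output json`
    # as the first argument, or run with no argument to evaluate the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for vpn_id, findings in assess(src).items():
        print(vpn_id, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

For the constructed sample the script reports two findings: only one tunnel is UP, and the second tunnel is configured with startup action `add`, so it stays DOWN after a replacement until the customer gateway initiates IKE. The first tunnel (IKEv2, `start`) produces no finding, and no static-routing finding appears because `StaticRoutesOnly` is false.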

Add a contact for Health Dashboard notifications

To receive notifications from a different email address, update the alternate contacts for your AWS account.

2 Comments

Just a short question, the words "tunnel replacement" are a little bit confusing. Currently it is not possible to use an ElasticIP for the tunnels, so AWS is providing an "Outside IP address" for both tunnels during the initial Site-2-Site creation. Can someone confirm that these outside IP addresses do not change while the tunnels are being replaced? That would be fatal, because these IPs are configured on the customer side and if they simply change, the VPN will suddenly stop working.

A second question is about the "Tunnel endpoint lifecycle control" option. In my case this is currently off. Can you explain this option?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR replied a year ago