VPN Tunnel Instability Between AWS and On-Premise Cisco FTD Firewall

Question

Hello everyone,

I'm currently facing an issue with the VPN connection established between AWS and our on-premise Cisco FTD Firewall. The VPN tunnel seems to go down suddenly, causing a disruption in connectivity.

Here are the key points of the problem:

* VPN Tunnel Status: While the VPN tunnel is up and running, our private subnet has access to the internet, and I'm able to connect to an EC2 instance via Systems Manager.
* Internet Access Issue: However, when the VPN tunnel goes down, it appears that there is no internet access. I'm unable to connect to the EC2 instance via Systems Manager during these downtimes.
* Startup Action Configuration: I have configured a "Startup action" on the AWS tunnel as "start" to address potential issues during the startup phase.

Our main concern is understanding why the VPN tunnel is not consistently up all the time. Any insights into the potential causes of this sudden disconnection would be highly appreciated.

Additionally, if anyone has encountered similar issues or has recommendations on troubleshooting steps, please feel free to share your experiences.

Thank you in advance for your assistance.

Answer

In order for the tunnel to say up - you need to make sure that you have correctly configured Dead Peer Detection between your firewall and AWS, and make sure that you have the phase one and phase two timers correctly configured (match on both sides).

For more details consider reading https://repost.aws/knowledge-center/vpn-tunnel-instability-inactivity which was written by AWS support, as it covers most of the reasons for tunnel instability.

Answer

Bullet point 2 is interesting. What do you mean by the internet goes down?

Site to site VPN is over the internet. Are you sure you do not have internet connection issues on prem?

VPN Tunnel Instability Between AWS and On-Premise Cisco FTD Firewall

Relevant content