Site-To-Site VPN Tunnel Inside IPv4 CIDR IP Address Won't Ping

0

My Site-to-Site VPN tunnel has an inside IP address of 69.254.44.121, which my FortiGate customer gateway, with an inside IP address of 69.254.44.122, can't ping. FortiGate uses link-monitor to ping the AWS inside IP to verify connectivity when using dual tunnels. Is there a configuration for that inside IP that I'm missing, such as a Security Group or NACL, that will allow ICMP on the inside address?

Thanks Drew

Drew
asked a year ago, 1053 views
1 Answer
1
Accepted Answer

The AWS VPN Tunnel Inside IPv4 CIDR IP should be pingable; it's essentially a P2P virtual tunnel interface.

I see a similar issue reported in this re:Post post, but for Palo Alto. You may want to check whether Fortinet has a similar setting.

AWS
EXPERT
answered a year ago
  • Thanks for the quick response and verifying that the IP should be pingable by default. I'll kick this back to the FortiGate administrator and have them check their side.

  • One other question, out of curiosity: the default inside tunnel IPv4 CIDR is from the 169.254.0.0/16 range; if you don't specify one, AWS generates it randomly. You can then validate which /30 was generated by downloading the configuration file from the console. Reference: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html. Is there a reason you have chosen a different range for this? (69.254.44.121, 69.254.44.122)
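The comment above states the rule for the tunnel inside CIDR (a /30 taken from 169.254.0.0/16, generated by AWS if not specified) and points out that the addresses in the question fall outside that range. The following validator is an added example, not code from AWS or from this thread: it checks a proposed inside CIDR against those requirements, derives the two endpoint addresses, and sanity-checks a configured pair the way an operator would before blaming security groups for a failed link-monitor ping. Two things in it are assumptions rather than facts taken from the page: the list of reserved /30 blocks is reproduced from memory of the linked AWS documentation and should be confirmed there, and the "AWS takes the first usable host, customer gateway takes the second" convention is inferred from the .121/.122 pairing in the question and should be verified against the downloaded configuration file.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# /30 blocks that AWS does not allow as a tunnel inside CIDR.
# Assumption: reproduced from memory of the AWS Site-to-Site VPN tunnel
# options documentation (VPNTunnels.html); confirm against the current page.
RESERVED_BLOCKS = [ipaddress.ip_network(b) for b in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
)]


def check_inside_cidr(cidr: str) -> list:
    """Return a list of problems with a proposed tunnel inside IPv4 CIDR.

    An empty list means the CIDR is a /30 inside 169.254.0.0/16 and is not
    one of the reserved blocks. Host bits set in the input (for example
    '169.254.44.121/30') are tolerated and normalised to the containing
    network, because operators often paste an endpoint address rather than
    the network address.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return [f"not a valid IPv4 CIDR: {exc}"]
    if net.version != 4:
        return ["not an IPv4 CIDR"]
    problems = []
    if net.prefixlen != 30:
        problems.append(f"prefix length is /{net.prefixlen}, must be /30")
    if not net.subnet_of(LINK_LOCAL):
        problems.append(f"{net} is not within {LINK_LOCAL}")
    if net in RESERVED_BLOCKS:
        problems.append(f"{net} is a reserved block that AWS does not allow")
    return problems


def tunnel_addresses(cidr: str) -> tuple:
    """Split a valid inside /30 into (AWS-side IP, customer-gateway IP).

    Assumption: AWS uses the first usable host and the customer gateway the
    second, which matches the .121 (AWS) / .122 (FortiGate) pairing in the
    question. Treat the downloaded configuration file as authoritative.
    """
    problems = check_inside_cidr(cidr)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # a /30 has exactly two usable hosts
    return str(hosts[0]), str(hosts[1])


def check_peer_pair(aws_ip: str, cgw_ip: str) -> list:
    """Sanity-check the inside addresses actually configured on each side.

    Both must be link-local and must sit in the same /30; if either fails,
    a link-monitor ping across the tunnel cannot succeed regardless of any
    security group or NACL settings.
    """
    try:
        a = ipaddress.ip_address(aws_ip)
        c = ipaddress.ip_address(cgw_ip)
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    if a.version != 4 or c.version != 4:
        return ["both addresses must be IPv4"]
    problems = []
    for label, ip in (("AWS side", a), ("customer gateway", c)):
        if ip not in LINK_LOCAL:
            problems.append(f"{label} address {ip} is not within {LINK_LOCAL}")
    a_net = ipaddress.ip_network(f"{a}/30", strict=False)
    c_net = ipaddress.ip_network(f"{c}/30", strict=False)
    if a_net != c_net:
        problems.append(f"{a} and {c} are not in the same /30 ({a_net} vs {c_net})")
    elif a == c:
        problems.append("both sides use the same address")
    return problems


if __name__ == "__main__":
    # The pair from the question: structurally a valid /30 pair, but outside
    # the link-local range AWS uses for tunnel inside addresses.
    for p in check_peer_pair("69.254.44.121", "69.254.44.122"):
        print("problem:", p)
    # A correctly formed inside CIDR and the endpoints it yields.
    print(check_inside_cidr("169.254.44.120/30"))   # []
    print(tunnel_addresses("169.254.44.120/30"))    # ('169.254.44.121', '169.254.44.122')
```

Run it as-is to see the two problems reported for the question's addresses; pass your own inside CIDR to `check_inside_cidr` before requesting or modifying a tunnel, and the addresses from both devices to `check_peer_pair` when a link-monitor ping fails.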
