3rd Site-to-Site VPN added, stopped traffic on the other 2 S2S VPNs


I have a single VPC and a single VGW. I have two active S2S VPNs, each going to a different subnet on the client side. They both connect to "subnet a" in AWS. This works fine. I tried to add a 3rd S2S VPN that tunnels one IP address on a new client and one IP address in the same "subnet a" in AWS. As soon as this 3rd VPN comes up, the other 2 VPNs stop passing traffic.

I suspect that this is a routing issue. Though I would have expected typical routing behavior to prevail: where if the most specific route doesn't apply, it moves on to the next. I must be missing something simple here! Thanks in advance for any guidance.

Edit: All three are static route based VPNs.

  • Are you using a policy-based VPN or a route-based VPN?

  • Thanks for taking the time to review my question Tushar_J. All 3 are static route based.

asked a year ago, 365 views

1 Answer

You shouldn't have overlapping static routes with multiple VPN tunnels terminating on the same VGW.

You will see weird behaviors like this, and the AWS VPN tunnel selection logic for traffic egressing the VPC cannot be controlled in such scenarios. This might be expected with the overlapping static routes you have in place.

Is there a reason why you have overlapping network routes routed via different tunnels in the first place? Maybe it will help if you can clearly specify the routes added via each of the three VPNs: VPN-A: static route? VPN-B: static route? VPN-C: static route?

AWS Support Engineer, answered a year ago
  • SKKASHAN, thank you for taking the time to respond. Here are the routes. Please note that the local and remote network CIDR defined for the tunnel is the same as the static route.

    VPN-A: AWS subnet 172.31.30.0/24 with route to remote subnet 10.38.100.0/24

    VPN-B: AWS subnet 172.31.30.0/24 with route to remote subnet 10.51.100.0/24

    VPN-C (troublemaker): AWS subnet 172.31.30.110/32 with route to remote subnet 10.200.10.41/32

    We have a subnet in AWS reserved for DataAnalytics, and those systems need to communicate with multiple remote sites to collect data. VPNA and VPNB go to our on-prem datacenters, and VPNC goes to a 3rd party remote site that we do not control. They only wanted to tunnel a single IP from their site for the sake of security.

    Any help is appreciated!
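As an added check (example code, not from anyone in this thread and not an AWS tool), the script below takes the three VPNs' prefixes exactly as the asker listed them and does what the answer asks for: it looks for overlapping static (remote) routes across VPNs on one VGW, separately reports an AWS-side prefix nested inside another VPN's, and shows which VPN longest-prefix matching would pick for a given destination. VPN_ROUTES is constructed from the thread; the "local"/"remote" labels follow the asker's wording.

```python
import ipaddress
from itertools import combinations

# Constructed from the prefixes the asker listed: one VGW, three static VPNs.
# "remote" is the static route each VPN adds toward the customer side,
# "local" is the AWS-side prefix configured on the same VPN connection.
VPN_ROUTES = {
    "VPN-A": {"local": "172.31.30.0/24",   "remote": "10.38.100.0/24"},
    "VPN-B": {"local": "172.31.30.0/24",   "remote": "10.51.100.0/24"},
    "VPN-C": {"local": "172.31.30.110/32", "remote": "10.200.10.41/32"},
}


def find_overlaps(vpn_routes, side, ignore_identical=False):
    """Pairs of VPNs whose prefixes on `side` overlap (one contains the other,
    or they are identical unless ignore_identical is set)."""
    hits = []
    for (a, ra), (b, rb) in combinations(sorted(vpn_routes.items()), 2):
        na = ipaddress.ip_network(ra[side], strict=True)
        nb = ipaddress.ip_network(rb[side], strict=True)
        if na.overlaps(nb) and not (ignore_identical and na == nb):
            hits.append((a, b, str(na), str(nb)))
    return hits


def longest_prefix_match(vpn_routes, side, address):
    """Which VPN's prefix on `side` wins for one address under ordinary
    longest-prefix routing; None if no prefix covers it."""
    addr = ipaddress.ip_address(address)
    covering = [(ipaddress.ip_network(r[side]).prefixlen, name)
                for name, r in vpn_routes.items()
                if addr in ipaddress.ip_network(r[side])]
    return max(covering)[1] if covering else None


if __name__ == "__main__":
    print("remote (static route) overlaps:", find_overlaps(VPN_ROUTES, "remote"))
    # Identical AWS-side prefixes on two VPNs are expected here (shared subnet);
    # only a narrower prefix nested inside another VPN's is worth a second look.
    print("nested AWS-side prefixes:",
          find_overlaps(VPN_ROUTES, "local", ignore_identical=True))
    print("10.200.10.41 ->", longest_prefix_match(VPN_ROUTES, "remote", "10.200.10.41"))
```

With the listed prefixes the remote-side check comes back empty, while the /32 on VPN-C is flagged as nested inside the /24 that VPN-A and VPN-B share on the AWS side.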
