VPN: Site-to-Site VPN tunnel only works from on-premises to EC2; EC2 to on-premises doesn't work


Hi everyone. We have set up a Site-to-Site VPN from on-premises to AWS with 2 active tunnels. Currently, we are facing an issue:

  1. In Fortinet on premises, when setting the route through the primary tunnel:
  • Server on premises pings EC2: OK
  • EC2 pings server on premises: Fail. Traceroute stops at a 169.254 IP (I think it's an IP of the VPN Gateway)
  2. In Fortinet on premises, when setting the route through the second tunnel:
  • Server on premises pings EC2: OK
  • EC2 pings server on premises: OK

What happened with my first tunnel? Sometimes we receive a notification from AWS about VPC redundancy loss (3 days ago too, but the description mentions that both tunnels are now operating normally). How can I troubleshoot and configure auto failover in Fortinet when a tunnel fails? Thank you so much for your advice.
3 Answers

If you have both tunnels UP, then it's best to have BGP configured (not static) AND to configure BGP attributes so that one tunnel is the primary and the second is the secondary; you can use AS path prepend and local preference to control which tunnel is the primary and which one is the secondary.

The above is to avoid asymmetric routing, and your issue seems to be asymmetric routing; I can't be sure without more info.

You can verify that you have asymmetric routing by disabling one tunnel on the Fortinet and seeing if the traffic works; a single tunnel will not cause asymmetric routing.

You can also look at CloudWatch TunnelDataIn and TunnelDataOut for both tunnels: you should see the traffic spike in TunnelDataIn and TunnelDataOut on the same tunnel. If you see TunnelDataIn high on one tunnel and TunnelDataOut high on the other tunnel, then this is most likely asymmetric routing.

https://repost.aws/knowledge-center/vpn-avoid-asymmetry-static-routing

https://repost.aws/knowledge-center/vpn-configure-tunnel-preference

AWS
Matt_E
answered 10 months ago
  • Thank you for your advice. I checked the metrics in CloudWatch: DataIn and DataOut are equal on both tunnels, so I don't think it's asymmetric routing. Can you explain to me why I cannot ping from EC2 to on-premises when routing through the primary tunnel in Fortinet? Traffic is blocked at the AWS-side VPN Gateway based on the traceroute result. As I understand it, the request traffic cannot go through the AWS side? And can we change the VPN from static to dynamic after creating it?

  • You can enable VPC flow logs to make sure the traffic is leaving the EC2 instance, and check the logs on the Fortinet to see if the traffic is reaching the Fortinet and how it is being handled.

    Disable the secondary tunnel and see if the traffic flows.

  • After checking tracert again, I found an issue: before going to IP 169.254.x.x (the VPN Tunnel 1 IP), it routes to an IP 169.254.y.y. I don't know where this IP is. Traffic through Tunnel 1 is blocked at IP 169.254.y.y. How can we troubleshoot this?

  • Those are the internal IP addresses of the tunnel; see the document below and look for "Inside tunnel IPv4 CIDR".

    https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html

    Have you tried disabling one of the tunnels?

    Make sure the routing is configured correctly on the Fortinet side to use both tunnels.

  • Thank you for your support. Today I received another notification from AWS about replacing one tunnel, the one I could not use before. After that, both tunnels are working correctly. And I want to mention one thing: if we traceroute from EC2, before going to the inside tunnel IP, it goes through another IP, and I was blocked at that IP. I think it is the IP of another AWS gateway before the inside tunnel IP.
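An added example (not code from the answer above or from AWS) of the CloudWatch check Matt describes: given the Sum of TunnelDataIn and TunnelDataOut for each tunnel over the same window, decide whether AWS is receiving on one tunnel and sending on the other. The sample values are constructed; the names `TunnelSample`, `classify_tunnels` and `fetch_samples` are mine, and `fetch_samples` is an assumed boto3 fetch (AWS/VPN namespace, VpnId and TunnelIpAddress dimensions, outside IPs from describe_vpn_connections VgwTelemetry) that needs credentials and is not run here.

```python
"""Added example: flag asymmetric routing across the two tunnels of one
AWS Site-to-Site VPN from CloudWatch TunnelDataIn / TunnelDataOut sums.
The samples are constructed; fetch_samples() is the assumed boto3 path to
real data and needs credentials, so it is not exercised here."""
from dataclasses import dataclass


@dataclass
class TunnelSample:
    tunnel_ip: str   # outside IP of the tunnel (CloudWatch dimension TunnelIpAddress)
    data_in: float   # bytes AWS received on this tunnel in the window (TunnelDataIn, Sum)
    data_out: float  # bytes AWS sent on this tunnel in the window (TunnelDataOut, Sum)


def classify_tunnels(samples, min_bytes=1_000, skew=0.8):
    """Return (verdict, {tunnel_ip: (share_of_inbound, share_of_outbound)}).

    "idle"       too little traffic in the window to judge
    "symmetric"  inbound and outbound bytes land on the same tunnel(s)
    "asymmetric" one tunnel carries most inbound, the other most outbound
    """
    total_in = sum(s.data_in for s in samples)
    total_out = sum(s.data_out for s in samples)
    if total_in < min_bytes or total_out < min_bytes:
        return "idle", {}
    shares = {s.tunnel_ip: (s.data_in / total_in, s.data_out / total_out) for s in samples}
    for in_share, out_share in shares.values():
        # Most of what AWS receives arrives on this tunnel while most of what
        # it sends leaves on the other one: the mismatch described in the answer.
        if in_share >= skew and out_share <= 1 - skew:
            return "asymmetric", shares
        if out_share >= skew and in_share <= 1 - skew:
            return "asymmetric", shares
    return "symmetric", shares


# Constructed one-hour sums (bytes); the outside IPs are documentation addresses.
CONSTRUCTED_ASYMMETRIC = [
    TunnelSample("198.51.100.1", data_in=1_200_000, data_out=900),     # receives, rarely sends
    TunnelSample("198.51.100.2", data_in=1_100, data_out=1_150_000),   # sends, rarely receives
]
CONSTRUCTED_SYMMETRIC = [
    TunnelSample("198.51.100.1", data_in=1_200_000, data_out=1_150_000),  # carries both directions
    TunnelSample("198.51.100.2", data_in=800, data_out=700),              # standby
]
CONSTRUCTED_IDLE = [
    TunnelSample("198.51.100.1", data_in=0, data_out=0),
    TunnelSample("198.51.100.2", data_in=0, data_out=0),
]


def fetch_samples(vpn_id, minutes=60, region="us-east-1"):
    """Assumed boto3 fetch: one Sum per metric per tunnel for the last window.
    Tunnel outside IPs come from describe_vpn_connections VgwTelemetry."""
    import datetime as dt
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    cw = boto3.client("cloudwatch", region_name=region)
    conn = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_id])["VpnConnections"][0]
    end = dt.datetime.now(dt.timezone.utc)
    start = end - dt.timedelta(minutes=minutes)

    def total(metric, ip):
        resp = cw.get_metric_statistics(
            Namespace="AWS/VPN", MetricName=metric,
            Dimensions=[{"Name": "VpnId", "Value": vpn_id},
                        {"Name": "TunnelIpAddress", "Value": ip}],
            StartTime=start, EndTime=end, Period=minutes * 60, Statistics=["Sum"])
        return sum(p["Sum"] for p in resp["Datapoints"])

    return [TunnelSample(t["OutsideIpAddress"],
                         total("TunnelDataIn", t["OutsideIpAddress"]),
                         total("TunnelDataOut", t["OutsideIpAddress"]))
            for t in conn["VgwTelemetry"]]


if __name__ == "__main__":
    for name, samples in (("asymmetric", CONSTRUCTED_ASYMMETRIC),
                          ("symmetric", CONSTRUCTED_SYMMETRIC),
                          ("idle", CONSTRUCTED_IDLE)):
        verdict, shares = classify_tunnels(samples)
        print(f"{name:>10}: {verdict} {shares}")
```

A "symmetric" verdict, which is what the asker reports for both tunnels, rules out the split-path case but says nothing about whether the EC2-originated packets make it past the VGW on a given tunnel; for that, the single-tunnel test and the flow log check from the comments are the next steps.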


The fact that on-prem can ping EC2 through both the primary and secondary tunnels means there are no issues with your IPsec tunnels or SA associations. Like Matt said, this is most likely a routing issue. In dual-active scenarios you should be using BGP to avoid the asymmetric routing experience as well as to increase availability. Can you disable one tunnel and check the ping from EC2 to on-prem? If it works after disabling, that should show you it is a routing issue.

AWS
PK
answered 10 months ago
  • Thank you for your advice. I checked the metrics in CloudWatch: DataIn and DataOut are equal on both tunnels, so I don't think it's asymmetric routing. Can you explain to me why I cannot ping from EC2 to on-premises when routing through the primary tunnel in Fortinet (while with the secondary tunnel it works well)? And can we change the VPN from static to dynamic after creating it?


A common cause of this is having NAT enabled on the device that terminates the on-premises side of the VPN tunnel. It will allow traffic in one direction but stop it in the other unless a static NAT configuration is performed. In this case (should this be true) I suspect the best way forward is to disable NAT on the VPN connections.

You can confirm this by running tcpdump on an EC2 instance: when you ping from on premises you won't see the original source IP address; you'll see the source as an IP address on the VPN termination device (in this case, the firewall).

AWS
EXPERT
answered 10 months ago
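An added example (not from this answer, the earlier comment, or AWS) that runs the two confirmations suggested in the thread over constructed log lines: the VPC flow log check from Matt's comment (is the EC2 instance's ICMP toward on-prem actually leaving the ENI, and is it ACCEPTed or REJECTed), and the tcpdump check from this answer (does the echo request from on-prem arrive with the server's address, or with the firewall's, which is the NAT symptom). The address ranges, the ENI id, the flow log records and the tcpdump lines are all made up for the example, and the function names are mine.

```python
"""Added example: two offline checks for the EC2 <-> on-prem ping problem.
1) VPC flow log records (default v2 format) from the EC2 instance's ENI:
   count ACCEPT/REJECT for ICMP that starts in the VPC and targets on-prem.
2) tcpdump -n icmp output captured on the EC2 instance: list sources of
   inbound echo requests that are not on-prem hosts (NAT on the firewall).
Every address and log line below is constructed."""
import ipaddress
import re

ONPREM_NET = ipaddress.ip_network("10.1.0.0/16")  # assumed on-prem range
VPC_NET = ipaddress.ip_network("10.0.0.0/16")     # assumed VPC range

# Default flow log record: version account-id interface-id srcaddr dstaddr
# srcport dstport protocol packets bytes start end action log-status
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

CONSTRUCTED_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.0.10 10.1.1.5 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.0.10 10.1.1.5 0 0 1 4 336 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.1.1.5 10.0.0.10 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.0.10 10.0.0.53 44321 53 17 1 70 1700000000 1700000060 ACCEPT OK
"""


def parse_flow_log(text):
    """Yield one dict per well-formed version-2 default-format record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS) or parts[0] != "2":
            continue  # header line or a custom format: skip
        yield dict(zip(FLOW_FIELDS, parts))


def egress_icmp_to_onprem(text):
    """Count ACCEPT/REJECT for ICMP (protocol 1) records whose source is in
    the VPC and destination in the on-prem range, i.e. the EC2 -> on-prem
    pings. REJECT means a security group or NACL stopped them at the ENI;
    ACCEPT means they left the instance and the problem is further along
    (route table, VGW, tunnel choice, or the firewall)."""
    counts = {"ACCEPT": 0, "REJECT": 0}
    for rec in parse_flow_log(text):
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if rec["protocol"] == "1" and src in VPC_NET and dst in ONPREM_NET:
            counts[rec["action"]] = counts.get(rec["action"], 0) + 1
    return counts


# tcpdump -n -i eth0 icmp, captured on the EC2 instance (constructed lines).
CONSTRUCTED_TCPDUMP_NAT = """\
10:15:01.000001 IP 203.0.113.10 > 10.0.0.10: ICMP echo request, id 42, seq 1, length 64
10:15:01.000321 IP 10.0.0.10 > 203.0.113.10: ICMP echo reply, id 42, seq 1, length 64
"""
CONSTRUCTED_TCPDUMP_CLEAN = """\
10:15:01.000001 IP 10.1.1.5 > 10.0.0.10: ICMP echo request, id 42, seq 1, length 64
10:15:01.000321 IP 10.0.0.10 > 10.1.1.5: ICMP echo reply, id 42, seq 1, length 64
"""
ECHO_REQ = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo request")


def nat_suspects(text):
    """Sources of inbound echo requests that are not on-prem hosts. A hit
    (typically the firewall's own address) means the on-prem device is
    translating into the tunnel, which is why on-prem -> EC2 works while
    EC2-initiated traffic has no matching translation and fails."""
    suspects = set()
    for m in ECHO_REQ.finditer(text):
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if dst in VPC_NET and src not in ONPREM_NET:
            suspects.add(str(src))
    return sorted(suspects)


if __name__ == "__main__":
    print("EC2 -> on-prem ICMP at the ENI:", egress_icmp_to_onprem(CONSTRUCTED_FLOW_LOG))
    print("NAT suspects (NAT case):", nat_suspects(CONSTRUCTED_TCPDUMP_NAT))
    print("NAT suspects (clean case):", nat_suspects(CONSTRUCTED_TCPDUMP_CLEAN))
```

Neither check tells you which tunnel the VGW chose for a given packet; the flow log stops at the ENI and tcpdump only sees what arrives at the instance, so they complement rather than replace the single-tunnel test suggested in the earlier answers.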
