- Newest
- Most votes
- Most comments
If the VPC cidrs are the same and you’re using this on your routing configuration it will not work.
Can you confirm there is no IP overlap.
How do you know it reaches AWS but not onprem?
Also even though it may say up in the AWS gui the CloudWatch logs can report down for ike phase 2.
Since the setup B was working fine before, there are few things you can validate to identify the issue.
- Can you please validate if any configuration changes were made on either side?
- On AWS side, you can leverage CloudTrail.
-
Initiate traffic from both sides
-
Capture traffic on the PC or edge router on the customer end
-
Also, since traffic is not reaching as expected, you can bounce the tunnel(both phases) to check if that helps.
Thanks for your response!
Used pfsense(on-prem) & Wireshark in an AWS instance for packet capture.
No traffic is reaching pfsense from AWS but packets from on-prem is reaching AWS.
I am thinking of recreating the Setup B from scratch and use CloudTrail & CloudWatch if the issue still exists.
will update if there's any progress.
Relevant content
- Accepted Answerasked 10 months ago
- asked 2 years ago
- asked 5 years ago
- asked 3 years ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Thanks for your response!
There is no IP overlap(on-prem uses 192.x.x.x & AWS uses 172.x.x.x CIDR).
I've found out by packet capturing on both sides using Wireshark.
The tunnels are up and packets are reaching AWS so i don't think it will have issues with phase 2 ike but Will try getting logs from CloudWatch.
Both A and B you can see packets at both sides? Do you have 1 or 2 tunnels per S2S connection? Your not using the default AWS VPC's?
Hi Gary, Thank for the follow-up.
I tried redoing the setup from scratch again and its working now.
I genuinely don't know what's the issue as i followed the same steps as before.