The issue you're experiencing with your AWS Site-to-Site VPN appears to be related to the CHILD_SA (Security Association) being repeatedly deleted and re-established. This can cause instability in the VPN connection and disrupt data transmission, even when the tunnel status shows as "UP" and both IKE Phase 1 and Phase 2 SAs are established.
There are a few potential causes for this issue:
- Asymmetric routing: If your customer gateway device (Fortigate in this case) doesn't support asymmetric routing, it can lead to instability in the VPN connection. Verify that your Fortigate device is configured to support asymmetric routing.
- Mismatched traffic selectors or encryption domains: Ensure that the traffic selectors (also known as encryption domains or interesting traffic) are correctly configured and match on both the AWS side and your on-premises Fortigate device. Mismatched configurations can cause the CHILD_SA to be repeatedly deleted and re-established.
- Security Association (SA) limits: AWS limits the number of security associations to a single pair for inbound and outbound SAs. If your VPN connection requires multiple networks, you may need to summarize the local and remote CIDR on the VPN connections to use one SA.
- Incorrect proposal settings: The CHILD_SA may fail to establish due to negotiation errors, such as incorrect proposal settings. Verify that the Phase 2 (IPsec) settings on your Fortigate device match the AWS VPN requirements.
- Routing issues: Ensure that your route tables in both AWS and on-premises are correctly configured to route traffic through the VPN connection.
To troubleshoot and resolve this issue:
- Review your Fortigate configuration to ensure it supports asymmetric routing and that the traffic selectors match the AWS VPN configuration.
- Check that the Phase 2 (IPsec) settings on your Fortigate device are compatible with AWS VPN requirements.
- Verify that your route tables in both AWS and on-premises are correctly configured.
- If you have multiple networks that need to communicate over the VPN, consider summarizing the CIDRs to reduce the number of required SAs.
- Monitor the VPN logs closely after making any changes to identify if the CHILD_SA deletion issue persists.
If the issue continues after verifying these settings, you may need to engage AWS support for further assistance in diagnosing the problem.
Sources:
- Troubleshoot VPN routing issues | AWS re:Post
- AWS Site-to-Site VPN logs - AWS Site-to-Site VPN
To troubleshoot IPsec VPN connections, it is most helpful to study the logs from both peers, and to start from the point where the original SA pair was created. If it is possible to get a packet capture from the wire, that can also help. The log excerpt above is so short that from it, it is only possible to see that the peer has decided that the Child SA (IPsec SA) needs to be deleted, and it sends a DELETE notification to the other peer. The reason for the deletion is not visible from the excerpt. It could be due to, e.g., expiration of the lifetime, a change of configuration, or many other reasons.
When you look at the log messages from the setup of the initial SAs, you may notice whether there was something that was not quite what you expected in your configuration. E.g., the traffic selectors may not be fully symmetrical at both peers, and especially in such situations things may work differently depending on which peer initiates the connection and which one is the responder. You may get a fully working SA when one end is initiating, but if the rekey is done in the other direction, it does not quite work the same.
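As an added example (not code from either answer, from AWS or from Fortinet), the following Python script checks the CHILD_SA churn causes raised in both answers above: whether the two peers' traffic selectors mirror each other, how many SA pairs a per-subnet configuration would negotiate versus the single pair AWS supports, a summarized CIDR as the fix, and a count of CHILD_SA delete messages per tunnel in a log excerpt. The peer selector lists, CIDRs and log line format are constructed assumptions, not real AWS or FortiOS log syntax.

```python
import ipaddress
from collections import Counter

def normalize(cidrs):
    """Canonical, merged set of networks for a selector list."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return frozenset(ipaddress.collapse_addresses(nets))

def selectors_mirrored(peer_a, peer_b):
    """True only when A.local == B.remote and A.remote == B.local.
    Each peer is {'local': [...], 'remote': [...]} of CIDR strings."""
    return (normalize(peer_a["local"]) == normalize(peer_b["remote"])
            and normalize(peer_a["remote"]) == normalize(peer_b["local"]))

def sa_pairs_needed(peer):
    """local x remote selector combinations a per-subnet device would
    negotiate as separate CHILD_SAs; AWS supports a single SA pair."""
    return len(normalize(peer["local"])) * len(normalize(peer["remote"]))

def summarize(cidrs):
    """Smallest single supernet covering every CIDR (one selector, one SA)."""
    nets = sorted(ipaddress.ip_network(c, strict=False) for c in cidrs)
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return str(net)

def child_sa_delete_counts(lines):
    """Count CHILD_SA delete messages per tunnel; repeated deletes shortly
    after establishment are the churn pattern to investigate."""
    counts = Counter()
    for line in lines:
        _ts, tunnel, msg = line.split(" ", 2)
        if "CHILD_SA" in msg and "delet" in msg.lower():
            counts[tunnel] += 1
    return counts

# Constructed log excerpt in a generic "<ts> <tunnel> <message>" form;
# this is not the exact AWS or FortiOS log syntax.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z tunnel-1 IKE_SA established, CHILD_SA established",
    "2024-05-01T10:00:07Z tunnel-1 received DELETE for CHILD_SA, closing",
    "2024-05-01T10:00:08Z tunnel-1 CHILD_SA established",
    "2024-05-01T10:00:15Z tunnel-1 sending DELETE for CHILD_SA",
]
if __name__ == "__main__":
    fgt = {"local": ["10.1.0.0/24", "10.2.0.0/24"], "remote": ["172.31.0.0/16"]}
    aws = {"local": ["172.31.0.0/16"], "remote": ["10.0.0.0/8"]}
    print("mirrored:", selectors_mirrored(fgt, aws), "pairs:", sa_pairs_needed(fgt))
    print("summary:", summarize(fgt["local"]), child_sa_delete_counts(SAMPLE_LOG))
```

A mirrored result of False together with more than one required pair points at the selector/SA-limit causes; replacing the per-subnet selectors with the summarized CIDR on both ends brings the configuration down to one pair.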