Site-to-Site VPN - Both Tunnels Flapping Simultaneously

You're correct that the two tunnels terminate on different AWS endpoint IPs. This is the key diagnostic clue: if both tunnels fail simultaneously despite terminating on separate AWS infrastructure, the single common point of failure is the Customer Gateway (CGW) side.

Both tunnels originate from the same CGW IP (your Cisco ASA's public interface). Anything that disrupts connectivity from that single IP to the internet will take down both tunnels at the same time, even though the AWS endpoints are independent.

Most likely causes:

1. The CGW is failing to respond to AWS DPD (Dead Peer Detection) messages on both tunnels. AWS sends DPD probes every 10 seconds. After 3 consecutive missed responses, AWS declares the peer dead and takes action based on the configured DPD timeout action. If your ASA experiences a brief CPU spike, memory pressure, or interface flap, it may miss DPD responses on both tunnels simultaneously.

2. An upstream network issue between your CGW and the internet (ISP micro-outage, NAT device session table exhaustion, or firewall rate-limiting UDP 500/4500) that is not severe enough to appear on ISP status pages but enough to drop the DPD packets.

The 25-45 minute recovery time suggests your DPD timeout action is set to "Clear" (the default) and the startup action is set to "Add" (the default, meaning AWS acts as responder only). With this combination, when a DPD timeout occurs, AWS ends the IKE session and does not attempt to re-initiate it. The tunnel stays down until the CGW initiates a new IKE session. If your ASA has a backoff timer or does not actively retry, the tunnel remains down until the ASA's retry timer fires.

Troubleshooting steps:

1. Enable VPN tunnel logging on the AWS side and check whether the tunnels went down due to DPD timeout (CGW not responding) or due to the CGW sending a DELETE notification (CGW intentionally tearing down). This distinction tells you whether the CGW went unresponsive or actively disconnected.

2. Check your ASA logs during the exact outage timestamps for CPU/memory alerts, IKE errors, or interface flaps:

   show cpu usage
   show memory
   show crypto ikev2 sa detail
   show logging | include VPN|IKE|DPD

3. Run continuous pings from a device outside your CGW (e.g., a separate host on your network) to both AWS tunnel endpoint IPs. If pings fail during the outage, the issue is upstream of the CGW (ISP/firewall/NAT), not the CGW itself.

4. Check if your firewall or NAT device has aggressive UDP session timeouts. Some devices timeout UDP 4500 (NAT-T) sessions as low as 30 seconds, which can cause both tunnels to appear unreachable from AWS's perspective.

Recommended changes:

1. Change the DPD timeout action from "Clear" to "Restart". With "Restart", AWS will actively attempt to re-establish the IKE session after a DPD timeout rather than waiting for the CGW to initiate. This should significantly reduce your recovery time.

2. Change the IKE startup action from "Add" (responder) to "Start" (initiator). This ensures AWS actively tries to bring the tunnel up rather than waiting for the CGW.

3. On the ASA side, configure aggressive IKE retry timers so the CGW attempts to re-establish immediately after a failure rather than waiting 25-45 minutes.

4. For long-term redundancy, consider adding a second VPN connection from a different CGW device (different public IP, ideally different ISP). This eliminates the single point of failure at the CGW level.

References:

• How do I troubleshoot Site-to-Site VPN tunnel inactivity, tunnel flapping, or down tunnel?
• Site-to-Site VPN logs
• Configure tunnel options for AWS Site-to-Site VPN
• AWS Site-to-Site VPN tunnel initiation options