
AWS Client VPN: Intermittent connectivity to destination - works for some users but not others with the same configuration


I have an AWS Client VPN endpoint with split tunnel enabled. The VPN connects to a destination VPC via Transit Gateway peering across regions.

The issue is that some users can reach the destination (e.g., an EKS cluster or EC2 instance) while others cannot, even though they are all connecting to the same Client VPN endpoint with the same group permissions. The users who cannot connect experience a connection timeout, and VPC Flow Logs show no traffic arriving at the destination VPC from those users.

What I have verified:

  • TGW routing is correct (confirmed by launching a test instance in the VPN VPC that can reach the destination)
  • Security groups and NACLs allow the traffic
  • Authorization rules are configured for the correct destination CIDR and user group
  • The Client VPN route for the destination CIDR exists in the route table

The strange part is that the failure seems correlated with the client IP address assigned by the VPN. Users assigned IPs in one range (e.g., 10.x.3.x) can connect, while users assigned IPs in another range (e.g., 10.x.1.x or 10.x.2.x) cannot.

What could cause this behaviour?

1 Answer
Accepted Answer

Based on the information provided, there are two key clues that point to the cause of the issue:

  1. A test instance in the VPN VPC can reach the destination successfully. This rules out TGW routing and the destination-side configuration. The network path from the VPC onwards is working correctly.

  2. VPC Flow Logs show no traffic from the affected users. This means the traffic is being dropped before it enters the VPC. If the issue were at the TGW or destination VPC level, you would see traffic leaving the VPN VPC but failing at a later hop. The fact that no traffic appears at all tells us the Client VPN endpoint itself is not forwarding the traffic into the VPC for those users.

The correlation with client IP ranges is the final clue. Client VPN distributes connecting users across the available subnet associations using DNS round-robin. Users assigned IPs in one range are connected to one association, while users in another range are on a different association. If connectivity works for one IP range but not another, it means the associations are behaving differently.

This is a known Client VPN behaviour documented by AWS here. The issue could be that the route for your destination CIDR is not configured on all subnet associations.

Clients connect to a Client VPN endpoint based on the DNS round-robin algorithm. This means their traffic can be routed through any of the associated subnets when they establish a connection. If a route only exists for one or two of the associated subnets but not all of them, users who land on an association without the route will experience connectivity failures. Their traffic is silently dropped at the Client VPN level.

How to diagnose

List all routes and their target subnet associations:

aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id cvpn-endpoint-1234567890123456

Look for your destination CIDR in the output. If it only appears with one or two subnet association targets but not all of them, that is the problem.

How to fix

Add the missing route to all subnet associations via the console (VPC → Client VPN Endpoints → Route Table → Add Route) or via CLI:

aws ec2 create-client-vpn-route --client-vpn-endpoint-id cvpn-endpoint-1234567890123456 --destination-cidr-block 10.x.x.x/x --target-vpc-subnet-id subnet-1234567890123456

Repeat for each subnet association that is missing the route.


Answered 20 days ago by an AWS Support Engineer
Reviewed 20 days ago by an Expert
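The diagnosis above comes down to one check: does every associated subnet carry an active route for the destination CIDR? The following script is an added example, not part of the answer or of any AWS tooling. It parses the JSON that `describe-client-vpn-routes` and `describe-client-vpn-target-networks` return (the field names are the CLI's own; the endpoint, subnet and association IDs and the CIDRs are constructed) and prints the `create-client-vpn-route` commands for the associations that are missing the route. A route whose status is not `active` is treated as missing, since it forwards nothing either.

```python
import json
from typing import List

# Constructed sample output of:
#   aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id cvpn-endpoint-1234567890123456
# Three subnets are associated, but the destination route 10.20.0.0/16 is only
# active on one of them (subnet-cccc3333); on subnet-bbbb2222 it failed.
ROUTES_JSON = """{"Routes": [
  {"DestinationCidr": "10.0.0.0/16",  "TargetSubnet": "subnet-aaaa1111", "Type": "Nat", "Origin": "associate", "Status": {"Code": "active"}},
  {"DestinationCidr": "10.0.0.0/16",  "TargetSubnet": "subnet-bbbb2222", "Type": "Nat", "Origin": "associate", "Status": {"Code": "active"}},
  {"DestinationCidr": "10.0.0.0/16",  "TargetSubnet": "subnet-cccc3333", "Type": "Nat", "Origin": "associate", "Status": {"Code": "active"}},
  {"DestinationCidr": "10.20.0.0/16", "TargetSubnet": "subnet-cccc3333", "Type": "Nat", "Origin": "add-route", "Status": {"Code": "active"}},
  {"DestinationCidr": "10.20.0.0/16", "TargetSubnet": "subnet-bbbb2222", "Type": "Nat", "Origin": "add-route", "Status": {"Code": "failed"}}
]}"""

# Constructed sample output of:
#   aws ec2 describe-client-vpn-target-networks --client-vpn-endpoint-id cvpn-endpoint-1234567890123456
TARGETS_JSON = """{"ClientVpnTargetNetworks": [
  {"AssociationId": "cvpn-assoc-0001", "TargetNetworkId": "subnet-aaaa1111", "Status": {"Code": "associated"}},
  {"AssociationId": "cvpn-assoc-0002", "TargetNetworkId": "subnet-bbbb2222", "Status": {"Code": "associated"}},
  {"AssociationId": "cvpn-assoc-0003", "TargetNetworkId": "subnet-cccc3333", "Status": {"Code": "associated"}}
]}"""


def associated_subnets(targets_json: str) -> List[str]:
    """Subnets currently associated with the endpoint; DNS round-robin can land a client on any of them."""
    doc = json.loads(targets_json)
    return sorted(t["TargetNetworkId"] for t in doc["ClientVpnTargetNetworks"]
                  if t.get("Status", {}).get("Code") == "associated")


def subnets_missing_route(routes_json: str, targets_json: str, destination_cidr: str) -> List[str]:
    """Associated subnets with no active route for destination_cidr (clients landing there are black-holed)."""
    doc = json.loads(routes_json)
    covered = {r["TargetSubnet"] for r in doc["Routes"]
               if r["DestinationCidr"] == destination_cidr
               and r.get("Status", {}).get("Code") == "active"}
    return [s for s in associated_subnets(targets_json) if s not in covered]


def fix_commands(endpoint_id: str, routes_json: str, targets_json: str, destination_cidr: str) -> List[str]:
    """One create-client-vpn-route command per association that is missing the route."""
    return [f"aws ec2 create-client-vpn-route --client-vpn-endpoint-id {endpoint_id} "
            f"--destination-cidr-block {destination_cidr} --target-vpc-subnet-id {s}"
            for s in subnets_missing_route(routes_json, targets_json, destination_cidr)]


if __name__ == "__main__":
    for cmd in fix_commands("cvpn-endpoint-1234567890123456", ROUTES_JSON, TARGETS_JSON, "10.20.0.0/16"):
        print(cmd)
```

Against live output, feed the script the two commands' JSON instead of the constructed strings; an empty result means every association already carries an active route for the CIDR.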
