Troubleshooting AWS S2S VPN connection with on-prem network

I am trying to set up a VPN connection between our AWS servers and a 3rd party network. The VPN tunnel in itself is active, but network calls are timing out.

The setup:

  • EC2 instances in private subnets have their traffic go through a NAT gateway with an Elastic IP (setup already works to reach the internet)
  • Default VPC route table targets a transit gateway for the destination IP address e.g. 1.2.3.4
  • TGW uses static routing and has a route table with a route that forwards all traffic to the attached VPN connection
  • EC2 security groups allow incoming & outgoing traffic, there are no specific NACLs
  • 3rd party network’s firewall has whitelisted internal IP of the NAT gateway’s EIP

ping and curl time out, while traceroute only shows stars. In the TGW flow logs, I see successful packet transmissions between the NAT gateway and the destination IP 1.2.3.4 across the VPN TGW attachment, yet nothing aside from DPD logs in the VPN tunnel logs.

At this point, I suspect that something prevents packets from reaching the VPN tunnel, as I suppose that I would see some VPN tunnel logs even if the 3rd party network's firewall did not whitelist the relevant IPs (correct me if I am wrong). How can I further troubleshoot?

Tim
This kind of thing is really tricky to track down based on a description, as networking can be complex. There's all kinds of things to check, and the person doing the checking really just follows their nose based on experience and what they find. Your best bet is to get an experienced professional to log into your AWS account and diagnose the problem with / for you. AWS Support may also be able / willing to help, if you have business support or higher.

The issue was caused by the on-premise network's VPN not using the AWS VPN tunnel's inside IPv4 CIDR range on its interface. Once the connection was set up with the tunnel's outside IP address and inside IPv4 CIDR range, it worked like a charm.

For anyone who runs into a similar issue where packets are dropped while the VPN tunnel is up, you can also use AWS's Reachability Analyzer to verify whether traffic from an instance reaches the VPN TGW attachment.
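Two checks from this thread are easy to script before opening a support case: whether the on-prem tunnel interface is actually addressed out of the inside IPv4 /30 that AWS assigned (the root cause above), and whether the VPC and TGW route tables carry the destination hop by hop to the VPN attachment (the routing layout in the question). The following is an added example, not code from the asker or from AWS; every address, route table and target name in it is constructed, and the two-route-table layout (private subnet to NAT gateway, public subnet to TGW) is an assumption about how the question's setup is wired.

```python
import ipaddress

# AWS inside tunnel addresses are link-local /30s (assumption stated in the lead-in:
# treat anything outside this range as a misconfiguration).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed tunnel parameters, shaped like the entries in the downloadable
# customer gateway configuration. Hypothetical values, not the thread's.
AWS_TUNNEL = {
    "outside_ip": "203.0.113.10",        # AWS-side public endpoint (TEST-NET-3)
    "inside_cidr": "169.254.44.232/30",  # tunnel inside IPv4 CIDR
    "aws_inside_ip": "169.254.44.233",   # AWS side of the /30
    "cgw_inside_ip": "169.254.44.234",   # customer gateway side of the /30
}

# Constructed on-prem tunnel interface settings: a private address unrelated to
# the inside CIDR (the failure described in the answer) and the corrected one.
ONPREM_BROKEN = {"peer_ip": "203.0.113.10", "iface_ip": "10.20.30.1/30"}
ONPREM_FIXED = {"peer_ip": "203.0.113.10", "iface_ip": "169.254.44.234/30"}


def check_tunnel_config(aws, onprem):
    """Return a list of mismatches between the AWS tunnel parameters and the
    on-prem interface; an empty list means both ends agree."""
    findings = []
    inside = ipaddress.ip_network(aws["inside_cidr"])
    if inside.prefixlen != 30 or not inside.subnet_of(LINK_LOCAL):
        findings.append(f"inside CIDR {inside} is not a /30 within {LINK_LOCAL}")
    if onprem["peer_ip"] != aws["outside_ip"]:
        findings.append(f"peer {onprem['peer_ip']} != tunnel outside IP {aws['outside_ip']}")
    iface = ipaddress.ip_interface(onprem["iface_ip"])
    if iface.ip not in inside:
        findings.append(f"tunnel interface {iface.ip} is outside inside CIDR {inside}")
    elif str(iface.ip) != aws["cgw_inside_ip"]:
        findings.append(f"tunnel interface {iface.ip} is not the CGW inside address {aws['cgw_inside_ip']}")
    elif iface.network != inside:
        findings.append(f"tunnel interface mask {iface.network} does not match {inside}")
    return findings


# Constructed route tables mirroring the question's description: the private
# subnet sends everything to the NAT gateway; the NAT gateway's (public) subnet
# sends the single on-prem host to the TGW; the TGW forwards all to the VPN.
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gateway")]
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "internet-gateway"),
    ("1.2.3.4/32", "transit-gateway"),
]
TGW_RT = [("0.0.0.0/0", "vpn-attachment")]


def lookup(routes, dst):
    """Longest-prefix match, as a VPC or TGW route table would do it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace_path(dst):
    """Walk the hops a packet from a private-subnet instance takes to dst."""
    hops = ["ec2"]
    target = lookup(PRIVATE_RT, dst)
    hops.append(target)
    if target == "nat-gateway":
        target = lookup(PUBLIC_RT, dst)
        hops.append(target)
    if target == "transit-gateway":
        hops.append(lookup(TGW_RT, dst))
    return hops


if __name__ == "__main__":
    print("broken:", check_tunnel_config(AWS_TUNNEL, ONPREM_BROKEN))
    print("fixed: ", check_tunnel_config(AWS_TUNNEL, ONPREM_FIXED))
    print("path to 1.2.3.4:", trace_path("1.2.3.4"))
    print("path to 8.8.8.8:", trace_path("8.8.8.8"))
```

The route walk only tells you that the configured tables send the destination toward the VPN attachment, which is what the TGW flow logs in the question already confirmed; the tunnel check is the part that would have flagged this thread's actual fault, since a route can be correct while the IPsec peer silently drops traffic for an inside address it does not own.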
