
VPN Tunnel Troubleshooting

Problems establishing a VPN connection

Problems maintaining a VPN connection

If you successfully establish both VPN tunnels but still experience connectivity issues, then:

  1. Check for network ACLs on the VPC subnets that drop traffic arriving over the VPN. Network ACLs are stateless, so both the inbound rule for the request and the outbound rule for the reply must allow the on-premises address range. The security groups on the target instances must also allow the traffic (including the ICMP echo you use for testing).
  2. Check for operating system-level (OS-level) firewalls that block traffic to EC2 instances inside your VPC.
     For EC2 Windows instances, run wf.msc from a Command Prompt to open Windows Firewall with Advanced Security and review the inbound rules.
     For EC2 Linux instances, list the active rules in a terminal session, for example with iptables -L -n -v (or nft list ruleset on nftables-based distributions). For more detailed information, run man iptables.

Note: AWS accepts only a single pair of security associations for a VPN connection (one inbound and one outbound association). On a policy-based customer gateway device, every entry in the crypto access list (each proxy-ID pair) negotiates its own Phase 2 security association, so listing several on-premises subnets against several VPC subnets produces more than one pair and the tunnel becomes unstable. Instead, configure your internal network as the source address (0.0.0.0/0) and the VPC subnet as the destination address. This configuration allows all traffic to the VPC to traverse the VPN without creating additional security associations.

A VPN tunnel comes up when traffic is generated from the customer gateway side of the VPN connection. The virtual private gateway side is not the initiator. If your VPN connection experiences a period of idle time (usually 10 seconds, depending on your customer gateway configuration), the tunnel might go down. To prevent this problem, use a network monitoring tool on the on-premises side to generate keepalive pings to an address inside the VPC CIDR, so that the traffic actually traverses the tunnel. For example, for Cisco ASA devices, enable SLA monitoring.
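The following script is an added example, not part of the original AWS article and not a vendor feature: a portable keepalive loop for the case where no device-side SLA monitor is available. It sends one probe per interval from the on-premises side toward an address behind the tunnel and, DPD-style, reports the path as DOWN only after several consecutive lost probes, so a single dropped packet does not raise an alert. The target address 10.0.1.25, the interval, and the `simulated_probe` stand-in for `ping` (so the script runs offline) are all assumptions of this example.

```shell
#!/bin/sh
# Keepalive generator for a customer-gateway-initiated VPN tunnel (added example).
# The virtual private gateway never initiates, so something on the on-premises
# side must keep sending traffic through the tunnel; this loop does that and
# also reports when the path across the tunnel changes state.
#
# tunnel_keepalive TARGET INTERVAL MAX_ROUNDS [PROBE]
#   TARGET      IP of an EC2 instance in the VPC (any address behind the tunnel)
#   INTERVAL    seconds between probes; keep it below the idle timeout of the
#               customer gateway device (the article cites about 10 s)
#   MAX_ROUNDS  number of probes to send, 0 = run until killed
#   PROBE       command run as "$PROBE TARGET"; default is one ICMP echo
#               (Linux iputils ping: -c 1 one packet, -W 2 two-second wait)
# Prints one line on each state change; returns 0 if the last probe succeeded.
DOWN_AFTER=3   # consecutive lost probes before the path is declared DOWN (DPD-like)

tunnel_keepalive() {
    target=$1; interval=${2:-5}; max=${3:-0}; probe=${4:-ping -c 1 -W 2}
    state=unknown; n=0; lost=0
    while [ "$max" -eq 0 ] || [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        if $probe "$target" >/dev/null 2>&1; then
            lost=0
            if [ "$state" != up ]; then
                echo "probe $n: $target UP"; state=up
            fi
        else
            lost=$((lost + 1))
            if [ "$lost" -ge "$DOWN_AFTER" ] && [ "$state" != down ]; then
                echo "probe $n: $target DOWN ($lost consecutive probes lost)"; state=down
            fi
        fi
        # sleep only between probes, not after the last one
        if [ "$max" -eq 0 ] || [ "$n" -lt "$max" ]; then sleep "$interval"; fi
    done
    [ "$state" = up ]
}

# Constructed stand-in for ping so the script runs offline: each call consumes one
# character of SIM_PLAN, 'U' = reply received, anything else = no reply.
SIM_PLAN="UUDDDUU"; SIM_IDX=0
simulated_probe() {
    SIM_IDX=$((SIM_IDX + 1))
    [ "$(printf '%s' "$SIM_PLAN" | cut -c "$SIM_IDX")" = U ]
}

# Demo: 7 simulated probes with no delay. Real use on the on-premises host:
#   tunnel_keepalive 10.0.1.25 5 0
tunnel_keepalive 10.0.1.25 0 7 simulated_probe
```

Run it from a host on the LAN side of the customer gateway, not from the gateway's public interface, so that the probes are routed into the tunnel; a probe interval of a few seconds is enough to keep most devices from idling out.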

If you rule out your VPC configuration and EC2 instance connectivity as possible root causes, then:

  1. Open a terminal session (Linux) or Command Prompt (Windows).
  2. Run the traceroute (Linux) or tracert (Windows) utility from your internal network to an EC2 instance in the VPC that your VPN is attached to.
  3. If the output stops at an IP address associated with your internal network, verify that the routing path to your VPN edge device is correct.
  4. If the output reaches your customer gateway device but not your EC2 instance, check your VPN customer gateway device settings. Verify that your VPN configuration, policies and network address translation (NAT) settings are correct. Also verify that any upstream devices allow traffic flow.
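To make steps 3 and 4 mechanical, here is an added example (not from the original article) that parses traceroute or tracert output, finds the last hop that answered, and maps it onto the checklist above. The LAN address pattern `192.168.*`, the customer gateway inside address 192.168.254.2, the instance address 10.0.1.25, and both sample traces are constructed for this example.

```shell
#!/bin/sh
# Classify where a traceroute/tracert toward an EC2 instance stops (added example).
# Maps the last hop that answered onto the checklist above:
#   REACHED_INSTANCE          path is fine; look at security groups / OS firewall instead
#   STOPS_IN_INTERNAL_NETWORK step 3: fix routing from the LAN to the VPN edge device
#   STOPS_AT_CUSTOMER_GATEWAY step 4: check VPN config, policies and NAT on the device
#   NO_HOP_ANSWERED           nothing answered at all; check the host's default gateway
#   STOPS_UPSTREAM            last hop is outside the LAN and not the CGW; check upstream devices

# last_hop: print the address of the last hop that answered. Reads Linux traceroute
# (" 3  gw.example (10.1.1.1)  0.8 ms") or Windows tracert ("  3    <1 ms  10.1.1.1")
# output on stdin; "* * *" rows carry no address and are skipped.
last_hop() {
    awk '
        /^ *[0-9]+/ {                         # hop rows start with the hop number
            for (i = 2; i <= NF; i++) {
                f = $i; gsub(/[()]/, "", f)   # "(10.1.1.1)" -> "10.1.1.1"
                if (f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = f; break }
            }
        }
        END { print ip }'
}

# classify_trace LAN_GLOB CGW_INSIDE_IP INSTANCE_IP   (trace output on stdin)
#   LAN_GLOB is a shell pattern covering on-premises addresses, e.g. '192.168.*'
classify_trace() {
    lan_glob=$1; cgw=$2; instance=$3
    hop=$(last_hop)
    case "$hop" in
        "$instance") echo REACHED_INSTANCE ;;
        "$cgw")      echo STOPS_AT_CUSTOMER_GATEWAY ;;
        "")          echo NO_HOP_ANSWERED ;;
        $lan_glob)   echo STOPS_IN_INTERNAL_NETWORK ;;   # unquoted on purpose: pattern match
        *)           echo STOPS_UPSTREAM ;;
    esac
}

# Constructed Linux traceroute output (not a real capture): the trace dies after the
# customer gateway's inside address, so step 4 applies.
sample_trace_stops_at_cgw() {
cat <<'EOF'
traceroute to 10.0.1.25 (10.0.1.25), 30 hops max, 60 byte packets
 1  192.168.10.1 (192.168.10.1)  0.412 ms
 2  cgw.corp.example (192.168.254.2)  1.120 ms
 3  * * *
 4  * * *
EOF
}

# Constructed Windows tracert output: only the LAN default gateway answers, so step 3 applies.
sample_tracert_stops_in_lan() {
cat <<'EOF'
Tracing route to 10.0.1.25 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
EOF
}

# Real use:  traceroute -n 10.0.1.25 | classify_trace '192.168.*' 192.168.254.2 10.0.1.25
sample_trace_stops_at_cgw   | classify_trace '192.168.*' 192.168.254.2 10.0.1.25
sample_tracert_stops_in_lan | classify_trace '192.168.*' 192.168.254.2 10.0.1.25
```

Use the customer gateway's LAN-facing (inside) address as the second argument: that is the hop a LAN host sees before traffic enters the tunnel, and a trace that ends there points at the device's crypto policy, NAT or routing rather than at the LAN.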

If the Border Gateway Protocol (BGP) used within your VPN tunnel is down, then:

  1. Verify that you defined the BGP Autonomous System Number (ASN) when you created your customer gateway. The customer gateway ASN is included in your downloadable VPN configuration.
  2. If needed, update your customer gateway with the correct ASN. The ASN must match the ASN you provided during VPN configuration. The ASN is either an existing ASN assigned to your network or a private ASN in the 64512–65534 range.
  3. Verify that any local firewall configurations on your customer gateway allow BGP traffic to pass through to AWS. The BGP session runs over TCP port 179 inside the tunnel, between the inside tunnel addresses (169.254.x.x) listed in your downloadable configuration, so the rule must permit that traffic on the tunnel interface rather than only on the public interface. For more information, see the device-specific troubleshooting guides.

If possible, use AWS Trusted Advisor's VPN tunnel redundancy check in your monitoring activities:

  1. On the navigation pane under Dashboard, choose Fault Tolerance.
  2. In the content pane, select VPN Tunnel Redundancy from the list of Fault Tolerance Checks.
  3. Choose the download icon to download the results of this check.

Further troubleshooting

Before performing further troubleshooting steps, be sure to collect the following information:

  • A contact with administrative access to your on-premises networking equipment and VPC resources.
  • The make and model of the physical device you're using to establish the VPN connection, including the firmware version.
  • Identifiers for your VPC (vpc-XXXXXXXX), virtual private gateway (vgw-XXXXXXXX), and VPN (vpn-XXXXXXXX).
  • Access to your VPN device's current configuration and the configuration created by the AWS console when the VPN tunnels were created.
  • Details about the VPN's connectivity history (when the tunnels last came up, and whether the problem is constant or intermittent).
  • The IP address of an EC2 instance or other resource inside the VPC for testing purposes.
  • The source IP address of the local area network (LAN) that you're trying to initiate your VPN connection from.
