This section collects the official AWS troubleshooting procedures from the AWS Site-to-Site VPN documentation. Work through them in order: each layer depends on the one before it, so a fault at a lower layer explains every symptom above it.
AWS provides two troubleshooting flowcharts, chosen by your routing configuration:
- Dynamic routing: IKE → IPsec → Tunnel → BGP
- Static routing: IKE → IPsec → Tunnel → Static Routes
Purpose: The IKE security association (SA) must come up first. It authenticates the two gateways and negotiates the keying material that the IPsec SA is built from, so nothing above it can work until it exists.
Verification Steps:
Diagnostic Commands:
```
# For strongSwan/Libreswan:
sudo ipsec status
sudo ipsec statusall
# For Cisco devices:
show crypto isakmp sa
show crypto ipsec sa
# For Juniper devices:
show security ike security-associations
show security ipsec security-associations
```
If no IKE SA exists: review your IKE configuration and confirm that every parameter (pre-shared key, peer addresses, IKE version, encryption, integrity, Diffie-Hellman group and lifetimes) matches the configuration file that AWS generated for your customer gateway.
Purpose: The IPsec SA is the tunnel that actually carries the encrypted traffic. It is negotiated under the IKE SA, so verify it only after the IKE SA is confirmed to be up.
Verification Steps:
Diagnostic Commands:
```
# For strongSwan/Libreswan:
sudo ipsec trafficstatus
sudo ipsec whack --status
# For Cisco devices:
show crypto ipsec sa
show crypto ipsec transform-set
# For Juniper devices:
show security ipsec security-associations detail
show security ipsec statistics
```
AWS Required Firewall Rules:
Inbound Rules (from internet):
| Rule | Source IP | Dest IP | Protocol | Port |
|---|---|---|---|---|
| I1 | Tunnel1 Outside IP | Customer Gateway | UDP | 500 |
| I2 | Tunnel2 Outside IP | Customer Gateway | UDP | 500 |
| I3 | Tunnel1 Outside IP | Customer Gateway | IP 50 (ESP) | - |
| I4 | Tunnel2 Outside IP | Customer Gateway | IP 50 (ESP) | - |
Outbound Rules (to internet):
| Rule | Source IP | Dest IP | Protocol | Port |
|---|---|---|---|---|
| O1 | Customer Gateway | Tunnel1 Outside IP | UDP | 500 |
| O2 | Customer Gateway | Tunnel2 Outside IP | UDP | 500 |
| O3 | Customer Gateway | Tunnel1 Outside IP | IP 50 (ESP) | - |
| O4 | Customer Gateway | Tunnel2 Outside IP | IP 50 (ESP) | - |
NAT Traversal: If the customer gateway sits behind NAT (NAT-T), also allow UDP port 4500 in both directions, mirroring the UDP 500 rules above. ESP is then carried inside UDP 4500, but the IP protocol 50 rules should stay in place for the non-NAT case.
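The rule table above is easy to get subtly wrong on a real firewall (one tunnel's ESP rule forgotten, NAT-T enabled but UDP 4500 never opened). The following Python is an added example, not part of the AWS documentation or any vendor tooling: it expands the table for every tunnel outside IP, reports which required rules are missing from a configured set, and renders the gaps as iptables lines. The addresses are constructed from RFC 5737 documentation ranges, and the iptables rendering assumes the filter table with the default INPUT/OUTPUT chains.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed sample addresses (RFC 5737 documentation ranges), not real endpoints.
CUSTOMER_GATEWAY_IP = "203.0.113.10"
TUNNEL_OUTSIDE_IPS = ("198.51.100.1", "198.51.100.2")


@dataclass(frozen=True, order=True)
class Rule:
    """One stateless firewall rule as described in the AWS requirement tables."""
    direction: str        # "in" (from internet) or "out" (to internet)
    src: str
    dst: str
    proto: str            # "udp" or "esp" (IP protocol 50)
    port: int = 0         # UDP destination port; 0 for ESP, which has no port


def required_rules(cgw_ip: str, tunnel_ips: Iterable[str], nat_t: bool = False) -> set:
    """Expand rows I1-I4 and O1-O4 for every tunnel outside IP.

    With nat_t=True the UDP 4500 pairs needed for NAT traversal are added
    alongside UDP 500, in both directions, as the NAT-T note requires.
    """
    ports = [500, 4500] if nat_t else [500]
    rules = set()
    for tunnel_ip in tunnel_ips:
        for port in ports:
            rules.add(Rule("in", tunnel_ip, cgw_ip, "udp", port))   # I1 / I2
            rules.add(Rule("out", cgw_ip, tunnel_ip, "udp", port))  # O1 / O2
        rules.add(Rule("in", tunnel_ip, cgw_ip, "esp"))            # I3 / I4
        rules.add(Rule("out", cgw_ip, tunnel_ip, "esp"))           # O3 / O4
    return rules


def missing_rules(configured: Iterable[Rule], cgw_ip: str,
                  tunnel_ips: Iterable[str], nat_t: bool = False) -> list:
    """Return the required rules absent from the configured set, in a stable order."""
    return sorted(required_rules(cgw_ip, tunnel_ips, nat_t) - set(configured))


def to_iptables(rule: Rule) -> str:
    """Render a rule as a netfilter ACCEPT line (assumed: filter table, default chains)."""
    chain = "INPUT" if rule.direction == "in" else "OUTPUT"
    if rule.proto == "esp":
        return f"iptables -A {chain} -p esp -s {rule.src} -d {rule.dst} -j ACCEPT"
    return (f"iptables -A {chain} -p udp -s {rule.src} -d {rule.dst} "
            f"--dport {rule.port} -j ACCEPT")


if __name__ == "__main__":
    # Constructed scenario: inbound ESP for tunnel 2 was forgotten and NAT-T rules were never added.
    configured = required_rules(CUSTOMER_GATEWAY_IP, TUNNEL_OUTSIDE_IPS)
    configured.discard(Rule("in", "198.51.100.2", CUSTOMER_GATEWAY_IP, "esp"))
    for rule in missing_rules(configured, CUSTOMER_GATEWAY_IP, TUNNEL_OUTSIDE_IPS, nat_t=True):
        print(to_iptables(rule))
```

Feed `missing_rules` the rules you actually have (parsed from `iptables-save`, a cloud security group, or a vendor ACL) and the output is the exact delta to apply; an empty list means the AWS requirement is fully covered for the tunnel IPs you passed in.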
IP Connectivity Test:
```bash
# Ping the virtual private gateway's inside tunnel address from the customer gateway
ping <AWS_TUNNEL_INTERFACE_IP>
# If the ping fails, review the tunnel interface configuration
# and verify that the correct inside IP addresses are configured on both ends
```
Requirements:
BGP Diagnostic Commands:
```
# For FRRouting:
sudo vtysh -c "show bgp summary"
sudo vtysh -c "show ip route bgp"
sudo vtysh -c "show bgp neighbors"
# For Cisco devices:
show ip bgp summary
show ip bgp neighbors
show ip route bgp
# For Juniper devices:
show bgp summary
show route protocol bgp
show bgp neighbor
```
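The BGP summary commands above answer two separate questions in one table: is the session Established, and if so, how many prefixes arrived. Reading that by hand across many tunnels is error-prone, so here is an added Python example (not from the AWS documentation or FRRouting) that parses a constructed FRRouting `show bgp summary` output and turns each neighbor row into a finding ordered the way the flowchart orders the checks. The column layout follows FRR 8.x; the peer addresses, ASNs and counters are constructed sample values.

```python
import re

# Constructed FRRouting "show bgp summary" output, modelled on the FRR 8.x layout.
# Tunnel 1 peer is Established with 2 prefixes received; the tunnel 2 peer never came up.
SAMPLE_BGP_SUMMARY = """\
IPv4 Unicast Summary (VRF default):
BGP router identifier 169.254.10.2, local AS number 65000 vrf-id 0
BGP table version 3
RIB entries 5, using 920 bytes of memory
Peers 2, using 40 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
169.254.10.1    4      64512       120       118        3    0    0 00:58:12            2        1 N/A
169.254.11.1    4      64512         0         0        0    0    0    never       Active        0 N/A

Total number of neighbors 2
"""

NEIGHBOR_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+")


def parse_bgp_summary(text: str) -> list:
    """Return one dict per neighbor row: address, remote AS, uptime, state, prefixes received."""
    peers = []
    for line in text.splitlines():
        if not NEIGHBOR_LINE.match(line):
            continue
        fields = line.split()
        # Column 9 is State/PfxRcd: a number means Established (with that many prefixes
        # received); anything else is the BGP FSM state (Idle, Connect, Active, ...).
        state_or_pfx = fields[9]
        established = state_or_pfx.isdigit()
        peers.append({
            "neighbor": fields[0],
            "remote_as": int(fields[2]),
            "up_down": fields[8],
            "state": "Established" if established else state_or_pfx,
            "pfx_rcvd": int(state_or_pfx) if established else 0,
        })
    return peers


def diagnose_peers(peers: list) -> dict:
    """Map each neighbor to a finding, checking the session before the routes."""
    findings = {}
    for p in peers:
        if p["state"] != "Established":
            findings[p["neighbor"]] = (
                f"session {p['state']}: confirm the tunnel is up (ping the inside tunnel IP), "
                f"then check the BGP ASN and inside addresses against the AWS configuration file")
        elif p["pfx_rcvd"] == 0:
            findings[p["neighbor"]] = (
                "established but no prefixes received: check route propagation "
                "from the virtual private gateway to this tunnel")
        else:
            findings[p["neighbor"]] = f"healthy: {p['pfx_rcvd']} prefixes received"
    return findings


if __name__ == "__main__":
    for neighbor, finding in diagnose_peers(parse_bgp_summary(SAMPLE_BGP_SUMMARY)).items():
        print(neighbor, "->", finding)
```

On a live router replace `SAMPLE_BGP_SUMMARY` with the output of `sudo vtysh -c "show bgp summary"`; both tunnels should report as healthy, because AWS expects a BGP session on each tunnel so that failover works.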
Customer Gateway Side:
AWS Side:
Both Tunnels: Ensure both tunnels have proper static routes configured.
Namespace: AWS/VPN
Key Metrics:
Monitoring Setup:
CLI Monitoring:
```bash
# List all VPN metrics
aws cloudwatch list-metrics --namespace "AWS/VPN"
# Get tunnel state metrics
aws cloudwatch get-metric-statistics \
  --namespace AWS/VPN \
  --metric-name TunnelState \
  --dimensions Name=VpnId,Value=vpn-xxxxxxxxx \
  --start-time 2024-01-01T00:00:00Z \
  --end-time 2024-01-01T23:59:59Z \
  --period 300 \
  --statistics Average
```
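The `get-metric-statistics` call above returns unordered datapoints, and with the `VpnId` dimension the `TunnelState` average spans both tunnels (1 means both up, 0 means both down, anything in between means one tunnel is down). The following Python is an added example, not AWS tooling or code from this guide: it takes the JSON shape that command prints (constructed here, with sample timestamps and values), orders the datapoints, and summarises uptime, partial outages, state transitions and missing periods so the history is readable at a glance.

```python
import json
from datetime import datetime

# Constructed: the JSON shape printed by `aws cloudwatch get-metric-statistics` for
# TunnelState with the VpnId dimension (Average over both tunnels, 300-second periods).
# Datapoints are deliberately out of order, as the API may return them.
SAMPLE_RESPONSE = json.dumps({
    "Label": "TunnelState",
    "Datapoints": [
        {"Timestamp": "2024-01-01T00:20:00+00:00", "Average": 0.5, "Unit": "None"},
        {"Timestamp": "2024-01-01T00:00:00+00:00", "Average": 1.0, "Unit": "None"},
        {"Timestamp": "2024-01-01T00:15:00+00:00", "Average": 1.0, "Unit": "None"},
        {"Timestamp": "2024-01-01T00:05:00+00:00", "Average": 1.0, "Unit": "None"},
        {"Timestamp": "2024-01-01T00:25:00+00:00", "Average": 0.0, "Unit": "None"},
        {"Timestamp": "2024-01-01T00:10:00+00:00", "Average": 0.5, "Unit": "None"},
    ],
})


def summarize_tunnel_state(response_json: str, period_seconds: int = 300) -> dict:
    """Summarise a TunnelState (Average, VpnId dimension) response into a health picture."""
    data = json.loads(response_json)
    points = sorted(
        (datetime.fromisoformat(d["Timestamp"]), float(d["Average"]))
        for d in data["Datapoints"]
    )
    values = [v for _, v in points]
    # Every change between consecutive periods is a transition; many of them means flapping.
    transitions = sum(1 for a, b in zip(values, values[1:]) if a != b)
    # A gap longer than one period means CloudWatch received no datapoint at all,
    # which is a different problem from a tunnel reporting DOWN.
    missing = sum(1 for (t1, _), (t2, _) in zip(points, points[1:])
                  if (t2 - t1).total_seconds() > period_seconds)
    if not values:
        status = "no-data"
    elif min(values) == 1.0:
        status = "healthy"      # both tunnels up in every period
    elif min(values) > 0.0:
        status = "degraded"     # one tunnel down in at least one period
    else:
        status = "outage"       # both tunnels down in at least one period
    return {
        "status": status,
        "periods": len(values),
        "periods_fully_up": values.count(1.0),
        "periods_one_down": sum(1 for v in values if 0.0 < v < 1.0),
        "periods_both_down": values.count(0.0),
        "transitions": transitions,
        "flapping": transitions >= 3,
        "missing_periods": missing,
        "first_degraded": next((t.isoformat() for t, v in points if v < 1.0), None),
    }


if __name__ == "__main__":
    for key, value in summarize_tunnel_state(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Pipe the real command's output into `summarize_tunnel_state` (for example `aws cloudwatch get-metric-statistics ... | python3 -c '...'`). A `first_degraded` timestamp is the point to line up against IKE and BGP logs on the customer gateway; `flapping` with few `missing_periods` points at DPD or an unstable underlay rather than a configuration error.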
AWS Diagnosis Process:
Common Causes & Fixes:
Pre-shared Key Mismatch:
IP Address Mismatch:
Troubleshooting Steps:
DPD (Dead Peer Detection) Issues:
MTU Issues:
Network Instability:
BGP Session Not Establishing:
Route Advertisement Problems:
```bash
# From customer network to AWS VPC
ping <AWS_PRIVATE_IP>
traceroute <AWS_PRIVATE_IP>
# From AWS VPC to customer network
ping <CUSTOMER_PRIVATE_IP>
traceroute <CUSTOMER_PRIVATE_IP>
# Tunnel interface connectivity
ping <AWS_TUNNEL_INTERFACE_IP>
ping <CUSTOMER_TUNNEL_INTERFACE_IP>
# Bandwidth testing (an iperf3 server must be listening on the remote host)
iperf3 -c <REMOTE_IP> -t 60
# Latency testing
ping -c 100 <REMOTE_IP>
# MTU discovery: -M do sets the Don't Fragment bit; 1472 bytes of payload plus
# 8 bytes ICMP and 20 bytes IP header equals a 1500-byte packet. Lower -s until it succeeds.
ping -M do -s 1472 <REMOTE_IP>
```
Capture Points:
Analysis Commands:
```bash
# Wireshark display filter for VPN control and data traffic (IKE, NAT-T, ESP)
udp.port == 500 or udp.port == 4500 or ip.proto == 50
# tcpdump for the same traffic on all interfaces
sudo tcpdump -i any -n 'udp port 500 or udp port 4500 or ip proto 50'
# Libreswan: turn on full debug logging (whack is Libreswan's control tool;
# strongSwan raises charon log levels in its configuration instead)
sudo ipsec whack --debug-all
```
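A capture taken with the tcpdump filter above usually tells you which layer is failing before any vendor command does: IKE leaving with no reply, or IKE completing while ESP only flows one way, each map to a specific row of the firewall tables. Here is an added Python example (not from the AWS documentation or any vendor tool) that tallies a constructed `tcpdump -n` capture per tunnel, protocol and direction and states the finding in the order of the flowchart. The addresses are RFC 5737 documentation values; the lines follow tcpdump's isakmp/ESP output but are constructed, and the `-i any` direction prefixes of newer tcpdump versions are assumed absent.

```python
import re
from collections import Counter

# Constructed addresses (RFC 5737): customer gateway and the two AWS tunnel outside IPs.
CGW_IP = "203.0.113.10"
TUNNEL_IPS = {"198.51.100.1": "tunnel1", "198.51.100.2": "tunnel2"}

# Constructed tcpdump -n output: tunnel 1 completes IKEv2 and exchanges ESP both ways;
# tunnel 2 sends IKE_SA_INIT twice and never hears back.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]
12:00:01.020000 IP 198.51.100.1.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]
12:00:01.040000 IP 203.0.113.10.500 > 198.51.100.1.500: isakmp: child_sa  ikev2_auth[I]
12:00:01.060000 IP 198.51.100.1.500 > 203.0.113.10.500: isakmp: child_sa  ikev2_auth[R]
12:00:02.000000 IP 203.0.113.10 > 198.51.100.1: ESP(spi=0xc0a1b2c3,seq=0x1), length 132
12:00:02.010000 IP 198.51.100.1 > 203.0.113.10: ESP(spi=0x1d2e3f40,seq=0x1), length 132
12:00:05.000000 IP 203.0.113.10.500 > 198.51.100.2.500: isakmp: parent_sa ikev2_init[I]
12:00:10.000000 IP 203.0.113.10.500 > 198.51.100.2.500: isakmp: parent_sa ikev2_init[I]
"""

LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify(rest: str, sport, dport):
    """Label a packet as esp, ike, or ike-natt (IKE on UDP 4500); None if unrelated."""
    if "ESP(" in rest:
        return "esp"
    if "isakmp" in rest:
        return "ike-natt" if "4500" in (sport, dport) else "ike"
    return None


def tally_flows(capture: str) -> Counter:
    """Count packets keyed by (tunnel, kind, direction) relative to the customer gateway."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        kind = classify(m["rest"], m["sport"], m["dport"])
        if kind is None:
            continue
        if m["src"] == CGW_IP and m["dst"] in TUNNEL_IPS:
            counts[(TUNNEL_IPS[m["dst"]], kind, "out")] += 1
        elif m["dst"] == CGW_IP and m["src"] in TUNNEL_IPS:
            counts[(TUNNEL_IPS[m["src"]], kind, "in")] += 1
    return counts


def diagnose(counts: Counter) -> dict:
    """Turn the tallies into one finding per tunnel, lowest failing layer first."""
    findings = {}
    for tunnel in sorted(set(TUNNEL_IPS.values())):
        ike_out = counts[(tunnel, "ike", "out")] + counts[(tunnel, "ike-natt", "out")]
        ike_in = counts[(tunnel, "ike", "in")] + counts[(tunnel, "ike-natt", "in")]
        esp_out, esp_in = counts[(tunnel, "esp", "out")], counts[(tunnel, "esp", "in")]
        if ike_out == 0 and ike_in == 0:
            findings[tunnel] = "no IKE traffic seen: confirm the customer gateway is configured to initiate to this outside IP"
        elif ike_in == 0:
            findings[tunnel] = ("IKE initiated but no reply from AWS: check outbound UDP 500/4500, inbound rules I1/I2, "
                                "and that AWS has the correct customer gateway public IP")
        elif esp_out and not esp_in:
            findings[tunnel] = "IKE completed but ESP is one-way: inbound IP protocol 50 (rules I3/I4) is likely blocked"
        elif esp_out and esp_in:
            findings[tunnel] = "IKE and ESP flowing in both directions: move on to tunnel interface and routing checks"
        else:
            findings[tunnel] = "IKE exchanged but no ESP yet: check the IPsec proposal and traffic selectors"
    return findings


if __name__ == "__main__":
    for tunnel, finding in diagnose(tally_flows(SAMPLE_CAPTURE)).items():
        print(tunnel, "->", finding)
```

Run it against `sudo tcpdump -i any -n 'udp port 500 or udp port 4500 or ip proto 50' > capture.txt` after replacing the constructed addresses with your own; if the capture was taken with a tcpdump that prefixes lines with `In`/`Out`, strip that token first or extend the regex.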
CloudWatch Alarms:
Logging Configuration:
Health Checks:
Maintain Records Of:
AWS provides official troubleshooting guides for:
This AWS official troubleshooting guide provides:
✅ Systematic troubleshooting approach following AWS best practices
✅ Step-by-step verification process from IKE to routing layers
✅ Comprehensive error scenarios with official solutions
✅ CloudWatch monitoring integration for proactive management
✅ Device-specific guidance for major network equipment vendors
✅ Advanced troubleshooting techniques for complex scenarios
Follow these AWS-recommended procedures for systematic VPN troubleshooting and reliable Site-to-Site connectivity between your on-premises network and your AWS VPC.
💡 Pro Tip: Always work through the layers in order (IKE → IPsec → Tunnel → Routing) and use AWS CloudWatch monitoring to catch tunnel state changes before users report them.