Issue

I don’t see network traffic flowing on the AWS side of my Amazon Virtual Private Cloud (Amazon VPC) connection. How do I check the AWS VPN tunnel status?

Resolution

Verify whether you are using static or dynamic VPN routing.
VPN devices that don’t support Border Gateway Protocol (BGP) must use static routing. VPN devices that support BGP can use dynamic routing.
Check the current status using the Amazon VPC console
If you use a static VPN:

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under VPN Connections, choose VPN Connections.
  3. Select your VPN connection.
  4. Choose the Tunnel Details view.
  5. Review the Status of your VPN tunnel.
  6. If the tunnel status is UP, choose the Static Routes view. Be sure to specify any private networks behind your on-premises firewall.
  7. If the tunnel status is DOWN, verify that your on-premises firewall is properly configured.
  8. Be sure to enable route propagation in your VPC route table.

If you use a dynamic VPN with BGP:

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under VPN Connections, choose VPN Connections.
  3. Select your VPN connection.
  4. Choose the Tunnel Details view.
  5. Review the Status of your VPN tunnel.
  6. If the tunnel status is UP, verify that the Details column has one or more BGP routes listed.
  7. If the tunnel status is DOWN but the Details column is IPSEC IS UP, be sure to configure BGP properly on your firewall. Phase 2 of Internet Protocol Security (IPSec) is established, but BGP isn’t established.
  8. Be sure to enable route propagation in your VPC route table.
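The same checks can be scripted against the output of aws ec2 describe-vpn-connections instead of the console. The following is an added example, not code from AWS; it applies the decision rules of the static and dynamic procedures above to a constructed sample of that command's JSON (the VPN ID and IP addresses are placeholders), using the real API field names VgwTelemetry, Status, StatusMessage, AcceptedRouteCount and StaticRoutesOnly.

```python
# Classifies AWS Site-to-Site VPN tunnel telemetry using the same decision
# rules as the console steps above. Input is the JSON printed by
# `aws ec2 describe-vpn-connections --output json`; field names
# (VgwTelemetry, Status, StatusMessage, AcceptedRouteCount, StaticRoutesOnly)
# are those of the EC2 DescribeVpnConnections API.
import json

# Constructed sample in the shape of describe-vpn-connections output;
# the VPN id and IP addresses are placeholders, not real resources.
SAMPLE = json.dumps({"VpnConnections": [{
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "Options": {"StaticRoutesOnly": False},
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 3},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
         "StatusMessage": "IPSEC IS UP", "AcceptedRouteCount": 0},
    ],
}]})


def diagnose_tunnel(tunnel, static_routes_only):
    """Return (state, advice) for one VgwTelemetry entry."""
    status = tunnel.get("Status", "").upper()
    message = tunnel.get("StatusMessage", "").upper()
    routes = tunnel.get("AcceptedRouteCount", 0)
    if status == "UP":
        if static_routes_only:
            return "ok", "tunnel up; confirm static routes cover every on-premises network"
        if routes > 0:
            return "ok", f"tunnel up, {routes} BGP route(s) accepted"
        return "no-routes", "tunnel up but no BGP routes accepted; check BGP advertisements"
    if "IPSEC IS UP" in message:
        return "bgp-down", "IPsec phase 2 up but BGP not established; check BGP on the firewall"
    return "down", "tunnel down; check on-premises firewall and IKE/IPsec configuration"


def diagnose(raw_json):
    """Map (vpn id, tunnel outside IP) to a diagnosis for every tunnel."""
    results = {}
    for conn in json.loads(raw_json)["VpnConnections"]:
        static = conn.get("Options", {}).get("StaticRoutesOnly", False)
        for tunnel in conn["VgwTelemetry"]:
            results[(conn["VpnConnectionId"], tunnel["OutsideIpAddress"])] = \
                diagnose_tunnel(tunnel, static)
    return results


for (vpn_id, ip), (state, advice) in diagnose(SAMPLE).items():
    print(f"{vpn_id} {ip}: {state} - {advice}")
```

Replace SAMPLE with the real command output to run the same triage against your own connection; a "bgp-down" result corresponds to step 7 of the dynamic procedure, and "down" to step 7 of the static one.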

If you continue to experience issues:

  • Verify that the security groups of Amazon Elastic Compute Cloud (Amazon EC2) instances in your VPC allow the traffic you expect from your on-premises network. For more information, see Security Groups for Your VPC.
  • Verify that your local firewall allows the same service in its access control lists (ACLs) and firewall policies.

For more information, see Troubleshooting in the Amazon VPC Network Administrator Guide.
Monitor your VPN tunnel using CloudWatch
You can also use Amazon CloudWatch to check the status of a VPN tunnel, be notified when the status of the tunnel changes, and access metric data over time to help evaluate the tunnel’s stability. For more information, see Monitoring VPN Tunnels Using Amazon CloudWatch.

Related Information

How do I troubleshoot BGP connection issues over VPN?