Amazon Virtual Private Cloud
Network Administrator Guide

Troubleshooting Generic Device Customer Gateway without Border Gateway Protocol Connectivity

The following diagram and table provide general instructions for troubleshooting a customer gateway device that does not use Border Gateway Protocol.

Tip

When troubleshooting problems, you might find it useful to enable the debug features of your gateway device. Consult your gateway device vendor for details.


					Flow chart for troubleshooting generic customer
						gateway

Determine if an IKE Security Association exists.

An IKE security association is required to exchange keys that are used to establish the IPsec Security Association.

If no IKE security association exists, review your IKE configuration settings. You must configure the encryption, authentication, perfect-forward-secrecy, and mode parameters as listed in the customer gateway configuration.

If an IKE security association exists, move on to IPsec.

Determine if an IPsec Security Association exists.

An IPsec security association is the tunnel itself. Query your customer gateway to determine if an IPsec Security Association is active. Proper configuration of the IPsec SA is critical. You must configure the encryption, authentication, perfect-forward-secrecy, and mode parameters as listed in the customer gateway configuration.

If no IPsec Security Association exists, review your IPsec configuration.

If an IPsec Security Association exists, move on to the tunnel.

Confirm the required firewall rules are set up (for a list of the rules, see Configuring a Firewall Between the Internet and Your Customer Gateway). If they are, move forward.

Determine if there is IP connectivity via the tunnel.

Each side of the tunnel has an IP address as specified in the customer gateway configuration. The virtual private gateway's address on the tunnel is the one listed in that configuration as the BGP neighbor address (even though BGP is not used here). From your customer gateway, ping this address to determine if IP traffic is being properly encrypted and decrypted.

If the ping isn't successful, review your tunnel interface configuration to ensure the proper IP address is configured.

If the ping is successful, move on to Routing.

Routing (static routes)

For each tunnel, do the following:

  • Verify that you have added a static route to your VPC CIDR with the tunnel as the next hop.

  • Verify that you have added a static route in the AWS Management Console, so that the virtual private gateway routes traffic back to your internal networks.

If the tunnels are not in this state, review your device configuration.

Ensure both tunnels are in this state, and you're done.
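The checks above are ordered: an IPsec SA cannot exist without an IKE SA, the tunnel cannot pass traffic without an IPsec SA, and routing only matters once the tunnel passes traffic. The following script is an added example, not part of the AWS guide, that applies that order to captured command output so the first failing stage is reported for each tunnel. It assumes a Linux customer gateway running strongSwan (`swanctl --list-sas`) with VTI tunnel interfaces (`ip route show`); the connection names, interface names, inside tunnel addresses, VPC CIDR and ping results are constructed sample values, and the firewall-rule step (whose rules live in the linked section) is not automated.

```python
import ipaddress
import re

# ---- constructed sample input (not captured from a real gateway) ----------
VPC_CIDR = "10.0.0.0/16"  # constructed: CIDR of the VPC behind the virtual private gateway

# Hypothetical per-tunnel values as they would appear in the downloaded customer
# gateway configuration: the VTI interface on the gateway and the virtual
# private gateway's inside tunnel address that the guide says to ping.
TUNNELS = {
    "aws-tunnel-1": {"iface": "vti1", "vgw_inside_ip": "169.254.10.1"},
    "aws-tunnel-2": {"iface": "vti2", "vgw_inside_ip": "169.254.11.1"},
}

# Constructed approximation of `swanctl --list-sas`: tunnel 1 has an IKE SA and an
# installed CHILD (IPsec) SA; tunnel 2 has an IKE SA but no IPsec SA.
SWANCTL_LIST_SAS = """\
aws-tunnel-1: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i 9c8d7e6f5a4b3c2d_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.1' @ 198.51.100.1[4500]
  aws-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    local  0.0.0.0/0
    remote 0.0.0.0/0
aws-tunnel-2: #4, ESTABLISHED, IKEv2, 0f1e2d3c4b5a6978_i 8796a5b4c3d2e1f0_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.2' @ 198.51.100.2[4500]
"""

# Constructed approximation of `ip route show` on the same gateway: one static
# route to the VPC CIDR per tunnel interface, plus the inside tunnel /30s.
IP_ROUTE_SHOW = """\
default via 203.0.113.1 dev eth0
10.0.0.0/16 dev vti1 scope link metric 100
10.0.0.0/16 dev vti2 scope link metric 200
169.254.10.0/30 dev vti1 proto kernel scope link src 169.254.10.2
169.254.11.0/30 dev vti2 proto kernel scope link src 169.254.11.2
"""

# Constructed ping results for each virtual private gateway inside address.
PING_OK = {"169.254.10.1": True, "169.254.11.1": False}

IKE_LINE = re.compile(r"^(\S+): #\d+, (\w+), IKEv\d")          # unindented IKE SA line
CHILD_LINE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+), ")  # indented CHILD SA line


def parse_sas(text):
    """Map connection name -> {"ike": IKE SA state, "child": IPsec SA state or None}."""
    sas, current = {}, None
    for line in text.splitlines():
        m = IKE_LINE.match(line)
        if m:
            current = m.group(1)
            sas[current] = {"ike": m.group(2), "child": None}
            continue
        m = CHILD_LINE.match(line)
        if m and current:
            sas[current]["child"] = m.group(2)
    return sas


def route_ifaces(text, cidr):
    """Return the set of interfaces that carry a route whose destination is exactly cidr."""
    want = ipaddress.ip_network(cidr)
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "default":
            continue
        if ipaddress.ip_network(parts[0]) == want and "dev" in parts:
            found.add(parts[parts.index("dev") + 1])
    return found


def diagnose(conn, sas, route_text, ping_ok, vpc_cidr=VPC_CIDR, tunnels=TUNNELS):
    """Walk the flow chart in order and return (failing_stage, advice) for one tunnel."""
    sa = sas.get(conn, {"ike": None, "child": None})
    if sa["ike"] != "ESTABLISHED":
        return ("ike", "no IKE SA: review IKE encryption, authentication, PFS and mode settings")
    if sa["child"] != "INSTALLED":
        return ("ipsec", "no IPsec SA: review IPsec encryption, authentication, PFS and mode settings")
    vgw_ip = tunnels[conn]["vgw_inside_ip"]
    if not ping_ok.get(vgw_ip, False):
        return ("tunnel", f"ping to {vgw_ip} failed: check the tunnel interface IP addressing")
    iface = tunnels[conn]["iface"]
    if iface not in route_ifaces(route_text, vpc_cidr):
        return ("routing", f"no static route to {vpc_cidr} via {iface}: add it on the gateway")
    return ("ok", "tunnel is healthy on the customer gateway side")


def main():
    sas = parse_sas(SWANCTL_LIST_SAS)
    for conn in TUNNELS:
        stage, advice = diagnose(conn, sas, IP_ROUTE_SHOW, PING_OK)
        print(f"{conn}: [{stage}] {advice}")


if __name__ == "__main__":
    main()
```

With the constructed captures, `aws-tunnel-1` reports `ok` and `aws-tunnel-2` stops at the `ipsec` stage, which is the point of the ordering: the failed ping on tunnel 2 is not reported because it is a consequence of the missing IPsec SA, not a separate fault. Replace the sample strings with real `swanctl --list-sas` and `ip route show` captures, and the ping results with the outcome of pinging each inside tunnel address, to use it on a strongSwan gateway.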


Make sure your virtual private gateway is attached to your VPC. Your integration team does this with the AWS Management Console.

If you have questions or need further assistance, please use the Amazon VPC forum.