Contents of Site-to-Site VPN logs
The following information is included in the Site-to-Site VPN tunnel activity log.
Field | Description |
---|---|
VpnLogCreationTimestamp | Log creation timestamp in human-readable format. |
VpnConnectionId | The VPN connection identifier. |
TunnelOutsideIPAddress | The external IP address of the VPN tunnel that generated the log entry. |
TunnelDPDEnabled | Dead Peer Detection (DPD) enabled status (True/False). |
TunnelCGWNATTDetectionStatus | NAT-T detected on the customer gateway device (True/False). |
TunnelIKEPhase1State | IKE Phase 1 protocol state (Established / Rekeying / Negotiating / Down). |
TunnelIKEPhase2State | IKE Phase 2 protocol state (Established / Rekeying / Negotiating / Down). |
VpnLogDetail | Verbose messages for the IPsec, IKE and DPD protocols. |
IKEv1 Error Messages
Message | Explanation |
---|---|
Peer is not responsive - Declaring peer dead | The peer has not responded to DPD messages; the DPD time-out action is enforced. |
AWS tunnel payload decryption was unsuccessful due to invalid Pre-shared Key | The same pre-shared key must be configured on both IKE peers. |
No Proposal Match Found by AWS | The attributes proposed for Phase 1 (encryption, hashing and DH group) are not supported by the AWS VPN endpoint, e.g. 3DES. |
No Proposal Match Found. Notifying with "No proposal chosen" | The No Proposal Chosen message is exchanged between peers to indicate that matching proposals/policies must be configured for Phase 2 on both IKE peers. |
AWS tunnel received DELETE for Phase 2 SA with SPI: xxxx | The CGW has sent a Delete_SA message for Phase 2. |
AWS tunnel received DELETE for IKE_SA from CGW | The CGW has sent a Delete_SA message for Phase 1. |
IKEv2 Error Messages
Message | Explanation |
---|---|
AWS tunnel DPD timed out after {retry_count} retransmits | The peer has not responded to DPD messages; the DPD time-out action is enforced. |
AWS tunnel received DELETE for IKE_SA from CGW | The peer has sent a Delete_SA message for the parent IKE_SA. |
AWS tunnel received DELETE for Phase 2 SA with SPI: xxxx | The peer has sent a Delete_SA message for the CHILD_SA. |
AWS tunnel detected a (CHILD_REKEY) collision as CHILD_DELETE | The CGW has sent a Delete_SA message for the active SA that is currently being rekeyed. |
AWS tunnel (CHILD_SA) redundant SA is being deleted due to detected collision | If a collision produces redundant SAs, the peers close the redundant SA after comparing the nonce values as specified in the RFC. |
AWS tunnel Phase 2 was unable to establish while keeping Phase 1 | The peer was unable to establish the CHILD_SA because of a negotiation error, e.g. an incorrect proposal. |
AWS: Traffic Selector: TS_UNACCEPTABLE: received from responder | The peer has proposed incorrect traffic selectors (encryption domain). Both peers must be configured with identical and correct CIDRs. |
AWS tunnel is sending AUTHENTICATION_FAILED as the response | The peer could not be authenticated by verifying the contents of its IKE_AUTH message. |
AWS tunnel detected a pre-shared key mismatch with cgw: xxxx | The same pre-shared key must be configured on both IKE peers. |
AWS tunnel Timeout: deleting un-established Phase 1 IKE_SA with cgw: xxxx | The half-open IKE_SA is deleted because the peer has not proceeded with the negotiation. |
No Proposal Match Found. Notifying with "No proposal chosen" | The No Proposal Chosen message is exchanged between peers to indicate that matching proposals must be configured on both IKE peers. |
No Proposal Match Found by AWS | The attributes proposed for Phase 1 (encryption, hashing and DH group) are not supported by the AWS VPN endpoint, e.g. 3DES. |
IKEv2 Negotiation Messages
Message | Explanation |
---|---|
AWS tunnel processed request (id=xxx) for CREATE_CHILD_SA | AWS has received the CREATE_CHILD_SA request from the CGW. |
AWS tunnel is sending response (id=xxx) for CREATE_CHILD_SA | AWS is sending the CREATE_CHILD_SA response to the CGW. |
AWS tunnel is sending request (id=xxx) for CREATE_CHILD_SA | AWS is sending the CREATE_CHILD_SA request to the CGW. |
AWS tunnel processed response (id=xxx) for CREATE_CHILD_SA | AWS has received the CREATE_CHILD_SA response from the CGW. |
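As an added example (not part of the AWS documentation), the classifier below matches the VpnLogDetail text against the message templates in the tables above, pulls out the values that fill the xxxx / {retry_count} placeholders, and flags the records worth reviewing: authentication and proposal failures, DPD and half-open time-outs, and tunnels reporting an IKE phase Down. The record field names are those of the first table; the log records themselves are constructed, and the grouping into alert categories is this example's own choice.

```python
import re
# Templated VpnLogDetail messages from this page; xxxx / {retry_count} become named groups.
PATTERNS = {
    "psk_mismatch": re.compile(r"pre-shared key mismatch with cgw: (?P<cgw>\S+)"),
    "auth_failed": re.compile(r"sending AUTHENTICATION_FAILED"),
    "no_proposal": re.compile(r"No Proposal Match Found"),
    "ts_unacceptable": re.compile(r"TS_UNACCEPTABLE"),
    "dpd_timeout": re.compile(r"DPD timed out after (?P<retries>\d+) retransmits"
                              r"|Declaring peer dead"),
    "half_open": re.compile(r"un-established Phase 1 IKE_SA with cgw: (?P<cgw>\S+)"),
    "child_sa_delete": re.compile(r"DELETE for Phase 2 SA with SPI: (?P<spi>\S+)"),
    "ike_sa_delete": re.compile(r"DELETE for IKE_SA from CGW"),
}
# Categories pointing at misconfiguration or a peer that cannot authenticate; SA deletes are
# routine rekey/teardown events and are classified for context only.
ALERT = {"psk_mismatch", "auth_failed", "no_proposal", "ts_unacceptable", "dpd_timeout", "half_open"}

def classify(detail):
    """Map one VpnLogDetail string to (category, extracted fields), or None."""
    for name, rx in PATTERNS.items():
        m = rx.search(detail)
        if m:
            return name, {k: v for k, v in m.groupdict().items() if v}
    return None

def triage(records):
    """Flag alert-category messages, and otherwise any tunnel with an IKE phase Down."""
    findings = []
    for r in records:
        base = {"ts": r["VpnLogCreationTimestamp"], "tunnel": r["TunnelOutsideIPAddress"]}
        hit = classify(r.get("VpnLogDetail", ""))
        if hit and hit[0] in ALERT:
            findings.append({**base, "category": hit[0], **hit[1]})
        elif "Down" in (r.get("TunnelIKEPhase1State"), r.get("TunnelIKEPhase2State")):
            findings.append({**base, "category": "tunnel_down"})
    return findings

def _rec(ts, ip, p1, p2, detail):  # constructed sample record using the page's field names
    return {"VpnLogCreationTimestamp": ts, "TunnelOutsideIPAddress": ip,
            "TunnelIKEPhase1State": p1, "TunnelIKEPhase2State": p2, "VpnLogDetail": detail}

SAMPLE = [  # constructed log records, not captured output
    _rec("2024-01-01T10:00:00Z", "203.0.113.10", "Negotiating", "Down",
         "AWS tunnel detected a pre-shared key mismatch with cgw: 198.51.100.7"),
    _rec("2024-01-01T10:01:00Z", "203.0.113.11", "Established", "Established",
         "AWS tunnel processed request (id=42) for CREATE_CHILD_SA"),
    _rec("2024-01-01T10:02:00Z", "203.0.113.11", "Down", "Down",
         "AWS tunnel DPD timed out after 5 retransmits"),
    _rec("2024-01-01T10:03:00Z", "203.0.113.10", "Down", "Down",
         "AWS tunnel received DELETE for IKE_SA from CGW"),
]
```

Running `triage(SAMPLE)` yields three findings: the pre-shared key mismatch (with the CGW address extracted), the DPD time-out (with the retransmit count), and a tunnel_down entry for the routine IKE_SA delete that left both phases Down; the CREATE_CHILD_SA negotiation message on a healthy tunnel produces nothing.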