We recently helped one of our clients fix a frustrating issue with their site-to-site VPN connection. They had it set up with one of their partners, and while traffic to the IP address 192.168.100.21 always worked perfectly,

Digging into the Logs

We started by checking the VPN logs and noticed that the client's device was negotiating multiple Security Associations (SAs) on its end, one per traffic selector (encryption domain):

  • Traffic Selector 10.0.0.0/24 === 192.168.100.20/32 >> Security Association 1
  • Traffic Selector 10.0.0.0/24 === 192.168.100.21/32 >> Security Association 2

Root Cause

AWS Site-to-Site VPN, whether it terminates on a Virtual Private Gateway (VGW) or a Transit Gateway (TGW), supports only one pair of Security Associations (one inbound, one outbound) per tunnel. A policy-based VPN device on your end negotiates one SA pair for every traffic selector pair it is configured with, so two encryption domains mean two SA pairs offered for the same tunnel. AWS keeps only one of them, and traffic matching the other selector fails or becomes intermittent, which is exactly the behaviour the client was seeing.

Solution

To resolve this issue, the on-premises device configuration was changed to summarize the encryption domains into a single CIDR block. The two host addresses 192.168.100.20/32 and 192.168.100.21/32 are adjacent and aligned on an even boundary, so they summarize exactly into 192.168.100.20/31 without pulling in any additional address:

  CIDR range:     192.168.100.20/31
  Netmask:        255.255.255.254
  Wildcard bits:  0.0.0.1
  First IP:       192.168.100.20
  Last IP:        192.168.100.21
  Total hosts:    2

With a single selector pair on the customer gateway side, only one SA pair is negotiated for the tunnel, as shown below:

  • Traffic Selector 10.0.0.0/24 === 192.168.100.20/31

By summarizing the two addresses into a single subnet, we ensured that the VPN tunnel uses one SA pair for both hosts, which resolved the connectivity issue.

If you are experiencing similar issues with your site-to-site VPN configuration, review the SAs your device is negotiating and summarize your encryption domains so that only one selector pair (and therefore one SA pair) exists per tunnel. Check first that the summary prefix does not cover addresses that should not be reachable over the VPN; if the hosts are not adjacent or aligned, a summary will overreach, and the cleaner option is a route-based VPN (a VTI with a single any/any selector), which avoids the multiple-SA problem entirely.


Technical Steps for Configuration Change

  1. Identify the IP addresses experiencing intermittent connectivity:
    • 192.168.100.20/32
    • 192.168.100.21/32
  2. Summarize the IP addresses into a single CIDR block:
    • Summarize 192.168.100.20/32 and 192.168.100.21/32 into 192.168.100.20/31.
  3. Update the on-premises device configuration to use the summarized CIDR block:
    • New Traffic Selector: 10.0.0.0/24 === 192.168.100.20/31
  4. Validate the configuration:
    • Ensure that the new configuration is correctly applied and test the connectivity to both IP addresses to confirm the issue is resolved.
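The summarization step above is easy to get wrong when the hosts are not as conveniently placed as .20 and .21. The following is an added example (not from the original post or the client's device configuration) that checks the encryption domains before touching the device: it collapses host prefixes into the fewest exact blocks, computes the smallest single covering prefix and how many extra addresses it would admit, and counts the SA pairs a policy-based device would negotiate from the local/remote selector lists. The address values are the ones from the post; the 192.168.100.21/.22 case is a constructed counter-example.

```python
import ipaddress
from itertools import product


def collapse_domain(prefixes):
    """Collapse CIDR strings into the fewest non-overlapping exact blocks.

    Adjacent, aligned blocks merge (192.168.100.20/32 + .21/32 -> .20/31);
    blocks that cannot merge without admitting extra addresses stay separate.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_supernet(prefixes):
    """Smallest single prefix containing every input block.

    Returns (prefix, overreach) where overreach is the number of addresses the
    summary admits that were not in the inputs; 0 means the summary is exact.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    net = ipaddress.ip_network(f"{lo}/{nets[0].max_prefixlen}")
    # Widen one bit at a time until the block spans lo..hi.
    while hi not in net:
        net = net.supernet()
    wanted = sum(n.num_addresses for n in nets)
    return str(net), net.num_addresses - wanted


def sa_pairs(local, remote):
    """Selector pairs a policy-based IPsec device negotiates one SA pair for.

    AWS accepts a single SA pair per tunnel, so anything beyond one entry
    here is the condition described in the post.
    """
    return [(l, r) for l, r in product(local, remote)]


def plan(local, remote):
    """Report the before/after SA pair count for a proposed summarization.

    Summarization is applied to the remote (on-premises) side only, which is
    where the post's fix was made; overreach is reported so the operator can
    decide whether the summary is acceptable.
    """
    before = len(sa_pairs(local, remote))
    summary, overreach = covering_supernet(remote)
    after = len(sa_pairs(local, [summary]))
    return {"before": before, "after": after,
            "summary": summary, "overreach": overreach}


if __name__ == "__main__":
    # Values from the post: exact /31 summary, 2 SA pairs down to 1.
    print(plan(["10.0.0.0/24"], ["192.168.100.20/32", "192.168.100.21/32"]))
    # Constructed counter-example: .21 and .22 straddle a /31 boundary, so the
    # smallest summary is a /30 that also covers .20 and .23 (overreach 2).
    print(plan(["10.0.0.0/24"], ["192.168.100.21/32", "192.168.100.22/32"]))
```

Run it before editing the device: an `overreach` of 0 means the summary is exactly the original encryption domain; anything larger means the VPN would carry traffic for addresses you did not intend, and a route-based tunnel may be the better fix.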

Remember: keeping each tunnel to a single traffic selector pair, by summarizing adjacent addresses where the summary is exact, removes the multiple-SA conflict and gives you a more stable VPN connection.

About

With more than 20 years of experience in the technology sector, Mario has dedicated the last decade to offering consultancy, support, and strategic guidance to clients across various cloud platforms.

Disclaimer: The information shared on this blog is for informational purposes only and should not be considered as professional advice. The opinions presented here are personal and independent of any affiliations with tech companies or organizations.