VPN Tunnel Troubleshooting
What to look for when you're experiencing issues with your AWS-Orka VPN tunnel and how to perform basic troubleshooting.
Errors during the Cisco ASAv configuration
- Sometimes, the command line interface might return errors about the crypto isakmp policy block of commands.
  Workaround: Ignore the errors. They do not affect the configuration.
- The command line interface returns ERROR: unable to find interface “outside”.
  Workaround: The command line interface can be case-sensitive, so you need to preserve the capitalization of the network configuration as provided in the IP Plan.
  1. Clean up the firewall configuration.
  2. Rename outside in your configuration file to Outside.
  3. Re-run the complete configuration in Cisco ASDM-IDM.
The tunnel is UP but there's no traffic between AWS and Orka
If Amazon shows that one tunnel is UP but there's no traffic between AWS and your Orka cluster, it might be because of some common mistakes when preparing the configuration file. Check for the following:
AWS checks
All checks in this section are performed in the AWS Management Console.
Verify that your virtual private gateway is attached to the VPC.
- Log in to your AWS Management Console and access your VPC service. In the top right corner of the screen, make sure that you're working in the correct region.
- In the VPC service sidebar, locate the Virtual Private Network menu and select Virtual Private Gateways.
- On the Virtual Private Gateways dashboard, check the status of the virtual private gateway used in your tunnel.
- If the virtual private gateway is detached, right-click it and select Attach to VPC.
Verify that the route tables for the Amazon Virtual Private Cloud (Amazon VPC) propagate traffic for the virtual private gateway you're using.
- Log in to your AWS Management Console and access your VPC service. In the top right corner of the screen, make sure that you're working in the correct region.
- In the VPC service sidebar, locate the Virtual Private Cloud menu and select Route Tables.
- In the list of routing tables, select the main table.
- At the bottom of the screen, select Route Propagation and make sure that the propagation is enabled. If your virtual private gateway is not listed, make sure that it's attached to the VPC.
- If propagation is disabled, click Edit route propagation.
- Select the Propagate checkbox and click Save.
Cisco ASAv checks
All checks in this section are performed against the VPN configuration file.
Verify that you've replaced <local_subnet> and <local_subnet_mask> with the correct values for the Private-1 network from the IP Plan.
Verify that you've configured the NAT exemption rule properly.
- The host and subnet mask required for obj-SrcNet are the host and mask for the Private-1 network from the IP Plan.
- The host and subnet mask required for obj-amzn are the host and mask for your Amazon VPC. You can find this information by logging into your AWS Management Console, navigating to your VPC dashboard, selecting your VPC, and checking the Description at the bottom of the screen. You need to convert the subnet mask bit notation to the correct subnet mask (e.g., the /16 notation converts to a 255.255.0.0 subnet mask).
- The values in the brackets after nat must be (Private-1,Outside).
To resolve any of the listed common problems with the Cisco ASAv configuration, complete the following steps:
- Clean up the firewall configuration.
- Make the necessary changes to the configuration file.
- Re-run the complete configuration in Cisco ASDM-IDM.
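The three NAT-exemption checks above can be run mechanically against the configuration file before you re-apply it. The following is an added example, not code from Orka or from this guide; the configuration lines, the Private-1 network 10.221.188.0/24 and the VPC CIDR 172.31.0.0/16 are constructed sample values, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample of the ASAv lines the checks above refer to (not a real customer config).
SAMPLE_CONFIG = """\
object network obj-SrcNet
 subnet 10.221.188.0 255.255.255.0
object network obj-amzn
 subnet 172.31.0.0 255.255.0.0
nat (Private-1,Outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
"""

def prefix_to_mask(cidr):
    """Convert AWS bit notation (e.g. 172.31.0.0/16) to the dotted mask the ASA expects (255.255.0.0)."""
    return str(ipaddress.IPv4Network(cidr, strict=False).netmask)

def parse_network_objects(config):
    """Return {object name: (network, mask)} for every 'object network ... subnet' block."""
    objects, current = {}, None
    for line in config.splitlines():
        obj = re.match(r"object network (\S+)", line)
        if obj:
            current = obj.group(1)
            continue
        sub = re.match(r"\s+subnet (\S+) (\S+)", line)
        if sub and current:
            objects[current] = (sub.group(1), sub.group(2))
    return objects

def check_nat_exemption(config, private1_cidr, vpc_cidr):
    """Return a list of problems; an empty list means the three NAT-exemption checks pass.

    private1_cidr: Private-1 network from the IP Plan; vpc_cidr: the VPC CIDR shown in the AWS console.
    """
    problems = []
    objects = parse_network_objects(config)
    for name, cidr in (("obj-SrcNet", private1_cidr), ("obj-amzn", vpc_cidr)):
        net = ipaddress.IPv4Network(cidr, strict=False)
        want = (str(net.network_address), str(net.netmask))
        if objects.get(name) != want:
            problems.append(f"{name}: expected subnet {want}, found {objects.get(name)}")
    nat = re.search(r"^nat \(([^,]+),([^)]+)\)", config, re.M)
    if nat is None:
        problems.append("no nat rule found")
    elif (nat.group(1), nat.group(2)) != ("Private-1", "Outside"):  # interface names are case-sensitive
        problems.append(f"nat interfaces must be (Private-1,Outside), found ({nat.group(1)},{nat.group(2)})")
    return problems
```

Feed it the object and nat lines from your own configuration file together with the real Private-1 network and VPC CIDR; a lowercase outside in the nat rule or a mask still in bit notation is reported before you spend another cycle on ASDM-IDM.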
There's traffic between AWS and Orka but you cannot access the Orka VM from AWS
Sometimes, you might be able to establish an SSH connection from an Orka VM to a VM in AWS but you might not be able to see or access the Orka VM from AWS.
This might be because SSH (Remote Login) is not enabled within the Orka VM.
Verify that SSH is enabled for the Orka VM.
There's traffic from AWS to Orka but you cannot access AWS from Orka
Sometimes, you might be able to establish an SSH connection from AWS to an Orka VM but you might not be able to see or access AWS from an Orka VM.
This might be due to AWS being configured to stop inbound traffic.
For information about how to enable inbound traffic, see Amazon VPC Documentation: Security Groups for Your VPC and Amazon VPC Documentation: Network ACLs.
Troubleshooting
Cleaning up the ASAv configuration
Sometimes, you might need to clean up the Cisco ASAv configuration and start over.
- Verify that you are connected via VPN to your Orka cluster.
- Run Cisco ASDM-IDM and log in to the firewall.
- In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface....
- Select Single Line.
- Run the following commands one by one, clicking Send in between. Replace the placeholders with their respective values. Use Table 1: Placeholders for reference.
clear configure tunnel-group <tunnel_1>
clear configure tunnel-group <tunnel_2>
clear configure group-policy <policy_name>
clear configure crypto map <map_name>
clear configure access-list <outside_access_in>
clear configure access-list amzn-filter
clear configure access-list acl-amzn
clear configure crypto ipsec transform-set transform-amzn
clear configure sla monitor 1
no nat (Private-1,Outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
no object network obj-SrcNet
no object network obj-amzn
Table 1: Placeholders
Placeholder | Value | Description |
---|---|---|
<tunnel_1> | (Sample) 192.168.0.0 | The IP of the tunnel, configured with the first set of tunnel-group commands in the Amazon configuration file. |
<tunnel_2> | (Sample) 192.168.0.2 | The IP of the tunnel, configured with the second set of tunnel-group commands in the Amazon configuration file. |
<policy_name> | By default: filter | The name of the policy configured with the group-policy commands in the Amazon configuration file. |
<map_name> | By default: amzn_vpn_map | The name of the crypto map configured with the crypto map commands in the Amazon configuration file. |
<outside_access_in> | By default: outside_access_in | The unique name of the access control list created with the configuration file in the Amazon configuration file. |
More troubleshooting by Amazon
Amazon VPC Documentation: Troubleshooting Cisco ASA Customer Gateway Connectivity.
More troubleshooting by Cisco