VPN Tunnel Troubleshooting

🚧

Quick navigation

You are here in the workflow: AWS-Orka Connections | 1. AWS Side of the VPN Tunnel | 2. VPN Tunnel Configuration File | 3. Orka Side of the VPN Tunnel | 4. Verifying the VPN Tunnel | VPN Tunnel Troubleshooting

---

On this page, jump to: Errors during the Cisco ASAv configuration | The tunnel is UP but there's no traffic between AWS and Orka | There's traffic between AWS and Orka but you cannot access the Orka VM from AWS | There's traffic from AWS to Orka but you cannot access AWS from Orka | Troubleshooting

Errors during the Cisco ASAv configuration

• Sometimes, the command line interface might return errors about the crypto isakmp policy block of commands.
  Workaround: Ignore the errors. They do not affect the configuration.

• The command line interface returns ERROR: unable to find interface “outside”.
  Workaround: Sometimes, the command line interface is case-sensitive and you need to preserve the capitalization of the network configuration as proivded in the IP Plan.
  1. Clean up the firewall configuration.
  2. Rename outside in your configuration file to Outside.
  3. Re-run the complete configuration in Cisco ASDM-IDM.

The tunnel is UP but there's no traffic between AWS and Orka

If Amazon shows that one tunnel is UP but there's no traffic between AWS and your Orka cluster, it might be because of some common mistakes when preparing the configuration file. Check for the following:

AWS checks

All checks in this section are performed in the AWS Management Console.

Verify that your virtual private gateway is attached to the VPC.

1. Log in to your AWS Management Console and access your VPC service. In the top right corner of the screen, make sure that you're working in the correct region.
2. In the VPC service sidebar, locate the Virtual Private Network menu and select Virtual Private Gateways.

3. On the Virtual Private Gаteways dashboard, check the status of the virtual private gateway used in your tunnel.
4. If the virtual private gateway is detached, right-click it and select Attach to VPC.

Verify that the route tables for the Amazon Virtual Private Cloud (Amazon VPC) propagate traffic for the virtual private gateway you're using.

1. Log in to your AWS Management Console and access your VPC service. In the top right corner of the screen, make sure that you're working in the correct region.
2. In the VPC service sidebar, locate the Virtual Private Cloud menu and select Route Tables.

3. In the list of routing tables, select the main table.
   1. At the bottom of the screen, select Route Propagation and make sure that the propagation is enabled. If your virtual private gateway is not listed, make sure that it's attached to the VPC.
   2. If propagation is disabled, click Edit route propagation.
   3. Select the Propagate checkbox and click Save.

Cisco ASAv checks

All checks in this section are performed against the VPN configuration file.

Verify that you've replaced <local_subnet> and <local_subnet_mask> with the correct values for the Private-1 network from the IP Plan.

Verify that you've configured the NAT exemption rule properly.

• The host and subnet mask required for obj-SrcNet are the host and mask for the Private-1 network from the IP Plan.
• The host and subnet mask required for obj-amzn are the host and mask for your Amazon VPC. You can find this information by logging into your AWS Management Console, navigating to your VPC dashboard, selecting your VPC, and checking the Description at the bottom of the screen. You need to convert the subnet mask bit notation to the correct subnet mask (e.g., the /16 notation converts to a 255.255.0.0 subnet mask).
• The values in the brackets after nat must be (Private-1,Outside).

To resolve any of the listed common problems with the Cisco ASAv configuration, complete the following steps:

1. Clean up the firewall configuration.
2. Make the necessary changes to the configuration file.
3. Re-run the complete configuration in Cisco ASDM-IDM.

There's traffic between AWS and Orka but you cannot access the Orka VM from AWS

Sometimes, you might be able to establish an SSH connection from an Orka VM to a VM in AWS but you might not be able to see or access the Orka VM from AWS.

This might be because SSH (Remote Login) is not enabled within the Orka VM.
Verify that SSH is enabled for the Orka VM.

There's traffic from AWS to Orka but you cannot access AWS from Orka

Sometimes, you might be able to establish an SSH connection from AWS to an Orka VM but you might not be able to see or access AWS from an Orka VM.

This might be due to AWS being configured to stop inbound traffic.
For information about how to enable inbound traffic, see Amazon VPC Documentation: Security Groups for Your VPC and Amazon VPC Documentation: Network ACLs.

Troubleshooting

Cleaning up the ASAv configuration

Sometimes, you might need to clean up the Cisco ASAv configuration and start over.

1. Verify that you are connected via VPN to your Orka cluster.
2. Run Cisco ASDM-IDM and log in to the firewall.
3. In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface....

4. Select Single Line.
5. Run the following commands one by one, clicking Send in between. Replace the placeholders with their respective values. Use Table 1: Placeholders for reference.

clear configure tunnel-group <tunnel_1>
clear configure tunnel-group <tunnel_2>
clear configure group-policy <policy_name>
clear configure crypto map <map_name>
clear configure access-list <outside_access_in>
clear configure access-list amzn-filter
clear configure access-list acl-amzn
clear configure crypto ipsec transform-set transform-amzn
clear configure sla monitor 1
no nat (Private-1,Outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
no object network obj-SrcNet
no object network obj-amzn

Table 1: Placeholders

More troubleshooting by Amazon

Amazon VPC Documentation: Troubleshooting Cisco ASA Customer Gateway Connectivity.

More troubleshooting by Cisco

Cisco Documentation: IPsec Troubleshooting.