VPN Tunnel Troubleshooting

What to look for when you're experiencing issues with your AWS-Orka VPN tunnel and how to perform basic troubleshooting.


Errors during the Cisco ASAv configuration

The tunnel is UP but there's no traffic between AWS and Orka

If the AWS console shows that a tunnel is UP but there's no traffic between AWS and your Orka cluster, the cause is usually one of a few common mistakes made when preparing the configuration file. Check for the following:

AWS checks

All checks in this section are performed in the AWS Management Console.

Verify that your virtual private gateway is attached to the VPC.

  1. Log in to your AWS Management Console and access your VPC service. In the top right corner of the screen, make sure that you're working in the correct region.
  2. In the VPC service sidebar, locate the Virtual Private Network menu and select Virtual Private Gateways.
  3. On the Virtual Private Gateways dashboard, check the status of the virtual private gateway used in your tunnel.
  4. If the virtual private gateway is detached, right-click it and select Attach to VPC.

Verify that the route tables for the Amazon Virtual Private Cloud (Amazon VPC) propagate traffic for the virtual private gateway you're using.

  1. Log in to your AWS Management Console and access your VPC service. In the top right corner of the screen, make sure that you're working in the correct region.
  2. In the VPC service sidebar, locate the Virtual Private Cloud menu and select Route Tables.
  3. In the list of route tables, select the main table.
    1. At the bottom of the screen, select Route Propagation and make sure that propagation is enabled. If your virtual private gateway is not listed, make sure that it's attached to the VPC.
    2. If propagation is disabled, click Edit route propagation.
    3. Select the Propagate checkbox and click Save.

Cisco ASAv checks

All checks in this section are performed against the VPN configuration file.

Verify that you've replaced <local_subnet> and <local_subnet_mask> with the correct values for the Private-1 network from the IP Plan.

Verify that you've configured the NAT exemption rule properly.

  • The host and subnet mask required for obj-SrcNet are the host and mask for the Private-1 network from the IP Plan.
  • The host and subnet mask required for obj-amzn are the host and mask for your Amazon VPC. You can find this information by logging in to your AWS Management Console, navigating to your VPC dashboard, selecting your VPC, and checking the Description at the bottom of the screen. Convert the prefix-length (bit) notation shown there to a dotted-decimal subnet mask (e.g., /16 converts to a 255.255.0.0 subnet mask).
  • The values in the parentheses after nat must be (Private-1,Outside).
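The three checks above can be run mechanically against the configuration file before it is pushed to the firewall. The following script is an added example, not MacStadium's or Cisco's code: it converts prefix-length CIDRs to the host/mask pairs the objects need, parses the object network blocks, and reports leftover placeholders, a mis-converted mask, a wrong interface pair after nat, and overlapping subnets. The Private-1 and VPC CIDRs and both sample configuration fragments are constructed for illustration; only the object names and the nat rule shape come from this page.

```python
import ipaddress
import re

# Added example (not MacStadium's or Cisco's code): lint an Amazon-generated
# ASAv configuration for the mistakes listed above and compute the host/mask
# pairs the NAT exemption objects must carry. CIDRs below are constructed.

PRIVATE1_CIDR = "10.221.188.0/24"   # constructed: Private-1 network from the IP Plan
VPC_CIDR = "172.31.0.0/16"          # constructed: Amazon VPC CIDR from the VPC Description

PLACEHOLDER = re.compile(r"<[A-Za-z_][A-Za-z0-9_]*>")


def cidr_to_host_mask(cidr):
    """Convert prefix notation (e.g. 172.31.0.0/16) to (host, dotted mask)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.netmask)


def expected_object_subnets(private1_cidr, vpc_cidr):
    """Map each NAT exemption object to the 'subnet' line it should contain."""
    src_host, src_mask = cidr_to_host_mask(private1_cidr)
    amzn_host, amzn_mask = cidr_to_host_mask(vpc_cidr)
    return {
        "obj-SrcNet": f"subnet {src_host} {src_mask}",
        "obj-amzn": f"subnet {amzn_host} {amzn_mask}",
    }


def parse_object_subnets(text):
    """Return {object name: its 'subnet ...' line} from 'object network' blocks."""
    subnets, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("object network "):
            current = s.split()[2]
        elif s.startswith("subnet ") and current is not None:
            subnets[current] = s
    return subnets


def lint_config(text, private1_cidr, vpc_cidr):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []

    # 1. Placeholders such as <local_subnet> that were never replaced.
    for m in PLACEHOLDER.finditer(text):
        findings.append(f"unreplaced placeholder {m.group(0)}")

    # 2. Overlapping subnets make the exemption ambiguous.
    p1 = ipaddress.ip_network(private1_cidr, strict=False)
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    if p1.overlaps(vpc):
        findings.append(f"Private-1 {p1} overlaps the VPC CIDR {vpc}")

    # 3. The nat rule must name the (Private-1,Outside) interface pair.
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("nat ") and "(Private-1,Outside)" not in s:
            findings.append(f"nat rule uses the wrong interface pair: {s}")

    # 4. Each object's subnet must match the IP Plan / VPC values.
    found = parse_object_subnets(text)
    for name, want in expected_object_subnets(private1_cidr, vpc_cidr).items():
        got = found.get(name)
        if got != want:
            findings.append(f"{name}: expected '{want}', found '{got}'")
    return findings


# Constructed sample: placeholders left in place, /16 converted to the wrong
# mask, and the wrong interface pair after nat.
SAMPLE_BAD = """\
object network obj-SrcNet
 subnet <local_subnet> <local_subnet_mask>
object network obj-amzn
 subnet 172.31.0.0 255.255.255.0
nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
"""

# Constructed sample with the three mistakes corrected.
SAMPLE_GOOD = """\
object network obj-SrcNet
 subnet 10.221.188.0 255.255.255.0
object network obj-amzn
 subnet 172.31.0.0 255.255.0.0
nat (Private-1,Outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
"""

if __name__ == "__main__":
    for label, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(f"{label}: {lint_config(cfg, PRIVATE1_CIDR, VPC_CIDR) or 'no findings'}")
```

Run it against the real file by reading the configuration into `text` and passing your own Private-1 and VPC CIDRs; a non-empty result points at exactly which of the listed mistakes is present, so the fix can be made before cleaning up the firewall and re-running the configuration.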

To resolve any of the listed common problems with the Cisco ASAv configuration, complete the following steps:

  1. Clean up the firewall configuration.
  2. Make the necessary changes to the configuration file.
  3. Re-run the complete configuration in Cisco ASDM-IDM.

There's traffic between AWS and Orka but you cannot access the Orka VM from AWS

Sometimes, you might be able to establish an SSH connection from an Orka VM to a VM in AWS but you might not be able to see or access the Orka VM from AWS.

This might be because SSH (Remote Login) is not enabled within the Orka VM.
Verify that SSH is enabled for the Orka VM.

There's traffic from AWS to Orka but you cannot access AWS from Orka

Sometimes, you might be able to establish an SSH connection from AWS to an Orka VM but you might not be able to see or access AWS from an Orka VM.

This might be because the security group or network ACL on the AWS side is configured to block inbound traffic.
For information about how to allow inbound traffic, see Amazon VPC Documentation: Security Groups for Your VPC and Amazon VPC Documentation: Network ACLs.

Troubleshooting

Cleaning up the ASAv configuration

Sometimes, you might need to clean up the Cisco ASAv configuration and start over.

  1. Verify that you are connected via VPN to your Orka cluster.
  2. Run Cisco ASDM-IDM and log in to the firewall.
  3. In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface....
  4. Select Single Line.
  5. Run the following commands one by one, clicking Send in between. Replace the placeholders with their respective values. Use Table 1: Placeholders for reference.
clear configure tunnel-group <tunnel_1>
clear configure tunnel-group <tunnel_2>
clear configure group-policy <policy_name>
clear configure crypto map <map_name>
clear configure access-list <outside_access_in>
clear configure access-list amzn-filter
clear configure access-list acl-amzn
clear configure crypto ipsec transform-set transform-amzn
clear configure sla monitor 1
no nat (Private-1,Outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
no object network obj-SrcNet
no object network obj-amzn

Table 1: Placeholders

Placeholder         | Value                        | Description
<tunnel_1>          | (Sample) 192.168.0.0         | The IP of the tunnel, configured with the first set of tunnel-group commands in the Amazon configuration file.
<tunnel_2>          | (Sample) 192.168.0.2         | The IP of the tunnel, configured with the second set of tunnel-group commands in the Amazon configuration file.
<policy_name>       | By default: filter           | The name of the policy configured with the group-policy commands in the Amazon configuration file.
<map_name>          | By default: amzn_vpn_map     | The name of the crypto map configured with the crypto map commands in the Amazon configuration file.
<outside_access_in> | By default: outside_access_in | The unique name of the access control list created by the Amazon configuration file.

More troubleshooting by Amazon

Amazon VPC Documentation: Troubleshooting Cisco ASA Customer Gateway Connectivity.

More troubleshooting by Cisco

Cisco Documentation: IPsec Troubleshooting.


© 2019-2023 Copyright MacStadium, Inc. – Documentation built with readme.com. Orka is a registered trademark of MacStadium, Inc.