Sunday, September 23, 2018

Configuring AWS VPN with Cisco ASA

I recently configured an Amazon AWS VPN connection with a Cisco ASA 5500 series firewall. The documentation provided by Amazon is correct, and the downloaded configuration for the ASA is also good. However, Amazon's troubleshooting information is useless: it only restates general rules that experienced network admins are already fully aware of.

Below are the catches that got me stumped for some time.
  • There are no logs on either side of the VPN, which makes it difficult to troubleshoot when it is not working.
  • The local subnets on both the AWS VPC and the office network must be fully operational, including routing and firewall, before the VPN connection comes up.
  • The VPN only truly comes up after it sees a round-trip packet: one initiated from the office internal subnet behind the ASA (or from the internal network interface on the ASA) and SUCCESSFULLY returned from the VPC subnet.
  • Pinging from the ASA toward the VPC without specifying the originating port (source interface) has no effect. Pinging from the VPC toward the office network has no effect either. The Amazon-provided ASA configuration file contains an SLA monitor that has the ASA ping the VPC every 5 seconds to keep the connection up. When troubleshooting, however, it is better to use a host on the office internal network to ping the IP of a live instance in the AWS VPC. AWS's local gateway (x.x.0.1) and DNS (x.x.0.2) do not respond to pings from remote subnets, so do not ping them to bring up the VPN.
  • Disable the Public network firewall in Windows on the AWS VPC instance so that it responds to pings.
  • Check the connection status on the ASA using the commands show crypto isakmp sa and show crypto ipsec sa. They show no SA when the VPN is not up, even when all configuration is correct; it just needs a ping. The Connection Status on the AWS VPN Connection lags by several minutes before it shows the correct status.
  • Use show access-list to see the hit counts of both the VPN mapped access list and the VPN filter access list; this helps determine how far the packets have reached.
  • Don't forget to add the route outside rules and the no-NAT inside rules (NAT exemption).
  • VPN traffic access control should be done using the group policy filter access list, not through the mapped VPN access list.
  • The syntax of the group policy filter access list is different from a regular access list: the remote subnet is always written as the source. For example, to allow the local subnet to SSH to the remote subnet, the command is access-list acl_amzn-vpn-filter extended permit tcp [remote_subnet] [remote_mask] eq ssh [local_subnet] [local_mask], with the port on the remote side. The rule syntax for inbound traffic is the same as a regular command, like this: access-list acl_amzn-vpn-filter extended permit tcp [remote_subnet] [remote_mask] [local_subnet] [local_mask] eq ssh. Some documentation says the outbound rule is implicitly added when inbound is permitted. It is not the case for me.
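
Putting the points above together, here is an added ASA configuration fragment (my example, not from the post or from Amazon's generated file). All addresses are constructed: office LAN 192.168.10.0/24 behind the inside interface, VPC 10.0.0.0/16 with a live test instance at 10.0.1.10, ISP next hop 203.0.113.1; the tunnel-group name is a placeholder for the AWS tunnel endpoint IP.

```cisco
! Added example with constructed addresses; not the post's or AWS's own configuration.
! vpn-filter ACLs are written with the REMOTE (VPC) side as the source in BOTH
! directions, so a port match for office-initiated traffic sits on the remote side.

! Office -> VPC SSH (office client to VPC port 22): port on the remote/source side
access-list acl_amzn-vpn-filter extended permit tcp 10.0.0.0 255.255.0.0 eq ssh 192.168.10.0 255.255.255.0
! VPC -> office SSH (inbound to office port 22): regular syntax, port on the local side
access-list acl_amzn-vpn-filter extended permit tcp 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0 eq ssh
! ICMP so the troubleshooting ping from an office host (and the SLA monitor) pass the filter
access-list acl_amzn-vpn-filter extended permit icmp 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0

! Attach the filter through the group policy, not through the crypto-map ACL
group-policy gp_amzn-vpn internal
group-policy gp_amzn-vpn attributes
 vpn-filter value acl_amzn-vpn-filter
tunnel-group <AWS_TUNNEL_OUTSIDE_IP> general-attributes
 default-group-policy gp_amzn-vpn

! Route the VPC prefix out the outside interface and exempt it from NAT (ASA 8.3+ syntax)
route outside 10.0.0.0 255.255.0.0 203.0.113.1
object network obj-office-lan
 subnet 192.168.10.0 255.255.255.0
object network obj-aws-vpc
 subnet 10.0.0.0 255.255.0.0
nat (inside,outside) source static obj-office-lan obj-office-lan destination static obj-aws-vpc obj-aws-vpc no-proxy-arp route-lookup

! Keep-alive ping toward a live instance; the x.x.0.1 gateway and x.x.0.2 DNS do not answer
sla monitor 1
 type echo protocol ipIcmpEcho 10.0.1.10 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now

! Troubleshooting checks (exec mode). A ping sourced from the inside interface
! counts as the round trip that brings the tunnel up; an unsourced ping does not.
! ping inside 10.0.1.10
! show crypto isakmp sa
! show crypto ipsec sa
! show access-list acl_amzn-vpn-filter
```

If the filter hit counts rise but the crypto-map ACL hit counts do not, the packet is being dropped before it reaches the tunnel (routing or NAT); the reverse pattern points at the filter rules.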