Why are my IPSec tunnels down even though the configuration was correct and was not changed?
If no traffic is sent through the IPSec , the tunnels will go down. They will go up as soon as traffic coming from the customer's application server comes through. AWS documentation states: "The VPN tunnel comes up when traffic is generated from your side of the VPN connection. The AWS endpoint is not the initiator; your customer gateway device must initiate the tunnels. "
To keep the tunnel up and running, two solutions are available:
- customers are advised to setup a ping from their servers to their endpoints or
- to use IKEv2 and to enable DPD and configure it to overcome inactivity intervals of at least 3 minutes.
If the VPN tunnel goes down because of a network failure, the IPsec connection must be re-initiated from the customer side. AWS does not initiate IPsec connections. It only operates in passive mode.
The traffic sent from my endpoints does not arrive on my server. Why?
Check where your endpoints are sending the traffic to. If you are using a hostname to address your application servers make sure it resolves to a private IP reachable through CloudConnect.
The traffic I receive on my server does not come from my EMnify endpoint IPs. Why?
When configuring the IPSec, make sure all traffic coming from the ranges 100.64.0.0/10, 10.192.0.0/12, 10.4.0.0/14 are allowed. These are our advertising IP and traffic might come from any of them. If you cannot accept traffic from all the ranges, you can de-aggregate the advertised IP with the feature BGP conditional route injection if you have chosen a dynamic VPN configuration. In this case, you need to update your configuration each time a new /22 IP range is assigned to your account."
Why do my newly configured endpoints don't send data through my CloudConnect?
- Each time a new IP address range is added to your account to create new endpoints, the range needs to be configured on our firewall. Please open a ticket to email@example.com to request our team to update our firewall and add the new ranges. Feel free to add several ranges at once.
- Make sure the service profile assigned to the new endpoints also uses the correct Internet Breakout Region. It has to be one of the three "(VPN)" options.
I want to update my CloudConnect, how should I proceed?
There is no way to update the configuration of your CloudConnect yet. To do so, delete the attachment and create it again from scratch.
For Transit Gateways, make sure you delete it from the EMnify User Interface. If the attachment is deleted from AWS first, we won't be notified and the configured CIDR will not be available again automatically.
Note: when the old breakout is deleted and then the new is created, no additional fee will be charged. When you delete the attachment from AWS side only, it will still be charged on the EMnify side.