The EMnify CloudConnect feature uses the AWS VPN service. When setting up an IPsec tunnel with us, check your vendor documentation to see whether specific settings apply when connecting to the AWS VPN service. For troubleshooting, see: VPN inactivity troubleshooting by AWS.
Why are my IPSec tunnels down even though the configuration was correct and was not changed?
No traffic
If no traffic is sent through the IPsec tunnel, the tunnels may go down. They come back up as soon as traffic from the customer's application server arrives. AWS documentation states: "The VPN tunnel comes up when traffic is generated from your side of the VPN connection. The AWS endpoint is not the initiator; your customer gateway device must initiate the tunnels."
To keep the tunnel up, we advise the customer side to actively re-establish the IPsec tunnel (e.g. by means of a cron job or by setting up a ping from the application server to an EMnify endpoint). This is because the IPsec SA is eventually removed completely if all attempts to re-establish it fail (e.g. as a result of an AWS network outage).
Idle timeouts
If you're experiencing idle timeouts due to low traffic on a VPN tunnel:
- Be sure that there's constant bidirectional traffic between your application server and our CloudConnect. If necessary, create a host that sends ICMP requests to an instance in your VPC every 5 seconds.
- Review your VPN device's idle timeout settings using information from your device's vendor. When there's no traffic through a VPN tunnel for the duration of your vendor-specific VPN idle time, the IPsec session terminates. Be sure to follow vendor-specific configuration guidelines.
Network failure
To re-establish a VPN tunnel after a network outage (which would typically exceed the DPD timeout interval), we recommend that customers provide an additional mechanism, such as a cron job or a ping from the application server to an EMnify endpoint. This is because the IPsec SA is eventually removed completely if all attempts to re-establish it fail. AWS does not initiate IPsec connections; it only operates in passive mode.
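The keepalive mechanism recommended in the "No traffic" and "Network failure" sections can be run as a small script from the application server. The following is an added example (not EMnify's or AWS's own code): it sends one ICMP echo request at a fixed interval to a target on the EMnify side of the tunnel and, when the target has been unreachable for longer than the DPD timeout, fires a hook where you plug in your gateway's re-establish command. The target address, the 30 s DPD value and the hook body are placeholders; take the real values from your own IPsec configuration.

```python
"""Keepalive for an AWS-terminated IPsec tunnel.

The customer side must generate traffic, because the AWS endpoint never
initiates. This script probes a target reachable only through the tunnel
and flags when the tunnel has been unreachable longer than the DPD timeout,
at which point the IPsec SA is likely gone and must be re-established.
"""
import subprocess
import time
from typing import Callable, Optional

# PLACEHOLDER (constructed): an address on the EMnify side that is reachable
# only through the CloudConnect tunnel. Replace with your own target.
KEEPALIVE_TARGET = "192.0.2.1"


def system_ping(host: str) -> bool:
    """One ICMP echo request using Linux iputils ping, 2 s reply timeout."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", "2", host],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


class TunnelKeepalive:
    """Tracks probe results and classifies the tunnel as 'up', 'degraded'
    (failures still inside the DPD window) or 'down' (DPD window exceeded,
    or no success seen yet)."""

    def __init__(self, target: str, dpd_timeout: float = 30.0) -> None:
        self.target = target
        self.dpd_timeout = dpd_timeout  # assumed value; copy yours from the IPsec config
        self.consecutive_failures = 0
        self.last_success: Optional[float] = None

    def probe(self, now: float, send_ping: Callable[[str], bool] = system_ping) -> str:
        """Send one probe at time `now` (seconds) and return the tunnel state."""
        if send_ping(self.target):
            self.consecutive_failures = 0
            self.last_success = now
            return "up"
        self.consecutive_failures += 1
        if self.last_success is None or now - self.last_success > self.dpd_timeout:
            return "down"
        return "degraded"


def reestablish_hook() -> None:
    # PLACEHOLDER: replace with your gateway vendor's command that brings the
    # IPsec connection up again; the article only states that the customer
    # side must initiate.
    print("tunnel unreachable for longer than the DPD timeout; re-establishing")


def run(keepalive: TunnelKeepalive, interval: float, on_down: Callable[[], None]) -> None:
    """Probe forever; call on_down once each time the state crosses into 'down'."""
    was_down = False
    while True:
        state = keepalive.probe(time.monotonic())
        if state == "down" and not was_down:
            on_down()
        was_down = state == "down"
        time.sleep(interval)


if __name__ == "__main__":
    # 5 s matches the interval suggested in the idle-timeout guidance above.
    run(TunnelKeepalive(KEEPALIVE_TARGET, dpd_timeout=30.0), interval=5.0, on_down=reestablish_hook)
```

Run it under a process supervisor (or from cron with a lock file) so it survives reboots of the application server; the probe itself is the traffic that keeps the tunnel up, and the hook only runs once per outage rather than on every failed ping.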
The traffic sent from my EMnify endpoints does not arrive on my server. Why?
- Check where your endpoints are sending the traffic to. If you are using a hostname to address your application servers make sure it resolves to a private IP reachable through CloudConnect.
- Make sure you allow traffic coming from your endpoint IP addresses:
- If you can, allow traffic from the following ranges: 100.64.0.0/10, 10.192.0.0/12, 10.4.0.0/14. You will then be sure that traffic from your endpoints is allowed.
- If you have overlapping rules, you can allow only the IP ranges assigned to your account. In this case, you need to update your configuration each time a new IP range is assigned to your account.
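The checks in the list above (does the hostname resolve into the VPC reachable through CloudConnect, and are the endpoint source ranges actually allowed) can be automated. The following is an added example, not EMnify tooling: it uses the three aggregate ranges from this article, verifies that account-assigned ranges fall inside them, scans constructed firewall log lines for dropped packets whose source is an EMnify endpoint, and checks a hostname against the VPC CIDR. The log format, the VPC CIDR 10.10.0.0/16, the hostname and the resolver mapping are all constructed for the example.

```python
"""Audit allow rules and hostname resolution for CloudConnect traffic.

Sample data below is constructed for illustration; adapt the log regex to
your firewall's format and replace the resolver dict with real DNS lookups.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Aggregate source ranges of EMnify endpoints, as listed in the article.
EMNIFY_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("100.64.0.0/10", "10.192.0.0/12", "10.4.0.0/14")
]


def is_emnify_source(ip: str) -> bool:
    """True if the address lies in one of the aggregate endpoint ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EMNIFY_RANGES)


def uncovered_account_ranges(account_ranges: Iterable[str]) -> List[str]:
    """Account-assigned ranges that are not inside any aggregate range.
    Anything returned is a typo or stale entry in the per-account rule set."""
    uncovered = []
    for cidr in account_ranges:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(agg) for agg in EMNIFY_RANGES):
            uncovered.append(cidr)
    return uncovered


# Constructed key=value log format: "... src=<ip> ... action=<ACCEPT|DROP>".
LOG_RE = re.compile(r"src=(?P<src>\S+) .*?action=(?P<action>\w+)")


def dropped_emnify_sources(log_lines: Iterable[str]) -> List[str]:
    """Source IPs of dropped packets that came from EMnify endpoints.
    Each one is a gap in the allow rules on the application-server side."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("action") == "DROP" and is_emnify_source(m.group("src")):
            hits.append(m.group("src"))
    return hits


def resolves_into_vpc(hostname: str, vpc_cidr: str, resolver: Dict[str, str]) -> bool:
    """True if the hostname resolves to an address inside the VPC CIDR that
    is reachable through CloudConnect. `resolver` stands in for DNS here."""
    ip = resolver.get(hostname)
    return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(vpc_cidr)


# Constructed firewall log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z src=100.64.12.34 dst=10.10.0.5 proto=udp dport=5684 action=DROP",
    "2024-01-01T10:00:02Z src=10.193.4.7 dst=10.10.0.5 proto=tcp dport=443 action=ACCEPT",
    "2024-01-01T10:00:03Z src=203.0.113.9 dst=10.10.0.5 proto=tcp dport=22 action=DROP",
    "2024-01-01T10:00:04Z src=10.5.1.2 dst=10.10.0.5 proto=tcp dport=8883 action=DROP",
]

if __name__ == "__main__":
    print("dropped endpoint traffic from:", dropped_emnify_sources(SAMPLE_LOG))
    print("account ranges outside aggregates:",
          uncovered_account_ranges(["10.196.0.0/16", "100.70.0.0/16", "10.9.0.0/16"]))
    # Constructed hostname and resolver entry; 10.10.0.0/16 is the example VPC CIDR.
    print("hostname reachable via CloudConnect:",
          resolves_into_vpc("app.example.internal", "10.10.0.0/16",
                            {"app.example.internal": "10.10.0.5"}))
```

The drop scan is the quickest way to tell the two failure modes apart: drops from addresses inside the aggregate ranges mean your allow rules are incomplete, while drops from addresses outside them are unrelated to CloudConnect.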
Why don't my newly configured endpoints send data through my CloudConnect?
- Each time a new IP address range is added to your account to create new endpoints, the range needs to be configured on our firewall. Please open a ticket at support@emnify.com to request that our team update our firewall and add the new ranges. Feel free to add several ranges at once.
- Make sure the service profile assigned to the new endpoints also uses the correct Internet Breakout Region. It has to be one of the three "(VPN)" options.
Supported algorithms
Here is the list of AWS-supported algorithms that are available:
I want to update my CloudConnect, how should I proceed?
There is no way to update the configuration of your CloudConnect yet. To change it, delete the attachment and create it again from scratch.
For Transit Gateways, make sure you delete it from the EMnify User Interface. If the attachment is deleted from AWS first, we won't be notified and the configured CIDR will not be available again automatically.
Note: when the old breakout is deleted and the new one is created, no additional fee is charged. If you delete the attachment on the AWS side only, it will still be charged on the EMnify side.