VPC Site-2-Site VPN issue

Hello,

We have setup a Site-2-Site VPN from a VPC of ours to a Fortigate firewall. However there appears to be a routing issue. When we ping their firewall, they receive the ICMP and reply back. But I do not receive the reply. It's the same for other types of traffic types.

My question is how I would capture and see if the ICMP reaches us? Should I do it on the network interface of the EC2 the traffic is destined for? Or on a higher level? We allow ICMP from 0.0.0.0 on the EC2 SG.

Thanks

Adding some images here Enter image description here
Enter image description here

Enter image description here

Max Clements EXPERT
2 months ago
Are you trying to ping over the tunnel, or to the CGW of the Fortigate?
GuestConn
2 months ago
@Max Clements: when we do pings from our EC2 (172.31.38.164) we target a host that's behind the remote fortigate. For an example the ip-address 10.156.102.10.

Topics

Networking & Content Delivery

Tags

Amazon VPC AWS Virtual Private Network (VPN)

Language

English

GuestConn

asked 2 months ago144 views

2 Answers

Newest
Most votes
Most comments

Accepted Answer

I actually solved this by adding the entire network 172.31.0.0/16 in the VPN tunnel instead of just the single EC2.

GuestConn

answered 2 months ago

EXPERT

Oleksii Bebych

reviewed 2 months ago

You cant add 172.31.0.0/16 to the VPN Static Routes on the AWS side as this is your VPC CIDR Range. You only add routes here for networks to route VIA the VPN such as the 10.156.102.0/24 and then propagate to the VGW.

I suggest you remove 172.31.0.0/16 or your going to have issues as its overlapping your local VPC and its only working because local has a higher priority then the VGW

EXPERT

Gary Mclean

answered 2 months ago

GuestConn
2 months ago
I did not have to remove it, it seems that AWS was smart enough to figure this out and ignore propagating that static route. But sure, it should be removed still.
Gary Mclean EXPERT
2 months ago
It’s because a /32 is more specific than a /16. Defo remove it or you will be in for a world of pain. Cheers.

Relevant content

Route all traffic To & from EC2 Instances(in private subnet) to on-premise Fortigate Firewall via site-to-site VPN
Accepted Answer
rePost-User-8294601
asked a year ago
Issue with Setting up VPN Connection between UTM Sophos Firewall V9 and AWS VPC
Accepted Answer
nmos
asked a year ago
Site2Site VPN with Fortigate no return traffic from EC2
Accepted Answer
mb
asked 9 months ago
AWS VPN Gateway -VPC traffic routed through on prem firewall
Accepted Answer
abhijeet
asked 25 days ago
How can I resolve asymmetric routing issues when I create a VPN as a backup to a Direct Connect connection in a transit gateway?
AWS OFFICIALUpdated 9 months ago
Why can't I connect to my VPC when using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway?
AWS OFFICIALUpdated a year ago
How can I build a dynamic routing based VPN using a Palo-Alto firewall and AWS VPN?
AWS OFFICIALUpdated a year ago
Why can't I connect to my VPC when using an AWS Site-to-Site VPN that terminates on a transit gateway?
AWS OFFICIALUpdated a year ago
Setup: IPSec VPN between Virtual PfSense Router and AWS managed VPN endpoint with static routing
EXPERT
Vinay Gugueoth
published 9 months ago
AWS Site-to-Site VPN Configuration Guide for Palo Alto Firewalls
EXPERT
tyler_applebaum
published 12 days ago