Tags: amazon-web-services, amazon-vpc

AWS Vpn routing to multiple subnets


We have a VPN setup with two static routes

10.254.18.0/24

10.254.19.0/24

We have a problem that we can only ever communicate from AWS to one of the above blocks at a time. At some times it is .18 and at other times it is .19 - I cannot figure out what the trigger is.

I never have any problem communicating from either of my local subnets out to aws at the same time.

Kinda stuck here. Any suggestions?

What have we tried? Well, the 'firewall' guys said they don't see anything being blocked. But I read another post here that stated the same thing, and the problem still ended up being the firewall.

Throughout the course of playing with this the "good" subnet has flipped 3 times. Meaning

  1. Right now I can talk to .19 but not .18
  2. 10 min ago I could talk to .18 but not .19

It just keeps flipping.


Solution

  • We've been able to get this resolved. We changed the static routes configured in AWS from:

    • 10.254.18.0/24
    • 10.254.19.0/24

    To use instead:

    • 10.254.18.0/23

    This will encompass all the addresses we need and has resolved the issue. Here was Amazon's response:

    Hello,

    Thank you for contacting AWS support. I can understand you have issues with reaching your two subnets: 10.254.18.0/24 and 10.254.19.0/24 at the same time from AWS.

    I am pretty sure I know why this is happening. On AWS, we can accept only one SA (security association) pair. On your firewall, the "firewall" guys must have configured a policy-based VPN. In a policy/ACL-based VPN, if you create the following policies, for example:

    1) source 10.254.18.0/24 and destination "VPC CIDR"
    2) source 10.254.19.0/24 and destination "VPC CIDR"

    OR

    1) source "10.254.18.0/24, 10.254.19.0/24" and destination "VPC CIDR"

    In both cases you will form 2 SA pairs, as we have two different sources mentioned in the policy/ACL. You just have to use source as "ANY" or "10.254.0.0/16" or "10.254.0.0/25", etc. We would prefer if you can use source as "ANY" and then micro-manage the traffic using VPN-filters if you are using a Cisco ASA device. How to use VPN-filters is given in the configuration file for Cisco ASA. If you are using some other device then you will have to find a solution accordingly. If your device supports route-based VPN then I would advise you to configure route-based VPN. Route-based VPNs always create only one SA pair.

    Once you find a solution to create only one ACL/Policy on your firewall, you will be able to reach both the networks at the same time. I can see multiple SA formation on your VPN. This is the reason why you cannot reach both the subnets at the same time.

    If you have any additional questions feel free to update the case and we will respond to them.
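The following is an added example, not code from the original post or from AWS support. It models the failure described in the thread: a policy-based VPN negotiates one IPsec SA pair per (local, remote) traffic-selector pair, the AWS side keeps only one of them, and the "good" subnet flips whenever the SAs are renegotiated. The script reports how many SA pairs a given ACL would produce and proposes the tightest single selector that covers the same addresses, using the poster's two /24 blocks as input. The VPC CIDR `172.31.0.0/16` is an assumption made for the example, and the "one ACL line equals one selector pair, no device-side merging" model is a simplification of how real firewalls behave.

```python
"""Traffic-selector checks for an AWS site-to-site VPN with a policy-based peer.

Constructed sample data: the on-prem blocks 10.254.18.0/24 and 10.254.19.0/24
come from the thread; the VPC CIDR 172.31.0.0/16 is an assumed value.
"""
import ipaddress
from typing import Iterable, List, Tuple

Pair = Tuple[str, str]  # (local/on-prem selector, remote/VPC selector)


def summarize(cidrs: Iterable[str]) -> List[str]:
    """Collapse CIDRs into the fewest prefixes that cover exactly the inputs.

    Adjacent, aligned blocks merge (10.254.18.0/24 + 10.254.19.0/24 ->
    10.254.18.0/23); no address outside the inputs is ever added.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def smallest_supernet(cidrs: Iterable[str]) -> Tuple[str, int]:
    """Single IPv4 prefix covering every input, plus the number of addresses
    it admits beyond the inputs.  When blocks are not adjacent this is the
    price of a one-line selector: those extra addresses can now use the
    tunnel, which is the caveat behind "just use source ANY"."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit at a time
    extra = candidate.num_addresses - sum(n.num_addresses for n in nets)
    return str(candidate), extra


def policy_sa_pairs(policy: Iterable[Pair]) -> List[Pair]:
    """Distinct (local, remote) selector pairs a policy-based VPN negotiates.

    Each distinct pair becomes its own Phase 2 SA pair.  Model assumption
    (a simplification): one ACL/policy line is one selector pair and the
    device does not merge lines itself.
    """
    pairs: List[Pair] = []
    for src, dst in policy:
        pair = (str(ipaddress.ip_network(src, strict=True)),
                str(ipaddress.ip_network(dst, strict=True)))
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def check_aws_selectors(policy: Iterable[Pair]) -> Tuple[bool, List[Pair], int]:
    """Return (ok, suggested_policy, extra_addresses).

    ok is True when the policy already yields exactly one SA pair, which is
    all the AWS side will keep.  Otherwise suggested_policy is a one-line
    replacement: exact summaries when the blocks collapse cleanly (the /23
    fix from the thread), else the smallest covering supernets, with
    extra_addresses counting what that over-approximation lets through.
    """
    pairs = policy_sa_pairs(policy)
    if len(pairs) == 1:
        return True, pairs, 0
    local_sel = summarize(p[0] for p in pairs)
    remote_sel = summarize(p[1] for p in pairs)
    extra = 0
    if len(local_sel) > 1:
        net, e = smallest_supernet(local_sel)
        local_sel, extra = [net], extra + e
    if len(remote_sel) > 1:
        net, e = smallest_supernet(remote_sel)
        remote_sel, extra = [net], extra + e
    return False, [(local_sel[0], remote_sel[0])], extra


if __name__ == "__main__":
    VPC = "172.31.0.0/16"  # assumed VPC CIDR for the example
    broken = [("10.254.18.0/24", VPC), ("10.254.19.0/24", VPC)]
    print("SA pairs negotiated:", len(policy_sa_pairs(broken)))
    ok, fix, extra = check_aws_selectors(broken)
    print("single-SA policy:", fix, "extra addresses admitted:", extra)
```

Run as-is it reports two SA pairs for the original policy and proposes `10.254.18.0/23 -> 172.31.0.0/16` with zero extra addresses, which is the change the poster made on the AWS static-route side. Feeding it non-adjacent blocks (say `10.254.18.0/24` and `10.254.20.0/24`) instead yields `10.254.16.0/21` and a non-zero count of addresses that the wider selector would newly permit; that count is the least-privilege cost of following the "source ANY" advice, and the reason to pair a wide selector with a VPN filter or to move to a route-based VPN where the route table, not the selector, decides what enters the tunnel.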