Hi All,
One of our customers has two VPN tunnels to AWS based on VTIs. These VPN tunnels are configured successfully and working fine.
Based on BGP only one VPN tunnel is 'active' while the other one is there just in case of a problem with the first VPN tunnel. This mechanism is also tested and is working fine. But.....
Sometimes this customer is seeing the following in SmartLog:
"Connection client side is moved to new vpn interface vpnt2" and at the same time-stamp "Connection client side is moved to new vpn interface vpnt1".
I found sk120152 which says the issue is probably related to routing. But we do not see any changes in BGP and the last BGP update was a few days ago.
A deeper look at SmartLog shows outbound traffic is leaving vpnt1 and inbound traffic is entering vpnt2. This is not correct and probably the reason for the mentioned log entries.
Customer contacted AWS support and they confirm what we are seeing. Traffic entering one VPN tunnel and leaving the other one (from AWS point of view). So we think the cause is with AWS, but they also do not see a BGP update and VPN tunnels are up-and-running for several days.
So a short summary:
- No BGP updates or route changes shown in logs.
- VPN tunnel stable for many days.
- AWS and customer are seeing the same issue. Traffic uses both VPN tunnels.
I have a case open with Check Point support, but for now they are telling us to look at AWS.
Has anyone seen this kind of behavior in the field? What can we do to investigate and solve this issue?
Thanks for the help.
Regards,
Martijn.
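As an added illustration (not part of the original post, and not Check Point's own tooling), the script below shows how the two symptoms described above can be pulled out of a log export automatically: a connection whose outbound traffic leaves one VTI while its inbound traffic enters the other, and a connection that is "moved to new vpn interface" twice at the same timestamp, to two different VTIs. The line layout (`conn=`, `dir=`, `vpn_if=`, `msg=`) and all sample values are constructed for this example; a real SmartLog export has a different field set, so only the parser regex would need adapting.

```python
import re
from collections import defaultdict

# Constructed, simplified log lines (assumption: NOT a real SmartLog export format).
# Interface names vpnt1/vpnt2 and the quoted message text come from the post above;
# addresses, ports and field names are made up for this example.
SAMPLE_LOG = """\
2024-05-01T10:15:22 conn=10.1.1.5:44210->172.31.0.10:443 dir=outbound vpn_if=vpnt1
2024-05-01T10:15:22 conn=10.1.1.5:44210->172.31.0.10:443 dir=inbound vpn_if=vpnt2
2024-05-01T10:15:22 conn=10.1.1.5:44210->172.31.0.10:443 msg="Connection client side is moved to new vpn interface vpnt2"
2024-05-01T10:15:22 conn=10.1.1.5:44210->172.31.0.10:443 msg="Connection client side is moved to new vpn interface vpnt1"
2024-05-01T10:16:03 conn=10.1.1.7:51000->172.31.0.20:22 dir=outbound vpn_if=vpnt1
2024-05-01T10:16:03 conn=10.1.1.7:51000->172.31.0.20:22 dir=inbound vpn_if=vpnt1
2024-05-01T10:16:40 conn=10.1.1.9:60001->172.31.0.30:443 dir=outbound vpn_if=vpnt1
"""

# One line is either a traffic record (dir= + vpn_if=) or a message record (msg=).
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+conn=(?P<conn>\S+)\s+'
    r'(?:dir=(?P<dir>\w+)\s+vpn_if=(?P<iface>\w+)|msg="(?P<msg>[^"]*)")$'
)
MOVED_RE = re.compile(r'moved to new vpn interface (?P<iface>\w+)')


def parse_log(text):
    """Turn raw lines into dicts; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        d = m.groupdict()  # unmatched named groups come back as None
        mm = MOVED_RE.search(d["msg"]) if d["msg"] else None
        d["moved_to"] = mm.group("iface") if mm else None
        events.append(d)
    return events


def find_asymmetric_connections(events):
    """Connections whose outbound and inbound traffic use different VTIs.

    Returns {conn: (sorted outbound ifaces, sorted inbound ifaces)}.
    A connection seen in only one direction is not flagged.
    """
    ifaces = defaultdict(lambda: {"inbound": set(), "outbound": set()})
    for e in events:
        if e["dir"] in ("inbound", "outbound") and e["iface"]:
            ifaces[e["conn"]][e["dir"]].add(e["iface"])
    result = {}
    for conn, d in ifaces.items():
        if d["inbound"] and d["outbound"] and d["inbound"] != d["outbound"]:
            result[conn] = (sorted(d["outbound"]), sorted(d["inbound"]))
    return result


def find_interface_flaps(events):
    """Connections 'moved' to two or more different VTIs within the same timestamp."""
    moves = defaultdict(set)
    for e in events:
        if e["moved_to"]:
            moves[(e["conn"], e["ts"])].add(e["moved_to"])
    return sorted({conn for (conn, _ts), s in moves.items() if len(s) > 1})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for conn, (out_if, in_if) in find_asymmetric_connections(evts).items():
        print(f"asymmetric: {conn} out={out_if} in={in_if}")
    for conn in find_interface_flaps(evts):
        print(f"flapping  : {conn}")
```

Feeding a real export through this (after adjusting `LINE_RE` to the actual field names) gives a list of affected connections with timestamps, which is the kind of evidence both the Check Point and AWS cases can be correlated against; if the asymmetric connections cluster around specific timestamps, that is the window to compare with the BGP and route-table history on both sides.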