Issue¶

My VPN tunnel is established, but things are still not working as expected. 

If you are having trouble establishing the tunnel to Acquia Cloud, see our troubleshooting tips: Tips for setting up a VPN Tunnel to your Acquia Cloud servers

Resolution¶

Rule out the following:

• SSH - Ensure you are using the proper SSH command when attempting to SSH. This will follow the pattern [sitegroup].[env]@[web-IP-address]
• Ports. Confirm your internal network ports are open. Confirm the listening port to be used within your internal network is set correctly. 
• IP overlap. Confirm that your internal private network and Acquia Shield VPC private network IP's are not overlapping, because overlapping subnets can cause routing issues over a VPN tunnel.
• Requirements for gateways. Confirm that the IPsec configuration internal to your device satisfies AWS requirements for customer gateways.
• Policy-based VPN. If your network is using a policy-based VPN, verify that you have correctly defined the source and destination networks in your encryption domain.
  • Acquia's tunnel endpoints will only accept a single SA Proposal if you are using a Policy-Based VPN, meaning your device can only reference one source and one destination for each tunnel. 
• Route-based VPN. If you are using a route-based VPN, confirm that you have correctly configured routes to your Acquia Shield VPC.
• More troubleshooting:
  • AWS also provides more detailed troubleshooting docs organized by gateway device here.
  • More general troubleshooting info can be found from AWS.

If you have checked the above information and it is correct, yet still need assistance, please provide the following troubleshooting information in a Support ticket:

• Ping between your internal network and a server within your Acquia Shield VPC.
  copy

  $ ping 52.29.81.245
  
  PING 52.29.81.245 (52.29.81.245): 56 data bytes
  
  64 bytes from 52.29.81.245: icmp_seq=0 ttl=39 time=174.301 ms
  
  64 bytes from 52.29.81.245: icmp_seq=1 ttl=39 time=177.961 ms
  
  64 bytes from 52.29.81.245: icmp_seq=2 ttl=39 time=174.609 ms
  
  
  --- 52.29.81.245 ping statistics ---
  
  3 packets transmitted, 3 packets received, 0.0% packet lossround-trip min/avg/max/stddev = 174.301/175.624/177.961/1.658 ms

  copy

• Attempt a traceroute from your network to a server within your Acquia Shield VPC.
• Confirm that traffic is not blocked by any firewall rules with your Network Administrator. If possible, disable all firewall rules for a brief period of time to test the connection. 
• Your VPN policy/configuration being used in your router/firewall.
• Any network error logs with a timestamp and relevant timezone information, if not in UTC.
• Screenshots of your configuration and/or network diagrams that you think may be helpful.