Thanks Stonefury for your comments but I am not quiet sure what you're saying, Can you please phrase it in a simple terms? Thanks and I appreciate your help.

Not sure how familiar you are with the site-to-site tunnels, but the tunnel to the AWS VPN will tear down if no traffic is coming from behind your cisco router.

One option is to ping from a machine at your business location to an EC2 instance once the VPN is established.

When I create an EC2 instance, I get a public and a private (local) IP address for that instance. Let's just say 54.x.x.x and the local IP is 10.0.x.x.

From a machine behind the cisco router, just do:

ping 10.0.x.x

Assuming your tunnel is up, the ping will work, correct?  Leave the ping running and see if your tunnel stays up permanently. 

Thank you for your quick respond.

Yes I've ping the machine on AWS cloud continuously but yet the tunnel is still dropping off.

I noticed that my Remote gateway is 54.240.204.91 but for some odd reason after an hour the tunnel drop off and it is trying to communicate with 54.240.204.92 .

Please see my attachment for more information. I thank you for your help.

Hello VAEGROUP01,

That is interesting that it drops the connection by itself in an hour. It would be interesting to get the answers for the questions below:

Is there a connection timeout limit set somewhere on any of the ends?

Is there a way you can see the logs at the time when its dropped?

Also, when you say that it is connected to xxx.91 and after dropping it tries to connect to x.x.x.92, is there a load balancer somewhere?

And does it ever successfully connect to x.x.x.92?

Regards,

Saji Thomas

Hi Saji,

I can not find connection timeout set on the Cisco router, however I've ticked " Keep Alive".

In about an hour it dropped because it is trying to connect to x.x.x.92. Come to think of it there is a WAN load balance, WAN1 set as primary.

It has never successfully connect to x.x.x.92 , it normally reconnect itself after 10 sec to 2 mins.

Someone suggested that I should look for AWS Fully Qualified name for dynamic remote gateway IP address of x.x.x.91 and x.x.x.92. What do you think?

Thanks for your help.

As Stonefury said, "the tunnel to the AWS VPN will tear down if no traffic is coming from behind your cisco router." Did you check with AWS support if that is correct?

Also, check if there is any AWS related FQDN that points to the x.x.x.91/92 IP address (like a load balancer or something). And I am sure that their is something related to the 1 hour time mystery as it always disconnects .91 after one hour and never connects to .92.

Not sure if Amazon will let you do it but is it possible that you can create something like a static connection to that .91 IP. Also continuously ping (-t) the .91 IP so that something trying to keep it alive.   

Thanks! Saji