Wednesday, February 28, 2018

VPN site-to-site with AWS, traffic flapping

Hey guys,

We have an ASA firewall that's been upgraded to 9.9(1) recently. We also have a site to site VPN set up between our on-premises environment and AWS.

All was working fine, but since the ASA upgrade we experience network hiccups (flapping traffic). From an EC2 instance, I am currently able to ping an on-premises server but it could be that 5 minutes later the ping times out. The VPN tunnel stays on as far as I can tell.

The other weird thing is that while I can ping from the EC2 server to a DNS/DC server on-prem, all DNS lookups fail. So even though the VPN tunnel is ON and ping works, I get a timeout trying to do a DNS lookup. Even weirder is that the DNS lookup was working 5 minutes ago.

I have installed MS Network Analyser on the 2 boxes but couldn't find anything other than that the DNS queries are sent but are not reaching the server from time to time.

I am a sysadmin, so I have very basic knowledge of ASA and VPN protocols. I have asked a colleague who's on vacation, so I got a succinct reply: Please verify the AWS support pages for any change to the encryption methodology; possibly some of the preferred ciphers got decommissioned at the time of the ASA upgrade.

As far as I can tell the minimum requirements for AWS are IKEv1, AES128, SHA1, and DH Group 2.

This is what it looks like on our ASA:

https://i.imgur.com/isGwmTq.png

https://i.imgur.com/nNQoiZR.png

https://i.imgur.com/J2v0b4G.png
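To quantify the intermittent DNS failures described above (queries leave the EC2 box but replies sometimes never come back), here is an added probe script that is not part of the original post: it sends raw DNS A queries over UDP at a fixed interval and collapses the results into outage windows that can be lined up against the ASA's syslog timestamps. The DNS server address and hostname passed to it are placeholders the reader supplies.

```python
import random, socket, struct, time

def build_query(name, qid):
    """Build a minimal DNS A query in RFC 1035 wire format (recursion desired)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data, expected_id):
    """Return (rcode, answer_count); raise ValueError if this is not our reply."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id or not flags & 0x8000:  # ID must match, QR bit set
        raise ValueError("not a response to our query")
    return flags & 0x000F, an

def probe_once(server, name, timeout=2.0):
    """One UDP lookup; True only if a NOERROR reply arrives within the timeout."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
            return parse_response(data, qid)[0] == 0
        except (socket.timeout, ValueError):
            return False

def outage_windows(samples):
    """Collapse (timestamp, ok) samples into [(first_fail, first_ok_after)] windows."""
    windows, start = [], None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:  # still failing at the end of the run
        windows.append((start, samples[-1][0]))
    return windows

def run_probe(server, name, interval=5, count=60):
    """Probe `server` (placeholder IP of the on-prem DNS/DC) every `interval` s."""
    samples = []
    for _ in range(count):
        samples.append((time.time(), probe_once(server, name)))
        time.sleep(interval)
    return outage_windows(samples)
```

Running `run_probe("10.0.0.10", "dc01.corp.example")` from the EC2 instance (placeholder address and name) returns the windows in which DNS over the tunnel was unreachable; a regular period in those windows points at a periodic tunnel event rather than random loss.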
