If your AWS Site-to-Site VPN connection drops and reconnects roughly every hour, here is a step-by-step guide to troubleshooting and resolving the issue.
Disconnections that recur on a fixed cadence usually point to a configuration mismatch between the two peers or to a timer expiring. Even when your Fortinet device appears to be functioning normally, the AWS side of the configuration still needs to be checked.
Start by verifying the IKE (Phase 1) and IPsec (Phase 2) lifetime settings on both your Fortinet gateway and your AWS VPN configuration; each phase has its own lifetime, and each must match its counterpart on the other peer. When the lifetimes differ, the peer with the shorter lifetime initiates renegotiation on its own schedule, and every renegotiation is an opportunity for the tunnel to drop, which is what produces the hourly pattern. Set both sides to the same duration, such as 8 hours (28,800 seconds), to minimize unnecessary renegotiations.
Next, review the Dead Peer Detection (DPD) settings. DPD detects when a peer has stopped responding; if it is disabled or misconfigured (for example, a timeout shorter than the interval at which the other peer answers), it can itself cause the tunnel to be torn down. Enable DPD on both ends with matching interval and retry settings.
Also look at the rekey settings. If the VPN is configured to rekey more often than necessary, each rekey is a further chance for disruption. Align the rekey interval with the lifetime settings so that rekeys happen only as often as the lifetimes require.
On the AWS side, check CloudWatch (the tunnel state metrics for the connection and, if enabled, the Site-to-Site VPN connection logs, which record the IKE and IPsec negotiation events) and CloudTrail for anything that coincides with the disconnection times. Confirm whether any errors or warnings line up with the timing of the drops.
Finally, verify that the network path is stable and that no intermediate firewall or NAT device is interfering with the VPN traffic, for example by dropping the UDP sessions the tunnel relies on. Consistent, clean connectivity between the peers narrows the problem to configuration.
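As an added example (not code from the original page or from AWS or Fortinet), the following Python check compares the tunnel options that `aws ec2 describe-vpn-connections` returns with the Fortinet keylife and DPD values and reports the mismatches described above. The JSON document, the Fortinet dictionary and the `aws_rekey_window` formula (strongSwan-style semantics: rekey at lifetime minus margin minus a random share of margin times fuzz) are assumptions constructed for this example.

```python
import json

# Constructed sample in the shape `aws ec2 describe-vpn-connections` returns
# (only the fields this check reads; IDs and addresses are placeholders).
AWS_VPN_JSON = """{"VpnConnections": [{"VpnConnectionId": "vpn-EXAMPLE",
 "Options": {"TunnelOptions": [{"OutsideIpAddress": "203.0.113.10",
   "Phase1LifetimeSeconds": 28800, "Phase2LifetimeSeconds": 3600,
   "RekeyMarginTimeSeconds": 540, "RekeyFuzzPercentage": 100,
   "DpdTimeoutSeconds": 30, "DpdTimeoutAction": "clear"}]}}]}"""

# Constructed sample of the Fortinet side: the keylife values from
# `config vpn ipsec phase1-interface` / `phase2-interface` and the DPD mode.
FORTINET = {"phase1_keylife": 28800, "phase2_keylife": 28800, "dpd": "on-idle"}


def aws_tunnel_options(raw):
    """Return the TunnelOptions list of the first VPN connection in the JSON."""
    return json.loads(raw)["VpnConnections"][0]["Options"]["TunnelOptions"]


def aws_rekey_window(tun):
    """Earliest and latest second after the last rekey at which AWS starts
    a Phase 2 rekey (assumed strongSwan-style semantics: lifetime - margin
    - random share of margin * fuzz%). A 3600 s lifetime, 540 s margin and
    100% fuzz therefore rekeys somewhere between 2520 s and 3060 s."""
    life, margin = tun["Phase2LifetimeSeconds"], tun["RekeyMarginTimeSeconds"]
    spread = margin * tun["RekeyFuzzPercentage"] / 100
    return (int(life - margin - spread), int(life - margin))


def check_tunnel(tun, forti):
    """Compare one AWS tunnel's options with the Fortinet side; return findings."""
    findings = []
    for key, fkey in (("Phase1LifetimeSeconds", "phase1_keylife"),
                      ("Phase2LifetimeSeconds", "phase2_keylife")):
        if tun[key] != forti[fkey]:
            who = "AWS" if tun[key] < forti[fkey] else "Fortinet"
            findings.append(f"{key}: AWS={tun[key]}s Fortinet={forti[fkey]}s; "
                            f"{who} has the shorter lifetime and will initiate rekeys")
    if forti["dpd"] == "disable":
        findings.append("Fortinet DPD is disabled; a dead peer will not be detected")
    if tun["DpdTimeoutAction"] == "clear":
        # 'clear' ends the IKE session on DPD timeout; 'restart' re-establishes it.
        findings.append("AWS DpdTimeoutAction=clear tears the tunnel down on DPD "
                        "timeout; 'restart' re-establishes it instead")
    return findings


if __name__ == "__main__":
    for tunnel in aws_tunnel_options(AWS_VPN_JSON):
        print(tunnel["OutsideIpAddress"], aws_rekey_window(tunnel))
        for line in check_tunnel(tunnel, FORTINET):
            print("  -", line)
```

In the constructed sample the Fortinet Phase 2 keylife (28,800 s) exceeds the AWS Phase 2 lifetime (3,600 s), so AWS rekeys roughly every hour, matching the symptom; the fix is to give both peers the same Phase 2 lifetime.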
By aligning the lifetime and rekey settings, configuring DPD consistently on both ends, and checking the logs for anomalies at the times of the drops, you can substantially reduce the chance of the VPN dropping every hour. If the problem persists after these adjustments, contact AWS Support for a more detailed analysis of your specific setup.