Applies to: Seclore Cloud VPN
Error: Peer is not responsive - Declaring peer dead (DPD issue) or Keep Alive Method issue:
Cause 1: Peer inactive.
When the other side of your VPN connection (the peer) doesn't respond to three consecutive DPD (Dead Peer Detection) messages, it's seen as inactive. In this situation, AWS will disconnect the tunnels because it thinks the peer isn't working.
Solution 1:
- To keep the tunnel up, ensure constant interesting traffic is generated within the tunnel from the customer end within a specific interval, or DPD should be enabled, and ensure the customer device acknowledges DPD messages sent by AWS Seclore VPN.
- Make sure that the CGW (Customer Gateway Device) is not too busy to respond to the DPD messages from AWS.
- Here's an important tip: You can try pinging one of the IPs listed below from your target LDAP machine. If one of these IPs responds, configure that specific IP to send ICMP packets. This way, you'll have important traffic going through the tunnel.
| For India region customers, please send ICMP packets to below IPs | For US region customers, please send ICMP packets to below IPs |
10.220.23.100 | 10.20.21.11 |
10.123.64.100 | 10.20.21.12 |
100.64.1.100 |
|
- Please ping the above IPs to verify that everything is operating as intended. One of the above IPs should be reachable; set that IP up to send ICMP packets so that there is interesting traffic within the tunnel.
If you wish to generate this traffic, you can use the sample script below to create ICMP packets inside your VPN tunnels:
Script to generate ICMP packets inside VPN tunnels
-----------------------------------------------------------------------------------------------------------------------
Cause 2: Change in tunnel configuration.
If your VPN tunnels are disrupted because you've changed the configuration on your end, or they just won't connect even after you've sent ICMP packets from the AD machine, there could be a configuration issue.
Solution 2:
Check if any changes have been made to the configuration of the VPN associated with Seclore.
Check the traceroute report to see if traffic is flowing out from the customer's gateway to Seclore Gateway.
Make sure the tunnel is working properly. Check if IPSec Phases 1 and 2 are active and functioning.
Check if the Traffic is Routing from the same Gateway IP that is shared with Seclore. If needed, get in touch with Seclore Support to verify this.
Examine if any IPSec settings have been altered, such as the encryption algorithms for Phase 1 and Phase 2, the hash algorithm, the DH Group, PFS Secrecy, Lifetime, and so on. If changes were made, ensure they match exactly with the settings provided in the VPN configuration file shared by Seclore.
Double-check that the source and destination networks in the encryption domain or traffic selectors are configured correctly.
Verify the stability of your ISP's connection and ensure it's not frequently disconnecting and reconnecting (flapping).
Verify if your device supports asymmetric routing. If it doesn't, avoid using it.
Look into the VPN-related logs from the moment you encountered the problem. If needed, share these logs with your device's TAC team.
Other similar issues.
AWS tunnel received DELETE for Phase 2 SA with SPI: xxxx
Trouble Logging into PS Despite Working VPN
AWS tunnel detected a pre-shared key mismatch with cgw: xxxx
Need more help?
Contact Seclore Support
support@seclore.com | Chat Live