AWS VPN Configuration: Troubleshooting Traffic Drops

Probable Reason for Traffic Drops from AWS Subnet Instances to On-Premises Location


Question

You currently have set up a VPN configuration from your on-premises location to AWS.

Your AWS VPC has a CIDR of 10.0.0.0/16 and a subnet of 10.0.1.0/24

Your on-premises location has a network CIDR block of 10.0.37.0/24

The traffic is being dropped when it is being sent from the subnet instances to your on-premises location.

What is the most probable reason for this?

Answers

Explanations


A. B. C. D.

Answer - B.

An example of exactly this situation is given in the AWS documentation:

Connections with Your Local Network and Other VPCs.

You can optionally set up a connection between your VPC and your corporate or home network.

If you have an IPv4 address prefix in your VPC that overlaps with one of your networks' prefixes, any traffic to the network's prefix is dropped.

For example, let's say that you have the following:

A VPC with CIDR block 10.0.0.0/16

A subnet in that VPC with CIDR block 10.0.1.0/24

Instances running in that subnet with IP addresses 10.0.1.4 and 10.0.1.5

On-premises host networks using CIDR block 10.0.37.0/24

When those instances in the VPC try to talk to hosts in the 10.0.37.0/24 address space, the traffic is dropped because 10.0.37.0/24 is part of the larger prefix assigned to the VPC (10.0.0.0/16).

Options A, C, and D are incorrect, as the question gives no indication of the type of traffic being sent.

For more information on VPCs and subnets, see the URL below.

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

The most probable reason for traffic being dropped when it is sent from the subnet instances to your on-premises location, given the information provided, is an overlap in prefixes. The on-premises CIDR block 10.0.37.0/24 falls inside the VPC CIDR block 10.0.0.0/16 (both lie within the 10.0.0.0/8 private range), which leads to routing issues.

When traffic is sent from an instance in the subnet to a destination outside of the VPC, it goes through the Virtual Private Gateway (VGW) attached to the VPC, which forwards it to the VPN connection. The VPN connection then sends the traffic over the Internet to the customer gateway (CGW) at the on-premises location. If the routing tables for the VPC and the on-premises network have overlapping IP address ranges, the traffic may be routed incorrectly or dropped.

Enabling enhanced networking on the instances can improve network performance by offloading some network processing to the network interface card (NIC), but it is unlikely to be the cause of traffic being dropped.

The "Do not fragment" setting in the IP header is used to prevent packets from being fragmented during transmission, but it should not affect the routing of traffic between the VPC and the on-premises network.

The MTU (Maximum Transmission Unit) is the largest packet size that can be transmitted over a network. If the MTU is too large, packets may be fragmented or dropped. However, this is unlikely to be the cause of traffic being dropped in this scenario.

Therefore, the most probable reason is an overlap in prefixes between the VPC CIDR block and the on-premises network CIDR block. To resolve this issue, the CIDR block for either the VPC or the on-premises network should be changed so that they do not overlap.
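As an added example (not part of the AWS documentation or the original question), the following Python check detects the prefix overlap described above before a VPN is brought up, and classifies how a destination address would be handled under the documented behaviour. The function names and the 192.168.10.0/24 sample prefix are constructed for illustration.

```python
"""Pre-flight overlap check for a VPC-to-on-premises VPN (added example)."""
import ipaddress
from typing import Iterable, List, Tuple


def find_overlaps(vpc_cidr: str, onprem_cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (on-prem prefix, relation) for each on-prem prefix overlapping the VPC CIDR.

    Two CIDR prefixes either are disjoint or one contains the other, so the
    relation is 'inside' (on-prem prefix lies within the VPC CIDR, the case in
    the question) or 'contains' (on-prem prefix is larger than the VPC CIDR).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    for prefix in onprem_cidrs:
        net = ipaddress.ip_network(prefix, strict=True)
        if not vpc.overlaps(net):
            continue
        relation = "inside" if net.subnet_of(vpc) else "contains"
        problems.append((prefix, relation))
    return problems


def classify_destination(vpc_cidr: str, onprem_cidrs: Iterable[str], dst: str) -> str:
    """Describe how a packet from a VPC instance to dst is handled.

    Per the documented behaviour: destinations inside the VPC CIDR are treated
    as local to the VPC, so an on-prem destination that also falls inside the
    VPC CIDR never reaches the virtual private gateway and is dropped.
    Returns one of 'dropped', 'local', 'vpn', 'unroutable'.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    addr = ipaddress.ip_address(dst)
    in_onprem = any(addr in ipaddress.ip_network(p, strict=True) for p in onprem_cidrs)
    if addr in vpc and in_onprem:
        return "dropped"      # overlap: local route shadows the on-prem prefix
    if addr in vpc:
        return "local"        # delivered within the VPC
    if in_onprem:
        return "vpn"          # forwarded via the virtual private gateway
    return "unroutable"       # neither VPC nor a known on-prem prefix


if __name__ == "__main__":
    # Values from the question: VPC 10.0.0.0/16, on-prem 10.0.37.0/24.
    print(find_overlaps("10.0.0.0/16", ["10.0.37.0/24"]))
    print(classify_destination("10.0.0.0/16", ["10.0.37.0/24"], "10.0.37.5"))
```

Run before provisioning: an empty list from find_overlaps means the on-premises prefixes can be routed over the VPN without being shadowed by the VPC's own CIDR.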