Resolve AWS Site-to-Site VPN parameter discrepancies during rekeying. Learn how to troubleshoot VPN connections for secure and consistent encryption parameters.
Question
A network engineer needs to build an encrypted connection between an on-premises data center and a VPC. The network engineer attaches the VPC to a virtual private gateway and sets up an AWS Site-to-Site VPN connection. The VPN tunnel is UP after configuration and is working. However, during rekey for phase 2 of the VPN negotiation, the customer gateway device is receiving different parameters than the parameters that the device is configured to support.
The network engineer checks the IPsec configuration of the VPN tunnel. The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides.
What should the network engineer do to troubleshoot and correct the issue?
A. Check the native virtual private gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.
B. Check the native customer gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
C. Check Amazon CloudWatch logs of the virtual private gateway. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.
D. Check Amazon CloudWatch logs of the customer gateway. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
Answer
B. Check the native customer gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
Explanation
The correct troubleshooting step to address the discrepancy in VPN parameters received during phase 2 rekeying is Option B: Check the native customer gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
By inspecting the logs on the customer gateway device, the engineer can identify which parameters are actually being received during the phase 2 rekey. With that information, the customer gateway’s configuration can be aligned with the specific encryption algorithms and parameters that the AWS Site-to-Site VPN configuration communicates.
Restricting the VPN tunnel options to the parameters the customer gateway supports ensures that the negotiation proposes only compatible values during rekeying, which resolves the issue of receiving parameters that differ from the configured ones.
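As an added example (not part of this question set or of any AWS tooling), the script below compares the phase 2 parameters a tunnel is still allowed to propose with the set the customer gateway is configured for, lists the values a rekey could surface that the device would reject, and builds the restricted tunnel-options payload for `aws ec2 modify-vpn-tunnel-options`. The algorithm sets are constructed samples, and the VPN connection ID and tunnel outside IP are placeholders.

```python
import json

# Constructed sample: the single, strict phase 2 set the customer gateway device is configured for.
CGW_PHASE2 = {
    "encryption": {"AES256-GCM-16"},
    "integrity": {"SHA2-256"},
    "dh_groups": {14},
}

# Constructed sample: a wide set a tunnel may still propose when its tunnel
# options were never restricted (value names follow the AWS tunnel option names).
TUNNEL_ALLOWED_PHASE2 = {
    "encryption": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "integrity": {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"},
    "dh_groups": {2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
}


def rekey_mismatches(proposable, cgw):
    """Per category, the values a rekey could propose that the CGW does not support.

    An empty dict means every proposable value is acceptable to the device."""
    return {
        category: sorted(proposable[category] - cgw[category])
        for category in cgw
        if proposable[category] - cgw[category]
    }


def restricted_tunnel_options(cgw):
    """Tunnel-options structure that limits phase 2 proposals to the CGW's set."""
    return {
        "Phase2EncryptionAlgorithms": [{"Value": v} for v in sorted(cgw["encryption"])],
        "Phase2IntegrityAlgorithms": [{"Value": v} for v in sorted(cgw["integrity"])],
        "Phase2DHGroupNumbers": [{"Value": v} for v in sorted(cgw["dh_groups"])],
    }


def cli_command(vpn_connection_id, tunnel_outside_ip, cgw):
    """AWS CLI invocation applying the restriction to one tunnel of a connection."""
    return (
        "aws ec2 modify-vpn-tunnel-options "
        f"--vpn-connection-id {vpn_connection_id} "
        f"--vpn-tunnel-outside-ip-address {tunnel_outside_ip} "
        f"--tunnel-options '{json.dumps(restricted_tunnel_options(cgw))}'"
    )


if __name__ == "__main__":
    print(rekey_mismatches(TUNNEL_ALLOWED_PHASE2, CGW_PHASE2))
    # Placeholder connection ID and documentation-range IP address.
    print(cli_command("vpn-0123456789EXAMPLE", "203.0.113.10", CGW_PHASE2))
```

The mismatch report mirrors what the customer gateway logs would reveal during a rekey; applying the generated command narrows the tunnel options so the report becomes empty.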
AWS Certified Advanced Networking – Specialty ANS-C01 certification exam practice question and answer (Q&A) dump with detailed explanation and reference, available free and helpful for passing the AWS Certified Advanced Networking – Specialty ANS-C01 exam and earning the AWS Certified Advanced Networking – Specialty ANS-C01 certification.