Unable to Access AWS EC2 Resources over Site-to-Site VPN
We have a site-to-site VPN setup between our VPC (vpc-6d9c8505, 172.31.0.0/16) and our office network (10.253.1.0/24) using a SonicWall TZ-400. The SonicWall shows both tunnels up, I can ping our EC2 instances, but can't RDP into them. I can also ping from the EC2 server to local resources, but can't access them (ie. pings my printer, but can't print to it). RDP and accessing network shares DOES work using the Client VPN Endpoint (via OpenVPN)
Note: This WAS working prior to us trying to replace our old unmanaged switch between the SonicWall and the office LAN with the TP-Link. Now, even if I put the unmanaged switch back in place, it still fails. Since the VPN client works, it fails with both switches, and security is completely open on the AWS side, the only thing I'm really left with is the SonicWall.
Tried so far:
Added an Allow All 0.0.0.0/0 rule to our AWS Security Group and Allow All in ACLs. All incoming/outgoing is currently open on the AWS VPC side.
RDP works over the VPN client, but not the site-to-site VPN, which should rule out RDP itself being blocked at my PC or the EC2 server
Ping and Tracert from PC to EC2 are successful, RDP and telnet over 3389 fail (site-to-site VPN only) in both directions. Printing from EC2 Instance to office printer also fails, so it's not specific to 3389.
Verizon Router (192.168.1.1 internal, 96.x.x.x public)
Site-to-site VPN to AWS Resources
TP-Link T1600G-28PS Switch
No VLANs, QoS, Security configured. Aside from changing the interface from the default 192.168.0.1, it's as unmanaged as it can get out of the box
Office Network (10.253.1.0/24)
Welcome to SonicWall community.
I would suggest performing a packet capture to understand how the packets are being processed on the firewall and if any configuration changes are required.
Since, AWS usually asks for two simultaneous VPN connections, please check if the traffic is going through one and returning through the other. To support that we would need to enable asymmetric routing on the VPN tunnel interfaces created under MANAGE | Network | Interfaces section.
Let us know what you find.
Technical Support Advisor, Premier Services
Thanks for the quick response.
The two VPN tunnels do show outgoing on one, incoming on the other with traffic on both. Packet Capture at the SonicWall shows the incoming packets from the cloud server to my PC over 3389 being dropped.
Full capture is attached.
Ether Type: IP(0x800), Src=[20:c0:47:15:ff:00], Dst=[18:b1:69:05:e2:f1]
IP Packet Header
IP Type: TCP(0x6), Src=[172.31.35.60], Dst=[10.253.1.110]
TCP Packet Header
TCP Flags = [SYN,ACK,], Src=, Dst=, Checksum=0x9951
DROPPED, Drop Code: 736(Packet dropped -
cache add cleanup drop the pkt), Module Id: 25(network), (Ref.Id: _2205_ecejgCffEngcpwr) 2:2)