(Optional) How to verify that your AWS-Orka VPN tunnel works as expected: check security associations, tunnel status and traffic between Orka and AWS.

You need:

  • Active VPN connection to your Orka cluster.
  • Your Cisco ASAv connection information from the IP Plan.

This part of the workflow is optional.

Verify that there is an ISAKMP security association between the peers

  1. Run Cisco ASDM-IDM and log in to your firewall.
  2. In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface….
  3. Select Single Line, enter the following command, and click Send.

show crypto isakmp sa

If the site-to-site VPN connection is configured properly, you should see information about an active IKEv1 SA with the peer in state MM_ACTIVE. For example:
Result of the command: "show crypto isakmp sa"


IKEv1 SAs:  
  
Active SA: 1  
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)  
Total IKE SA: 1  
  
1 IKE Peer: ...  
Type : L2L Role : initiator   
Rekey : no State : MM_ACTIVE  
  
There are no IKEv2 SAs

Verify that there is an IPsec security association between peers

  1. Run Cisco ASDM-IDM and log in to your firewall.
  2. In the Cisco ASDM-IDM application toolbar, select Tools > Command Line Interface….
  3. Select Single Line, enter the following command, and click Send.

show crypto ipsec sa

If the site-to-site VPN connection is configured properly, you should see a detailed log. For example:
Result of the command: "show crypto ipsec sa"  
  
interface: Outside  
Crypto map tag: amzn_vpn_map_1, seq num: 1, local addr: ...  
  
access-list acl-amzn extended permit ip any ...   
local ident (addr/mask/prot/port): ...  
remote ident (addr/mask/prot/port): ...  
current_peer: ...  
  
  
....  
  
inbound esp sas:  
...  
outbound esp sas:  
...
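The two checks above are manual: you read the ASDM output and look for an active IKEv1 SA and for inbound and outbound ESP SAs. The following Python script is an added example (not code from the Orka or Cisco documentation) that makes the same decision from the text of both commands, so it can be run against output saved from ASDM or pulled by a monitoring job. The two sample outputs are constructed to match the layout shown on this page; the peer and local addresses, SPIs and lifetimes are invented.

```python
"""Health check for the ASA side of the Orka-to-AWS tunnel.

Added example (not from the Orka or Cisco documentation): parses the text of
'show crypto isakmp sa' and 'show crypto ipsec sa' as ASDM returns it and
decides whether the IKEv1 and IPsec security associations look healthy.
The sample outputs below are constructed; addresses, SPIs and lifetimes
are invented.
"""
import re

# Constructed sample of 'show crypto isakmp sa' for one healthy L2L peer.
SAMPLE_ISAKMP = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
"""

# Constructed sample of the ESP SA part of 'show crypto ipsec sa'.
SAMPLE_IPSEC = """\
interface: Outside
    Crypto map tag: amzn_vpn_map_1, seq num: 1, local addr: 198.51.100.2

      access-list acl-amzn extended permit ip any 10.0.0.0 255.255.0.0
      current_peer: 203.0.113.10

    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         sa timing: remaining key lifetime (kB/sec): (4373999/3221)
    outbound esp sas:
      spi: 0x4D3C2B1A (1295788826)
         sa timing: remaining key lifetime (kB/sec): (4373999/3221)
"""


def parse_isakmp_sa(text):
    """Extract the SA counters and the per-peer role/state from 'show crypto isakmp sa'."""
    def counter(label):
        m = re.search(rf"{label}\s*:\s*(\d+)", text)
        return int(m.group(1)) if m else 0

    peers = [
        {"peer": m.group(1), "role": m.group(2), "state": m.group(3)}
        for m in re.finditer(
            r"IKE Peer:\s*(\S+).*?Role\s*:\s*(\S+).*?State\s*:\s*(\S+)", text, re.S)
    ]
    return {"active": counter("Active SA"), "rekey": counter("Rekey SA"),
            "total": counter("Total IKE SA"), "peers": peers}


def isakmp_healthy(text):
    """Return (ok, reasons). Healthy means at least one active IKE SA and every
    listed peer in MM_ACTIVE (main mode complete); any other MM_* state means
    phase 1 is still negotiating or has stalled."""
    sa = parse_isakmp_sa(text)
    reasons = []
    if sa["active"] < 1:
        reasons.append("no active IKE SA")
    if not sa["peers"]:
        reasons.append("no IKE peer listed")
    for p in sa["peers"]:
        if p["state"] != "MM_ACTIVE":
            reasons.append(f"peer {p['peer']} in state {p['state']}")
    return (not reasons, reasons)


def count_esp_sas(text):
    """Count SPIs under 'inbound esp sas:' / 'outbound esp sas:' and return the
    smallest remaining key lifetime (seconds) seen, or None if none was printed."""
    counts = {"inbound": 0, "outbound": 0}
    min_life = None
    direction = None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("esp sas:"):
            direction = s.split()[0]          # 'inbound' or 'outbound'
        elif s.startswith("spi:") and direction in counts:
            counts[direction] += 1
        else:
            m = re.search(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)", s)
            if m:
                secs = int(m.group(2))
                min_life = secs if min_life is None else min(min_life, secs)
    return counts, min_life


def tunnel_healthy(isakmp_text, ipsec_text, min_lifetime_sec=60):
    """Combine both checks: phase 1 up, plus at least one inbound and one
    outbound ESP SA. A very low remaining lifetime is reported because the
    ASA should already have negotiated a replacement SA by then."""
    ok, reasons = isakmp_healthy(isakmp_text)
    counts, life = count_esp_sas(ipsec_text)
    for direction in ("inbound", "outbound"):
        if counts[direction] == 0:
            reasons.append(f"no {direction} ESP SA")
    if life is not None and life < min_lifetime_sec:
        reasons.append(f"remaining ESP key lifetime {life}s below {min_lifetime_sec}s")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(tunnel_healthy(SAMPLE_ISAKMP, SAMPLE_IPSEC))
```

Paste the real ASDM output into the two sample strings (or read it from files) to reuse the check; a Rekey SA count of 1 is expected while a rekey is in progress and is not treated as a failure here.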

Verify that the tunnel is up

Currently, Amazon lets you create a site-to-site VPN where at all times one tunnel is active (up) and one is passive (down). A monitoring service checks frequently if the active tunnel is up and, if not, brings the passive tunnel up instead. This ensures minimal downtime.

  1. Log in to your AWS Management Console and access your VPC service. In the top right corner of the screen, make sure that you’re working in the correct region.
  2. In the sidebar, locate the Virtual Private Network menu and select Site-to-Site VPN Connections.
  3. Select your VPN from the list and inspect the details at the bottom of the screen.
  4. Click Tunnel Details and verify that one of the tunnels is up.
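The Tunnel Details tab in the console shows the same per-tunnel status that the EC2 DescribeVpnConnections API returns in its VgwTelemetry list (one entry per tunnel, with Status UP or DOWN). The script below is an added example (not code from the Orka or AWS documentation) that evaluates that list the way step 4 does by eye: healthy means the connection is available and at least one tunnel is UP, with one UP and one DOWN being the normal active/passive state. The sample response is constructed; the VPN connection ID and tunnel addresses are placeholders, and the live lookup at the end assumes boto3 and AWS credentials are available.

```python
"""Check an AWS site-to-site VPN connection for an UP tunnel.

Added example (not from the Orka or AWS documentation): evaluates the
'VgwTelemetry' list that EC2 DescribeVpnConnections returns for a VPN
connection. The sample response is constructed; the connection ID and
tunnel addresses are placeholders.
"""
from datetime import datetime, timezone

# Constructed response in the shape of ec2.describe_vpn_connections().
SAMPLE_RESPONSE = {
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0123456789abcdef0",   # placeholder ID
        "State": "available",
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
             "LastStatusChange": datetime(2024, 1, 1, tzinfo=timezone.utc),
             "StatusMessage": "", "AcceptedRouteCount": 1},
            {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
             "LastStatusChange": datetime(2024, 1, 1, tzinfo=timezone.utc),
             "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
        ],
    }]
}


def tunnel_summary(vpn_connection):
    """One text line per tunnel: outside IP, status, last change, routes, message."""
    rows = []
    for t in vpn_connection.get("VgwTelemetry", []):
        rows.append(
            f"{t['OutsideIpAddress']:<16} {t['Status']:<5} "
            f"changed={t['LastStatusChange'].isoformat()} "
            f"routes={t.get('AcceptedRouteCount', 0)} {t.get('StatusMessage', '')}".rstrip()
        )
    return rows


def evaluate(vpn_connection):
    """Return (healthy, detail). The connection must be 'available' and at
    least one tunnel must be UP; both DOWN means the site-to-site VPN is out."""
    if vpn_connection.get("State") != "available":
        return False, f"connection state is {vpn_connection.get('State')}"
    tunnels = vpn_connection.get("VgwTelemetry", [])
    up = [t for t in tunnels if t["Status"] == "UP"]
    return (len(up) >= 1, f"{len(up)} of {len(tunnels)} tunnels UP")


def fetch_vpn_connection(vpn_id, region):
    """Live lookup with the real EC2 API; requires boto3 and AWS credentials."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_id])
    return resp["VpnConnections"][0]


if __name__ == "__main__":
    conn = SAMPLE_RESPONSE["VpnConnections"][0]   # swap for fetch_vpn_connection(...)
    for row in tunnel_summary(conn):
        print(row)
    print(evaluate(conn))
```

Replace the sample with `fetch_vpn_connection("vpn-...", "us-east-1")` (placeholder ID, your region) to run it against the real connection; the region must match the one selected in the console in step 1.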

Test traffic and visibility through the tunnel

Amazon VPC Documentation: How to Test the Customer Gateway Configuration