Introduction

When a site-to-site VPN tunnel drops, every flow between the connected networks stops, so cross-datacenter services fail even though nothing inside either site has changed. Tunnels most often drop after a configuration change on one peer, after a pre-shared key or certificate expires or is rotated on only one side, or after a change in the network path between the two gateways.

Symptoms

- VPN tunnel status shows "DOWN" on the firewall/VPN device
- Traffic between sites times out
- IKE negotiation fails in the logs
- Error: "Phase 1 negotiation failed" (IKEv1) or an AUTHENTICATION_FAILED / NO_PROPOSAL_CHOSEN notify (IKEv2)
- VPN was working and then dropped with no change on the local side

Common Causes

- Pre-shared key mismatch after a rotation applied to only one peer
- IKE proposal parameters changed on one side (encryption, integrity, DH group, IKE version)
- Network path change causing MTU issues (the tunnel stays up but large packets are dropped inside it)
- Dead Peer Detection (DPD) not configured or too slow, so a dead peer is not detected and the SA is never re-established
- NAT traversal configuration changed (a peer now behind NAT without NAT-T, or UDP 4500 newly filtered)

Step-by-Step Fix

1. **Check VPN tunnel status**:

   ```bash
   # Cisco ASA
   show vpn-sessiondb l2l
   # strongSwan (legacy ipsec tool or swanctl)
   ipsec statusall
   swanctl --list-sas
   # AWS VPN: per-tunnel state is in VgwTelemetry[].Status and StatusMessage
   aws ec2 describe-vpn-connections --vpn-connection-id vpn-xxx
   ```

2. **Check IKE logs**:

   ```bash
   # strongSwan: charon logs to syslog/journald; the unit name varies by distro
   journalctl -u strongswan --since "-1 hour"
   # Look for AUTHENTICATION_FAILED (PSK or certificate mismatch),
   # NO_PROPOSAL_CHOSEN / INVALID_KE_PAYLOAD (proposal or DH group mismatch)
   # and "giving up after N retransmits" (peer unreachable or DPD timeout).
   # Check firewall VPN logs on the other peer too: a responder usually logs
   # the real reason while the initiator only sees a generic failure.
   ```

3. **Restart the VPN tunnel**:

   ```bash
   # strongSwan: bring only the affected connection down and up
   ipsec down <conn> && ipsec up <conn>
   # ipsec restart bounces the whole daemon and drops every other tunnel too
   # Cisco ASA: clear the SAs for the peer so IKE renegotiates
   clear crypto ipsec sa peer <peer-ip>
   # Or through cloud provider console
   ```
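The three steps above as a diagnostic script. This is an added example, not part of the original runbook and not a vendor tool; it assumes strongSwan with charon logging to journald under the syslog identifier `charon`, and the log excerpts it classifies are constructed samples in strongSwan's IKEv2 log format, not output captured from a real tunnel.

```bash
#!/usr/bin/env bash
# Added example (not from the original runbook): map strongSwan IKE log
# lines to the common causes listed above so the operator knows which fix
# to apply. Assumes charon logs to journald with syslog identifier "charon".

# Constructed sample log excerpts (not captured from a real system), one per cause.
SAMPLE_LOG_PSK='13[IKE] <dc2|3> received AUTHENTICATION_FAILED notify error
13[IKE] <dc2|3> IKE_SA dc2[3] state change: CONNECTING => DESTROYING'
SAMPLE_LOG_PROPOSAL='14[IKE] <dc2|4> received NO_PROPOSAL_CHOSEN notify error
14[IKE] <dc2|4> IKE_SA dc2[4] state change: CONNECTING => DESTROYING'
SAMPLE_LOG_DEAD='15[IKE] <dc2|5> retransmit 5 of request with message ID 0
15[IKE] <dc2|5> giving up after 5 retransmits'
SAMPLE_LOG_OK='16[IKE] <dc2|6> IKE_SA dc2[6] established between 203.0.113.10[fw1]...198.51.100.20[fw2]
16[IKE] <dc2|6> CHILD_SA dc2-net{2} established with SPIs c1d2e3f4_i a1b2c3d4_o'

# Classify log text read from stdin; prints exactly one cause label.
# Most specific signatures are tested first. "behind NAT" is informational on
# healthy tunnels, so it is only reported when nothing else matches.
classify_ike_log() {
  local log
  log=$(cat)
  if printf '%s\n' "$log" | grep -Eq 'AUTHENTICATION_FAILED|MAC mismatched'; then
    echo psk_mismatch
  elif printf '%s\n' "$log" | grep -Eq 'NO_PROPOSAL_CHOSEN|INVALID_KE_PAYLOAD'; then
    echo proposal_mismatch
  elif printf '%s\n' "$log" | grep -q 'giving up after'; then
    echo peer_unreachable
  elif printf '%s\n' "$log" | grep -q 'behind NAT'; then
    echo nat_change
  elif printf '%s\n' "$log" | grep -Eq 'IKE_SA .* established'; then
    echo established
  else
    echo unknown
  fi
}

# Recommended action per cause, taken from the causes and steps above.
suggest_fix() {
  case "$1" in
    psk_mismatch)      echo "Re-enter the pre-shared key on both sides; look for a rotation applied to only one peer." ;;
    proposal_mismatch) echo "Compare IKE/ESP proposals (cipher, integrity, DH group) on both sides and align them." ;;
    peer_unreachable)  echo "Peer not answering: check the path, UDP 500/4500 filtering and DPD settings." ;;
    nat_change)        echo "NAT detected on the path: verify NAT traversal is enabled on both peers." ;;
    established)       echo "IKE_SA came up; if traffic still fails, test the MTU inside the tunnel." ;;
    *)                 echo "No known signature; read the full charon log around the failure." ;;
  esac
}

# Live collection: last hour of charon messages (assumes journald logging).
collect_ike_log() {
  journalctl -t charon --since "-1 hour" --no-pager
}

# Diagnose one named connection from the live log; charon tags lines with <conn|ike-id>.
diagnose_tunnel() {
  local cause
  cause=$(collect_ike_log | grep -F "<$1|" | classify_ike_log)
  echo "$1: $cause - $(suggest_fix "$cause")"
}
```

On the gateway, `diagnose_tunnel dc2` reads the live journal; to work from a saved log, `classify_ike_log < charon.log`. The labels are deliberately coarse: AUTHENTICATION_FAILED is also what a certificate mismatch produces, so treat `psk_mismatch` as "authentication material differs between peers".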

Prevention

- Monitor VPN tunnel status with alerts, and alert on flapping (a tunnel that is "up" but was re-established seconds ago) as well as on "down"
- Use certificate-based authentication instead of PSK; this removes PSK-rotation mismatches but adds certificate expiry as a failure mode, so monitor expiry dates too
- Configure Dead Peer Detection (DPD) with appropriate intervals and an action that re-establishes the SA (in strongSwan: `dpddelay`, `dpdtimeout`, `dpdaction=restart`)
- Document VPN configuration on both sides, including IKE version, proposals and lifetimes, so a change on one peer is visible as a diff
- Test VPN failover regularly
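A monitoring probe for the first prevention item, added here as an example (not from the original runbook or from strongSwan): it parses `swanctl --list-sas` output for a named connection, exits with Nagios-style codes (0 OK, 1 WARNING, 2 CRITICAL) and treats a tunnel re-established within the last `FLAP_WINDOW` seconds as flapping. The sample output it checks is constructed to match swanctl's format, not captured from a real system; connection names are assumed to contain no regex metacharacters.

```bash
#!/usr/bin/env bash
# Added example (not from the original runbook): alerting probe for a
# strongSwan site-to-site tunnel. Assumes `swanctl --list-sas` output in the
# format of the constructed sample below.

# Constructed sample of a healthy tunnel (not captured from a real system).
SAMPLE_UP=$(cat <<'EOF'
dc2: #3, ESTABLISHED, IKEv2, 1234abcd5678ef00_i* 00fe8765dcba4321_r
  local  'CN=fw1.example.com' @ 203.0.113.10[4500]
  remote 'CN=fw2.example.com' @ 198.51.100.20[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1201s ago, rekeying in 13101s
  dc2-net: #7, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 1201s ago, rekeying in 2312s, expires in 3599s
    in  c1d2e3f4,  12345 bytes,   100 packets,     2s ago
    out a1b2c3d4,  23456 bytes,   200 packets,     2s ago
    10.1.0.0/16 === 10.2.0.0/16
EOF
)
# Same tunnel, but re-established 30 s ago: "up" yet flapping.
SAMPLE_FLAP=$(printf '%s\n' "$SAMPLE_UP" | sed 's/established 1201s ago/established 30s ago/')

# check_tunnel CONN CHILD < swanctl-output
# 0: CONN ESTABLISHED and CHILD INSTALLED; 1: up but re-established within
# FLAP_WINDOW seconds (default 300); 2: IKE_SA or CHILD_SA missing.
check_tunnel() {
  local conn="$1" child="$2" out age
  out=$(cat)
  if ! printf '%s\n' "$out" | grep -Eq "^${conn}: #[0-9]+, ESTABLISHED,"; then
    echo "CRITICAL: IKE_SA $conn not ESTABLISHED"
    return 2
  fi
  if ! printf '%s\n' "$out" | grep -Eq "^ +${child}: #[0-9]+, reqid [0-9]+, INSTALLED,"; then
    echo "CRITICAL: CHILD_SA $child not INSTALLED (IKE up, but no traffic selectors)"
    return 2
  fi
  # Age of the IKE_SA: the "established Ns ago" line inside this connection's block.
  age=$(printf '%s\n' "$out" | sed -n "/^${conn}: #/,/^[^ ]/p" \
        | sed -n 's/^ *established \([0-9]*\)s ago.*/\1/p' | head -n 1)
  if [ -n "$age" ] && [ "$age" -lt "${FLAP_WINDOW:-300}" ]; then
    echo "WARNING: $conn re-established ${age}s ago (flapping?)"
    return 1
  fi
  echo "OK: $conn/$child up for ${age:-?}s"
  return 0
}

# Live probe for use from cron or a monitoring agent.
probe_tunnel() {
  swanctl --list-sas --ike "$1" | check_tunnel "$1" "$2"
}
```

Run `probe_tunnel dc2 dc2-net` from the monitoring agent; the exit code drives the alert. Checking the CHILD_SA separately matters because an IKE_SA can be ESTABLISHED while the CHILD_SA negotiation failed on a mismatched ESP proposal, which a status check that only looks for "ESTABLISHED" would miss.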