AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 354
A company installed an AWS Site-to-Site VPN and configured it to use two tunnels. The company has learned that the VPN connectivity is unstable. During a ping test from the on-premises data center to AWS, a network engineer notices that the first few ICMP replies time out but that subsequent requests are successful.
The AWS Management Console shows that the status for both tunnels last changed at the same time the ping responses were successfully received.
Which steps should the network engineer take to resolve the instability? (Choose two.)
Answer options
- A. Enable dead peer detection (DPD) on the customer gateway device.
- B. Change the tunnel configuration to active/standby on the virtual private gateway.
- C. Use AS PATH prepending on one path to cause all traffic to prefer that tunnel.
- D. Send ICMP requests to an instance in the VPC every 5 seconds from the on-premises network.
- E. Use a higher multi-exit discriminator (MED) value on the preferred path to prefer that tunnel.
Correct answer: A, D
Explanation
Enabling Dead Peer Detection (DPD) on the customer gateway ensures that the device can quickly detect when a tunnel goes down and steer traffic appropriately. Sending continuous ICMP requests from the on-premises network to AWS keeps the VPN tunnel active, preventing it from being torn down due to idle timeouts, which caused the initial ping drops; the tunnel status change in the console coinciding with the first successful replies shows the tunnel was being re-established on demand. Other options, such as manually changing the virtual private gateway to active/standby or using a higher MED (which actually de-prioritizes a path), do not resolve the idle timeout issue.