Running into issues with eero SimpleConnect? Don't worry—we've got you covered. Here's how to troubleshoot the most common problems.
Before you start troubleshooting
Make sure you've checked off these basics:
- Your network is eero for Business
- You're using eero PoE Gateway at your remote sites
- You have an IP plan for all your network sites
- SimpleConnect is enabled for your organization
- Your Transit Gateway (TGW) or Cloud WAN is configured in your AWS account
SimpleConnect is configured, but traffic isn't passing through
If you've set everything up but traffic still isn't flowing, here's what to check:
1. Review your AWS Network ACL rules and Security Groups
Your AWS Network Access Control Lists (ACLs) and Security Groups control what traffic can flow through your network. Make sure they're configured to allow the traffic you need.
2. Check that ICMP is allowed for PING testing
ICMP (Internet Control Message Protocol) lets you test connectivity with PING. If ICMP isn't allowed, you won't be able to test whether your connection is working.
3. Verify your VPN tunnels are established
Your Site-to-Site VPN needs active tunnels to pass traffic. Check your VPN tunnel status in eero Insight to make sure they're up and running.
4. Look for overlapping routes
If you have routes that overlap between your local network and AWS, traffic won't know where to go. Review your routing tables to make sure each route is unique.
5. Ensure BGP is configured with non-conflicting ASNs
If you're using BGP (Border Gateway Protocol) for routing, make sure your Autonomous System Numbers (ASNs) don't conflict with each other. Each ASN needs to be unique.
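Checks 4 and 5 can be run against your IP plan before you touch any route table. The script below is an added example, not eero or AWS code; the site names, CIDR blocks and ASNs in `SAMPLE_PLAN` are constructed placeholders that you replace with your own plan.

```python
"""Scan an IP plan for overlapping CIDR blocks and reused BGP ASNs."""
from collections import defaultdict
from ipaddress import ip_network
from itertools import combinations

# Constructed sample plan: names, CIDRs and ASNs are placeholders, not real values.
SAMPLE_PLAN = [
    {"name": "aws-vpc-prod", "asn": 64512, "cidrs": ["10.0.0.0/16"]},
    {"name": "site-denver", "asn": 65010, "cidrs": ["10.0.8.0/24", "192.168.10.0/24"]},
    {"name": "site-austin", "asn": 65011, "cidrs": ["192.168.20.0/24"]},
    {"name": "site-boise", "asn": 65010, "cidrs": ["192.168.30.0/24"]},
]


def find_overlaps(plan):
    """Return (owner_a, cidr_a, owner_b, cidr_b) for every overlapping prefix pair."""
    # strict=True rejects entries with host bits set (e.g. 10.0.8.1/24),
    # which usually means a typo in the plan.
    prefixes = [
        (entry["name"], ip_network(cidr, strict=True))
        for entry in plan
        for cidr in entry["cidrs"]
    ]
    overlaps = []
    for (name_a, net_a), (name_b, net_b) in combinations(prefixes, 2):
        # IPv4 and IPv6 prefixes are compared only within their own family.
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return overlaps


def find_asn_conflicts(plan):
    """Return {asn: [names]} for every ASN assigned to more than one entry."""
    by_asn = defaultdict(list)
    for entry in plan:
        by_asn[entry["asn"]].append(entry["name"])
    return {asn: names for asn, names in by_asn.items() if len(names) > 1}


if __name__ == "__main__":
    for a, cidr_a, b, cidr_b in find_overlaps(SAMPLE_PLAN):
        print(f"OVERLAP    {a} {cidr_a} <-> {b} {cidr_b}")
    for asn, names in find_asn_conflicts(SAMPLE_PLAN).items():
        print(f"ASN REUSE  {asn}: {', '.join(names)}")
```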
Issues with Transit Gateway or Cloud WAN
Transit Gateway problems:
- Check that your routes are in the correct route table
Your Transit Gateway uses route tables to direct traffic. Make sure your routes are in the right table for your setup.
- Add a return route from your VPCs to remote resources
Traffic needs to know how to get back to where it came from. Verify that you've added return routes from your Virtual Private Clouds (VPCs) to your remote resources.
- Verify you've selected the required subnets in SimpleConnect settings
Double-check that you've selected all the subnets you need in your SimpleConnect configuration.
Cloud WAN problems:
- Verify your Cloud WAN policies place sites in the desired segment
Cloud WAN uses policies to organize your sites into segments. Make sure your policies are routing sites to the right segments.
- Check that your Core Network Policy includes the VPN tag
Your Core Network Policy needs to include the VPN tag for SimpleConnect to work properly. Review your policy to confirm it's there.
SimpleConnect can only access AWS resources (can't reach the internet)
If you can reach AWS resources but nothing else, check your Split Tunneling configuration:
- Review your Split Tunneling settings
Split Tunneling lets you define which traffic goes through the VPN and which goes directly to the internet. Make sure your CIDR blocks are configured correctly.
- Verify routes via NAT Gateway and Internet Gateway exist
For internet access, you'll need routes through your NAT Gateway (for private subnets) or Internet Gateway (for public subnets). Check that these routes are in place.
Site-to-Site VPN tunnels are down
If your VPN tunnels keep going down, the problem might be with your authentication method:
PSK (Pre-Shared Key) authentication issue:
When you use PSK authentication, your VPN tunnel is tied to your site's IP address. If your ISP changes your IP address, the tunnel will fail.
Solution: Consider switching to certificate-based authentication instead. Certificates aren't tied to IP addresses, so they'll keep working even if your IP changes. To use certificate-based authentication, you will need to use a private certificate from AWS Private Certificate Authority (CA) to authenticate your VPN.
- Create a private certificate from a subordinate CA using AWS Private Certificate Authority (AWS Private CA).
- Create a service-linked role to generate and use the certificate for the AWS side of the Site-to-Site VPN tunnel endpoint.
If you do not specify an IP address for the customer gateway, AWS will not check it, which lets the gateway move to another IP address without the VPN needing to be reconfigured.
Still need help?
If you've tried these troubleshooting steps and you're still having issues, we're here to help. Contact eero support, and we'll work with you to get SimpleConnect up and running.