Cause: Two or more VPN tunnels with overlapping encryption domains are reaching the same host(s). The VPN gateway flags the packet as VPN traffic but is unable to decide which tunnel to send it through, because the source and destination criteria match more than one tunnel.

I'm trying to establish a VPN tunnel with a remote site. The engineer at the remote site wanted to know what the encryption domain was.

That is correct, the encryption domain must match at both ends. If your side or the other side changes the network IDs pertaining to that particular tunnel policy, both ends must update the access list accordingly in order for the VPN tunnel to successfully come up when sending traffic between the two networks.

For example, if you are using policy-based routing, verify that you have correctly defined the source and destination networks in your encryption domain to one single Security Association (SA). Likewise, if your VPN tunnels are route-based, confirm that you have correctly configured one single route pair (inbound/outbound) in your Phase 2 IPsec SA.

AWS Client VPN is a fully-managed, elastic VPN service that automatically scales up or down based on user demand. Because it is a cloud VPN solution, you don’t need to install and manage hardware or software-based solutions, or try to estimate how many remote users to support at one time.

The main difference with a route-based VPN is that a tunnel interface (VTI) is created and assigned to your external interface. Any traffic that you wish to encrypt is routed to this tunnel interface. Access to and from the VPN is then controlled via the use of a policy.

Alternatively, you can change your split-tunnel-policy to "tunnelall" in order to send all traffic (including Internet traffic!) over the tunnel; however, you will then need to make some more changes to allow the Internet traffic to make a U-turn at the ASA, see e.g. AnyConnect VPN Client U-turning Configuration Examples.

Re-validate the encryption domain (local and remote subnets in the VPN): both ends should match exactly, including the CIDR.

Re-check the Phase 1 and Phase 2 lifetime settings at both ends of the tunnel (the Phase 1 lifetime should be higher than the Phase 2 lifetime).