Trying to set up dial-on-demand on a LAN-LAN tunnel to Amazon AWS VPC gateway. If I leave the tunnel in "always-on" mode, it's fine.
Because AWS charge per connection hour and we need several branch offices to connect directly to the VPC (all 2820 or 3200), we would prefer dial-on-demand.
I thought that the schedule option was right for this; however, I've set it to a specific start date (about a month ago) from 00:00 with duration 23:59, action is set to dial-on-demand and idle timeout is 0 (tried various numbers with no difference). "How often" is set to every day of week and weekends.
Our 3200 at the main office is on firmware 3.3.7.2 (latest). I have put the schedule ID in the VPN dial-out settings section under schedule.
What I expect is to leave it disconnected and from a shell, ping or ssh to a known working IP inside the VPC and it should connect automatically within a few seconds.
I have syslog enabled and no activity occurs.
Has anyone had this issue, or can anyone suggest where I might be going wrong?