How do I troubleshoot a failed BGP connection between Site-to-Site VPN and Direct Connect?


My Border Gateway Protocol (BGP) session can't establish a connection between my AWS Site-to-Site VPN and AWS Direct Connect.

Resolution

To troubleshoot a failed BGP connection between Site-to-Site VPN and Direct Connect, take the following actions.

Check the connection between Direct Connect and Site-to-Site VPN

Complete the following steps:

  1. Check whether the Direct Connect connection's state is available and the link is UP.
  2. Check whether the virtual interface's state is available (UP).
  3. If the connection uses a public or transit virtual interface, then verify that both BGP peer IP addresses (the Amazon address and the customer address) fall within the CIDR range that you specified for the peering.
  4. Verify that the VPN tunnels are UP and that BGP routes are exchanged over them.
  5. If the tunnels are UP but BGP is DOWN, then troubleshoot the Site-to-Site VPN connection itself (customer gateway BGP ASN, inside tunnel IP addresses, and the route quota).

Verify the number of routes

Important: A BGP session accepts a maximum of 100 routes advertised from the customer gateway. If the number of advertised routes exceeds the quota, then the BGP session's status changes from Established to Idle. For more information, see Troubleshooting AWS Site-to-Site VPN customer gateway device.

On the customer gateway, verify that fewer than 100 routes are advertised over each BGP session. If the number of routes exceeds the quota, then reduce the number of advertised routes, for example by summarizing (aggregating) the prefixes or by advertising a default route instead of the individual prefixes.
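The following is an added example, not AWS code or a customer gateway configuration, that shows how to bring an advertised route set under the 100-route quota before you change the customer gateway. It first merges only adjacent or overlapping prefixes (which announces no extra address space) and, only if that is still over the quota, widens the most specific prefixes one bit at a time. The prefix list, the quota constant and the helper names are constructed for this example.

```python
"""Summarize a customer gateway's advertised prefixes to fit a per-session route quota.

Added example, not AWS code. The sample prefix list below is constructed for this
example; replace it with the prefixes your customer gateway actually advertises.
"""
import ipaddress

ROUTE_QUOTA = 100  # routes a customer gateway may advertise per BGP session (AWS quota)


def _networks(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def summarize_routes(prefixes, quota=ROUTE_QUOTA):
    """Return a set of summaries that covers every prefix and fits within `quota`.

    Step 1 merges adjacent/overlapping prefixes exactly, so nothing beyond the
    original address space is announced. Step 2 (only when still over the quota)
    widens the longest prefixes by one bit and merges again. Widening announces
    address space beyond the originals, so confirm you are authorised to advertise
    the resulting aggregates before configuring them (check `extra_space`).
    """
    nets = list(ipaddress.collapse_addresses(_networks(prefixes)))
    while len(nets) > quota:
        longest = max(n.prefixlen for n in nets)
        if longest == 0:
            break  # everything has already collapsed into a default route
        widened = [n.supernet() if n.prefixlen == longest else n for n in nets]
        nets = list(ipaddress.collapse_addresses(widened))
    return nets


def covers(summaries, prefixes):
    """True when every original prefix lies inside some summary (no route was dropped)."""
    return all(any(n.subnet_of(s) for s in summaries) for n in _networks(prefixes))


def extra_space(summaries, prefixes):
    """Number of addresses the summaries announce beyond the original prefixes."""
    originals = ipaddress.collapse_addresses(_networks(prefixes))
    return sum(s.num_addresses for s in summaries) - sum(n.num_addresses for n in originals)


# Constructed sample: 120 non-adjacent /24s, i.e. more than the quota and not
# collapsible without widening. Only even third octets are used on purpose.
SAMPLE_PREFIXES = [f"10.0.{third}.0/24" for third in range(0, 240, 2)]

if __name__ == "__main__":
    summaries = summarize_routes(SAMPLE_PREFIXES)
    print(f"{len(SAMPLE_PREFIXES)} prefixes -> {len(summaries)} summaries")
    for s in summaries:
        print(" ", s)
    print("all originals covered:", covers(summaries, SAMPLE_PREFIXES))
    print("extra addresses announced:", extra_space(summaries, SAMPLE_PREFIXES))
```

Use `extra_space` as the go/no-go check: a non-zero value means the aggregates advertise address space that the individual prefixes did not, which is acceptable only if that space is yours and nothing else legitimately routes it. When the customer gateway is the only path out of the VPC, advertising a single default route is the simpler alternative.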

Check the BGP configuration and status

Take the following actions:

  • If the BGP session's status is DOWN, then verify that the virtual interface's status is UP.
  • If the virtual interface is DOWN, then make sure that Open Systems Interconnection (OSI) layer 2 and BGP are correctly configured.
  • If the BGP session flaps, or its status goes from UP to DOWN and stays in the Idle state, then troubleshoot the Direct Connect connection.
    Note: Make sure that layers 1 and 2 are established first. If the layers are established but BGP still flaps, then troubleshoot the BGP session itself.
  • If the connection is a hosted connection, then check with the hosting partner whether they're experiencing issues that prevent the BGP session from establishing.
  • If the BGP session's status is UP, then verify that the routes propagate.
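The checks in the preceding sections (connection and virtual interface state, BGP peer status, tunnel status, and the route quota) can be run against the output of `aws directconnect describe-connections`, `aws directconnect describe-virtual-interfaces` and `aws ec2 describe-vpn-connections`. The following is an added example, not AWS code, that triages those three responses. It uses the real field names from those APIs, but the records below are constructed for the example, the 90 percent warning threshold is a choice made here, and the `IPSEC IS UP` text match on `StatusMessage` is an assumption about the telemetry string rather than a documented contract.

```python
"""Triage BGP over Direct Connect and Site-to-Site VPN from CLI/API output.

Added example, not AWS code. Feed it the parsed JSON from:
  aws directconnect describe-connections        -> connections
  aws directconnect describe-virtual-interfaces -> virtualInterfaces
  aws ec2 describe-vpn-connections              -> VpnConnections
The sample records at the bottom are constructed for this example.
"""
import ipaddress

ROUTE_QUOTA = 100          # routes accepted per BGP session (AWS quota)
WARN_FRACTION = 0.9        # assumption made here: warn at 90% of the quota


def check_direct_connect(connections, virtual_interfaces):
    """Return (severity, message) findings for the Direct Connect side."""
    findings = []
    for conn in connections:
        state = conn["connectionState"]
        if state != "available":
            findings.append(("critical", f"{conn['connectionId']}: connection is {state}; "
                             "fix layer 1/2 (or ask the hosting partner) before looking at BGP"))
    for vif in virtual_interfaces:
        vid, vtype, vstate = vif["virtualInterfaceId"], vif["virtualInterfaceType"], vif["virtualInterfaceState"]
        if vstate != "available":
            findings.append(("critical", f"{vid}: virtual interface is {vstate}; check layer 2 before BGP"))
            continue
        for peer in vif.get("bgpPeers", []):
            amazon = ipaddress.ip_interface(peer["amazonAddress"])
            customer = ipaddress.ip_interface(peer["customerAddress"])
            if peer["bgpStatus"] != "up":
                findings.append(("critical", f"{vid}: BGP peer {customer.ip} is {peer['bgpStatus']}"))
            # Both peer addresses must sit in the same peering subnet (the CIDR you specified).
            if amazon.network != customer.network:
                findings.append(("warning", f"{vid} ({vtype}): peer addresses {amazon} and {customer} "
                                 "are not in the same peering CIDR"))
    return findings


def check_vpn(vpn_connections, quota=ROUTE_QUOTA):
    """Return (severity, message) findings per VPN tunnel from VgwTelemetry."""
    findings = []
    for vpn in vpn_connections:
        vid = vpn["VpnConnectionId"]
        for tunnel in vpn.get("VgwTelemetry", []):
            ip, msg = tunnel["OutsideIpAddress"], tunnel.get("StatusMessage", "")
            if tunnel["Status"] != "UP":
                if "IPSEC IS UP" in msg:   # assumption: IPsec up, so the failure is BGP
                    findings.append(("critical", f"{vid} tunnel {ip}: IPsec is up but BGP is down; "
                                     "check the customer gateway BGP ASN, inside IPs, TCP/179 and the route quota"))
                else:
                    findings.append(("critical", f"{vid} tunnel {ip}: tunnel down ({msg}); "
                                     "troubleshoot IPsec before BGP"))
                continue
            routes = tunnel.get("AcceptedRouteCount", 0)
            if routes >= quota:
                findings.append(("critical", f"{vid} tunnel {ip}: {routes} routes, quota {quota} reached; "
                                 "summarize routes or advertise a default route"))
            elif routes >= quota * WARN_FRACTION:
                findings.append(("warning", f"{vid} tunnel {ip}: {routes} routes, close to quota {quota}"))
    return findings


# Constructed sample data (IDs and addresses are placeholders, not real resources).
SAMPLE_CONNECTIONS = [{"connectionId": "dxcon-example1", "connectionState": "available"}]
SAMPLE_VIFS = [
    {"virtualInterfaceId": "dxvif-example1", "virtualInterfaceType": "private",
     "virtualInterfaceState": "available",
     "bgpPeers": [{"amazonAddress": "169.254.255.1/30", "customerAddress": "169.254.255.2/30", "bgpStatus": "up"}]},
    {"virtualInterfaceId": "dxvif-example2", "virtualInterfaceType": "transit",
     "virtualInterfaceState": "available",
     "bgpPeers": [{"amazonAddress": "169.254.254.1/30", "customerAddress": "169.254.253.2/30", "bgpStatus": "down"}]},
]
SAMPLE_VPNS = [{"VpnConnectionId": "vpn-example1", "VgwTelemetry": [
    {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": "IPSEC IS UP", "AcceptedRouteCount": 98},
    {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "StatusMessage": "IPSEC IS UP", "AcceptedRouteCount": 0},
]}]

if __name__ == "__main__":
    for sev, message in check_direct_connect(SAMPLE_CONNECTIONS, SAMPLE_VIFS) + check_vpn(SAMPLE_VPNS):
        print(f"[{sev}] {message}")
```

The ordering mirrors the article: a connection or virtual interface that is not available is reported and its BGP peers are skipped, because BGP cannot be diagnosed until layers 1 and 2 are up. On the VPN side a tunnel that is DOWN while IPsec is up points at the BGP configuration or the route quota rather than at the tunnel.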

Verify that the routes propagate

On the transit gateway route table and the virtual private cloud (VPC) route tables, verify that the routes learned from the customer gateway over the virtual interface are propagated on the AWS side. If the routes don't propagate correctly, then reconfigure the route tables (for example, turn on route propagation for the gateway attachment).

Check the customer gateway device's configurations

Complete the following steps:

  1. On the customer gateway device, verify that the routes learned through BGP are installed in its route table.
  2. Make sure that the customer gateway device's firewalls allow the BGP session (TCP port 179) to and from the AWS peer address, and the tunnel traffic, both inbound and outbound.
  3. Confirm that the BGP community tags are configured correctly.
  4. If the Direct Connect connection involves a partner or last-mile service provider, then verify with them that a maintenance event doesn't coincide with the failed connection.

Use VPC Flow Logs to monitor traffic

Use Amazon Virtual Private Cloud (Amazon VPC) Flow Logs and Transit Gateway Flow Logs to monitor traffic over Direct Connect. Monitor logs for timestamps that correspond with your error to identify where traffic is rejected or dropped.

Related information

AWS Site-to-Site VPN customer gateway devices

AWS OFFICIAL, updated 3 months ago