Site 2 Site VPN Using Customer Gateway and Virtual Private Gateway and Dynamic Routing (BGP)

Given that your BGP neighbor status is fluctuating between 'active' and 'connect', it suggests there may be an issue with the underlying VPN connection stability, incorrect BGP configuration (such as incorrect AS numbers, IP addresses, or neighbor configurations), or network reachability issues.

Ensure all configurations, especially those related to neighbor setup and static network advertisements, are correct.

Supported links:

• https://www.draytek.com/support/knowledge-base/5316
• https://www.draytek.co.uk/support/guides/kb-bgp-setup
• https://www.draytek.com/support/knowledge-base/5316
• https://www.draytek.co.uk/support/guides/kb-bgp-setup

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

Hello Tim,

If your BGP session is failing at Connect state, it means that your peers are unable to complete the TCP handshake. BGP works on TCP port 179. You need to ensure your CGW has rules to allow TCP connection to and from port 179 and ephemeral to complete the handshake. See here for a good guide on troubleshooting BGP sessions. https://repost.aws/articles/ARIKYhXEYyQQqtO2ulKERrbw/bgp-negotiation-over-aws-site-to-site-vpn-and-direct-connect-troubleshooting-strategies-for-efficient-networking

To add on to the comments above, if IPSec is UP but BGP is down it could be that connectivity between the inside tunnel interfaces (169.254.x.x/30 addresses) is failing. You can confirm this by pinging the AWS side inside tunnel IP address. If that fails please confirm that the 169.254.x.x/30 range is part of the phase 2 traffic selectors.