Can't ping AWS-side of the tunnel from on-premise router


Simple setup: VPC with public and private subnets, VPG, S2S VPN connection with an on-prem router, static routing. Downloaded config for the router (Cisco ISR 1921) from the VPN Connection page and successfully applied it. Now I have 2 tunnels to the VPC, and I want to set up SLAs to track tunnel state and modify the ISR route table accordingly. Tunnel 1: 169.254.1.6/30, Tunnel 2: 169.254.2.6/30

ip sla 100
 icmp-echo 169.254.1.5 source-interface Tunnel1
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
 icmp-echo 169.254.2.5 source-interface Tunnel2
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 200 life forever start-time now

But I got timeouts for both SLAs.

Tried to ping the AWS end from the router manually, with the same result:

chd-r0-c1921#show ip route 169.254.1.5
Routing entry for 169.254.1.4/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Tunnel1
      Route metric is 0, traffic share count is 1
chd-r0-c1921#
chd-r0-c1921#
chd-r0-c1921#ping 169.254.1.5 source Tunnel1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.1.5, timeout is 2 seconds:
Packet sent with a source address of 169.254.1.6
.....
Success rate is 0 percent (0/5)
chd-r0-c1921#
asked 2 years ago · 826 views
2 Answers

IP addressing seems correct. Are you able to confirm that the tunnels are indeed up? You should be able to ping them.

AWS
answered 2 years ago

Yes, both tunnels are working. I've added a static route to the config:

ip route 10.110.0.0 255.255.0.0 Tunnel2

and now can successfully communicate between on-prem VMs and AWS instances (both private and public segments). Also, I can change the route to Tunnel1, and it works too. But I need to set up SLAs to automatically switch between tunnels. Checked one more time just now. Still no ping:

chd-r0-c1921#ping 169.254.2.5 source tunnel 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.2.5, timeout is 2 seconds:
Packet sent with a source address of 169.254.2.6
.....
Success rate is 0 percent (0/5)
chd-r0-c1921#ping 10.110.110.96
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.110.110.96, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
chd-r0-c1921#ping 10.110.110.96 sour
chd-r0-c1921#ping 10.110.110.96 source vlan 41
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.110.110.96, timeout is 2 seconds:
Packet sent with a source address of 10.100.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/67/72 ms
chd-r0-c1921#

https://i.imgur.com/KnWQEo2.png

answered 2 years ago