
Ping fails over tunnel-less Connect between Viptela 8K (EC2) and Cloud WAN

0

Hey All, I've set up a tunnel-less connect between a Viptela 8000V (EC2 instance) and AWS Cloud WAN. Route exchange is working correctly — both Viptela and Cloud WAN are learning each other’s prefixes via BGP.

However, I'm facing the following issue:

  • When I ping from on-prem to a Cloud WAN-attached VPC via on-prem Viptela > EU Viptela 8K > Cloud WAN, the ping fails.
  • When I ping from the Viptela EC2 instance, sourcing traffic from vrf 1, the ping succeeds — confirming that routes are present and reachability exists from that VRF.
  • Tracepath from on-prem shows the packet reaching the Viptela EC2's outside ENI, but it doesn’t go further.

I've verified the following:

  • Security Groups and NACLs are open and allow required traffic.
  • Cross-region communication in Cloud WAN is working as expected.
  • There is no firewall blocking on the VPC side or in Cloud WAN segments.

My assumption is that the traffic from on-prem is reaching the Viptela EC2, but is not being forwarded internally unless sourced from vrf 1. What could be the reason that on-prem traffic terminates at the outside interface of Viptela EC2 but does not get forwarded?

asked 4 months ago, 51 views
1 Answer
0

Based on your description, the most likely issue is that the Source/Destination Check is still enabled on your Viptela 8000V EC2 instance.

When Source/Destination Check is enabled (which is the default setting for EC2 instances), AWS drops packets where the EC2 instance isn't the source or destination of the traffic. This prevents the instance from functioning as a router or forwarding traffic between networks.

Since your on-prem traffic is reaching the outside ENI of the Viptela EC2 but not being forwarded, while traffic sourced directly from the instance's VRF 1 works fine, this strongly indicates a Source/Destination Check issue.

To resolve this:

  1. Disable the Source/Destination Check on the Viptela 8000V EC2 instance's network interfaces
  2. This will allow the instance to forward traffic between your on-premises network and the Cloud WAN-attached VPCs

Disabling this check should not negatively impact any existing working traffic. It only removes restrictions rather than changing routing behavior. This is a standard configuration requirement for any EC2 instance that needs to function as a router, NAT device, or network appliance.

After making this change, monitor both your existing connections and the new Cloud WAN connectivity to ensure everything is working as expected.
Sources
Source/Destination Check on viptela 8000 ( EC2 instance ) | AWS re:Post
Ping Fail for scenario that EC2 Server2 ping VPN Interface IP in EC2 Server1 | AWS re:Post

answered 4 months ago
AWS
EXPERT
reviewed 4 months ago
  • In addition to the above, please also verify the following:

    1. The routing configuration within the Viptela 8000V EC2 to ensure that packets received from on-prem are routed correctly to the Core Network
    2. Leverage VPC flow logs to determine whether traffic is forwarded out by the Viptela 8000V EC2.
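To act on both the answer above (audit and disable the Source/Destination Check on every ENI of the appliance) and the follow-up comment (use VPC flow logs to see whether the appliance actually forwards the on-prem flow), here is an added Python example. It is not code from the re:Post answer, from Cisco, or from AWS. The live AWS calls assume boto3 is installed and credentials are configured; the instance id, ENI ids, addresses and flow log records are constructed, and the "outside"/"inside" ENI roles are assumed from the thread's description.

```python
"""Two checks for an EC2-hosted router such as the Viptela 8000V in the thread:
(1) find attached ENIs that still have Source/Destination Check enabled and turn
it off, (2) read VPC flow log records for the on-prem -> VPC flow and report
whether the appliance is seen forwarding it out of its inside ENI.

Added example, not from the re:Post answer, Cisco or AWS. All ids, addresses
and log lines below are constructed; the AWS calls assume boto3 + credentials.
"""
from collections import Counter

# Constructed stand-in for the response of
# ec2.describe_network_interfaces(Filters=[{"Name": "attachment.instance-id", ...}])
SAMPLE_DESCRIBE = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0a000000000000001", "Description": "viptela outside",
         "SourceDestCheck": True, "Attachment": {"DeviceIndex": 0}},
        {"NetworkInterfaceId": "eni-0b000000000000002", "Description": "viptela inside",
         "SourceDestCheck": False, "Attachment": {"DeviceIndex": 1}},
    ]
}


def enis_with_check_enabled(describe_output):
    """Ids of interfaces whose SourceDestCheck is still True. Every ENI the
    appliance forwards through needs it off, not only the outside one."""
    return [
        eni["NetworkInterfaceId"]
        for eni in describe_output["NetworkInterfaces"]
        if eni.get("SourceDestCheck", True)
    ]


def disable_source_dest_check(instance_id, ec2=None):
    """Look up the instance's ENIs and disable the check where it is still on.
    Returns the list of ENI ids that were modified. `ec2` may be injected
    (e.g. a fake client) so the logic can be exercised without AWS access."""
    if ec2 is None:
        import boto3  # assumption: boto3 available and AWS credentials configured
        ec2 = boto3.client("ec2")
    described = ec2.describe_network_interfaces(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}]
    )
    to_fix = enis_with_check_enabled(described)
    for eni_id in to_fix:
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False}
        )
    return to_fix


# Default VPC flow log format (version 2), space separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_FIELDS = ("version", "account", "eni", "src", "dst", "srcport", "dstport",
                   "proto", "packets", "bytes", "start", "end", "action", "status")

# Constructed records: ICMP (protocol 1) from an on-prem host 10.1.1.10 to a
# VPC host 10.20.0.5 is accepted on the outside ENI in two intervals, but no
# record of that flow exists on the inside ENI; the only inside record is a
# ping sourced from the appliance itself (its inside address 172.16.1.5).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a000000000000001 10.1.1.10 10.20.0.5 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a000000000000001 10.1.1.10 10.20.0.5 0 0 1 4 336 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0b000000000000002 172.16.1.5 10.20.0.5 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b000000000000002 - - - - - - - 1700000120 1700000180 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts; lines of another shape are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_LOG_FIELDS) or parts[0] != "2":
            continue
        records.append(dict(zip(FLOW_LOG_FIELDS, parts)))
    return records


def transit_packets_per_eni(records, src, dst, proto="1"):
    """Accepted packets of the src->dst flow, counted per ENI (NODATA lines carry
    no counts and are excluded by the action filter)."""
    counts = Counter()
    for r in records:
        if r["src"] == src and r["dst"] == dst and r["proto"] == proto and r["action"] == "ACCEPT":
            counts[r["eni"]] += int(r["packets"])
    return dict(counts)


def transit_forwarded(records, src, dst, outside_eni, inside_eni, proto="1"):
    """True only when the flow is seen both arriving on the outside ENI and
    leaving on the inside ENI, i.e. the appliance actually forwarded it."""
    counts = transit_packets_per_eni(records, src, dst, proto)
    return counts.get(outside_eni, 0) > 0 and counts.get(inside_eni, 0) > 0


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("ENIs still checking src/dst:", enis_with_check_enabled(SAMPLE_DESCRIBE))
    print("packets per ENI:", transit_packets_per_eni(recs, "10.1.1.10", "10.20.0.5"))
    print("forwarded:", transit_forwarded(recs, "10.1.1.10", "10.20.0.5",
                                          "eni-0a000000000000001", "eni-0b000000000000002"))
```

Run `disable_source_dest_check("<instance-id>")` against a real account only after confirming with the audit function which ENIs it will touch; the flow-log helpers take the raw text you export from CloudWatch Logs or S3 and give you the per-ENI packet counts that distinguish "reached the appliance" from "left the appliance", which is exactly the gap the tracepath in the question shows.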
