Unable to ping remote side of Cisco VTI tunnel or establish BGP session

I have set up two tunnels between AWS and a Cisco ASA using VTI and dynamic routing. The tunnel interfaces come up/up and the AWS console shows that IPSEC is UP. BGP debugging shows 'BGP: <AWS tunnel ip> open failed: Connection refused by remote host'. I'm unable to ping the AWS tunnel IPs. I can ping the AWS tunnel IPs on other ASAs connected to other VPCs. I've deleted the Site-to-Site tunnel and recreated it with the same results. Any ideas on how to resolve this?

Argomenti

Networking e distribuzione di contenuti

Tag

Amazon VPC Networking e distribuzione di contenuti

Lingua

English

PWarren

posta 9 mesi fa402 visualizzazioni

1 Risposta

Più recenti
Maggior numero di voti
Maggior numero di commenti

Queste risposte sono utili? Dai un voto positivo alla risposta corretta per aiutare la community a trarre vantaggio dalle tue conoscenze.

Check the BGP configuration on your customer gateway device and make sure the IP addresses and Autonomous System Numbers (ASN) of the local and remote BGP peers must be configured with the downloaded VPN configuration file.

Matt_E

con risposta 9 mesi fa

PWarren
9 mesi fa
Yes, the ASNs and addresses are configured as they are shown in the downloaded config.
Matt_E
9 mesi fa

On the Cisco ASA, modify the traffic selector (encryption domain) to 0.0.0.0/0 to both the local and remote CIDRs, and that will include the inside tunnel IP addresses 169.254.X.X

AWS is a route-based VPN and only supports a single security associations SA. When you modify the traffic selector to 0.0.0.0/0 on the Cisco ASA this will make sure you have a single SA.

On the AWS side, make sure the "Local IPv4 network CIDR" and "Remote IPv4 network CIDR" are at their default 0.0.0.0/0, this config can be found by choosing the VPN and then "Modify VPN connection options".

https://repost.aws/knowledge-center/vpn-connection-instability

Contenuto pertinente

Come faccio a utilizzare un BGP dinamico per creare un tunnel VPN tra AWS e Oracle Cloud Infrastructure?
AWS UFFICIALEAggiornata un anno fa
Come faccio a correggere l'errore "Unable to validate the following destination configurations" in AWS CloudFormation?
AWS UFFICIALEAggiornata 2 anni fa
Come posso risolvere l'errore di CloudFormation "Unable to assume role and validate" quando avvio una risorsa Amazon ECS?
AWS UFFICIALEAggiornata 4 mesi fa
Come posso ottenere il routing ECMP con più tunnel VPN sito-sito associati a un gateway di transito?
AWS UFFICIALEAggiornata un anno fa