Unable to ping remote side of Cisco VTI tunnel or establish BGP session

0

I have set up two tunnels between AWS and a Cisco ASA using VTI and dynamic routing. The tunnel interfaces come up/up and the AWS console shows that IPSEC is UP. BGP debugging shows 'BGP: <AWS tunnel ip> open failed: Connection refused by remote host'. I'm unable to ping the AWS tunnel IPs. I can ping the AWS tunnel IPs on other ASAs connected to other VPCs. I've deleted the Site-to-Site tunnel and recreated it with the same results. Any ideas on how to resolve this?

PWarren
Asked 9 months ago, 402 views
1 answer
0
  • Check the BGP configuration on your customer gateway device and make sure the IP addresses and Autonomous System Numbers (ASNs) of the local and remote BGP peers are configured as given in the downloaded VPN configuration file.
Matt_E (AWS)
Answered 9 months ago
  • Yes, the ASNs and addresses are configured as they are shown in the downloaded config.

    • On the Cisco ASA, modify the traffic selector (encryption domain) to 0.0.0.0/0 for both the local and remote CIDRs; that will include the inside tunnel IP addresses 169.254.X.X.
    • AWS is a route-based VPN and only supports a single security association (SA). Modifying the traffic selector to 0.0.0.0/0 on the Cisco ASA ensures you have a single SA.
    • On the AWS side, make sure the "Local IPv4 network CIDR" and "Remote IPv4 network CIDR" are at their default of 0.0.0.0/0; this setting can be found by choosing the VPN and then "Modify VPN connection options".

    https://repost.aws/knowledge-center/vpn-connection-instability
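The two checks in the comment above (does the ASA encryption domain cover the 169.254.x.x tunnel inside addresses and collapse to a single SA, and are the AWS-side network CIDR options still at their 0.0.0.0/0 default) can be expressed as a small offline checker. This is an added example, not code from the thread or from AWS; the ASA selector lists and the `Options` dictionary are constructed sample input, with field names taken from the EC2 `VpnConnectionOptions` structure returned by `describe-vpn-connections`. The checker assumes IPv4 selectors only.

```python
import ipaddress
from itertools import product


def selector_pairs(local_cidrs, remote_cidrs):
    """Expand a policy-based encryption domain into (local, remote) pairs.

    Each distinct pair is negotiated as its own IPsec SA, which is the
    behaviour that conflicts with the single-SA expectation of the AWS side.
    """
    return [(ipaddress.ip_network(loc), ipaddress.ip_network(rem))
            for loc, rem in product(local_cidrs, remote_cidrs)]


def check_traffic_selectors(local_cidrs, remote_cidrs,
                            local_inside_ip, remote_inside_ip):
    """Return findings that explain why BGP over the VTI would not come up.

    local_cidrs / remote_cidrs: the ASA encryption domain (crypto ACL) as
    CIDR strings.  local_inside_ip / remote_inside_ip: the 169.254.x.x
    tunnel inside addresses from the downloaded configuration file.
    """
    findings = []
    pairs = selector_pairs(local_cidrs, remote_cidrs)
    if len(pairs) != 1:
        findings.append(
            f"{len(pairs)} selector pairs would negotiate {len(pairs)} SAs; "
            "AWS accepts a single SA per tunnel")
    src = ipaddress.ip_address(local_inside_ip)
    dst = ipaddress.ip_address(remote_inside_ip)
    # BGP runs between the inside addresses; if no selector pair matches that
    # flow it is never encrypted into the tunnel, so the peer refuses TCP/179.
    if not any(src in loc and dst in rem for loc, rem in pairs):
        findings.append(
            f"BGP traffic {local_inside_ip} -> {remote_inside_ip} is outside "
            "the encryption domain and is not sent through the tunnel")
    return findings


def check_aws_vpn_options(options):
    """Return findings for the AWS-side VPN connection options.

    options: the 'Options' dict of a describe-vpn-connections entry.  A
    missing key is treated as the default 0.0.0.0/0.
    """
    default = ipaddress.ip_network("0.0.0.0/0")
    findings = []
    for key in ("LocalIpv4NetworkCidr", "RemoteIpv4NetworkCidr"):
        cidr = options.get(key, "0.0.0.0/0")
        if ipaddress.ip_network(cidr) != default:
            findings.append(f"{key} is {cidr}; expected the default 0.0.0.0/0")
    return findings


if __name__ == "__main__":
    # Constructed sample: a policy-style ASA selector that omits the inside
    # addresses, compared with the 0.0.0.0/0 domain the comment recommends.
    narrow = check_traffic_selectors(["10.0.0.0/16", "10.1.0.0/16"],
                                     ["172.31.0.0/16"],
                                     "169.254.10.2", "169.254.10.1")
    wide = check_traffic_selectors(["0.0.0.0/0"], ["0.0.0.0/0"],
                                   "169.254.10.2", "169.254.10.1")
    # Constructed sample of the AWS-side options block.
    aws_opts = {"LocalIpv4NetworkCidr": "10.0.0.0/16",
                "RemoteIpv4NetworkCidr": "0.0.0.0/0",
                "StaticRoutesOnly": False}
    for label, result in (("narrow ASA selector", narrow),
                          ("0.0.0.0/0 ASA selector", wide),
                          ("AWS options", check_aws_vpn_options(aws_opts))):
        print(f"{label}: {result or 'OK'}")
```

With the narrow selector the checker reports both the multiple-SA problem and that the 169.254.x.x BGP flow falls outside the encryption domain; with 0.0.0.0/0 on both sides it reports nothing, which matches the fix the comment describes.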
