I want to troubleshoot my AWS Direct Connect connection when it goes down because of layer 2 issues.
Resolution
Note: For layer 1 issues, see How do I troubleshoot layer 1 issues in Direct Connect? For layer 3 issues, see How do I troubleshoot layer 3 issues in Direct Connect?
If your Direct Connect connection's physical link is UP (layer 1 is healthy) but you can't reach the Amazon peer IP address, then complete the following steps.
Check the OSI layer 2 configuration on your edge device or router
To resolve Open Systems Interconnection (OSI) layer 2 issues, take the following actions:
- Configure the correct VLAN ID with dot1Q encapsulation on your device, such as a router or switch.
- Make sure that the peer IP addresses configured on your device match the values shown for the virtual interface in the Direct Connect console.
- Make sure that you configured all the intermediate devices along the path for dot1Q VLAN tagging. Frames must arrive at the AWS side of the Direct Connect device still tagged with the correct VLAN ID.
Note: Some network providers use Q-in-Q tagging, which adds an outer tag and changes how your tagged VLAN is presented. Direct Connect doesn't support Q-in-Q tagging. VLAN translation on an intermediate device might also change the VLAN tag, which can prevent Address Resolution Protocol (ARP) from resolving the peer.
- Make sure that your device learns the media access control (MAC) address of the Direct Connect device for the configured VLAN ID from the ARP table.
- Check whether your device can ping the Amazon peer IP address from your peer IP address.
Check the IP address and subnet mask
Confirm that the peer IP address and subnet mask on the sub-interface match the values in the Direct Connect console, and that your peer IP address and the Amazon peer IP address fall within the same subnet.
Review ARP entries and ARP counters
Make sure that the sub-interface on your gateway that carries the Direct Connect VLAN has an ARP entry for the Direct Connect endpoint. If that entry is missing, then your gateway isn't learning the Direct Connect endpoint's MAC address, and layer 3 traffic can't be forwarded.
Check output and input packet counters on the gateway interface that's connected to your Direct Connect connection for the following scenarios:
- If output packets increase but input packets don't increase, then your gateway device isn't receiving the ARP requests from AWS.
- If input packets increase and output packets don't increase, then your gateway isn't responding to ARP requests from the Direct Connect endpoint.
- If input and output packets don't increase, then there might be a VLAN mismatch or your connection might be receiving untagged frames.
Check your VLAN configurations
Confirm that you set up the following VLAN configurations:
- You created the VLAN ID in the VLAN database on your gateway device.
- You configured the immediate uplink to AWS as a trunk. If the immediate uplink is a trunk, then confirm that you allowed the correct VLAN over the trunk port.
- Your gateway device and intermediate devices don't perform VLAN translation or Q-in-Q tagging on the Direct Connect VLAN.
- You didn't turn on media access control security (MACsec) for intermediate hops.
To resolve VLAN issues, take the following actions:
- Clear the ARP table and ARP cache on your gateway device.
- Run the debug arp command (or your platform's equivalent) on your gateway device to watch ARP requests and replies on the Direct Connect sub-interface.
- Perform a packet capture on the immediate layer 2 device that uplinks to your Direct Connect endpoint.
- Check that ARP requests leave toward AWS as broadcast frames (destination MAC address FF:FF:FF:FF:FF:FF) with the correct 802.1Q encapsulation and VLAN tag, and that no outer (Q-in-Q) tag was added on the path.
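The packet-capture check above, together with the Q-in-Q, VLAN-translation and untagged-frame cases described earlier in this article, can be applied to raw frames from a capture. The following is an added example, not code from the article or from AWS: it parses Ethernet II frames, peels any stacked 802.1Q/802.1ad tags, and classifies each ARP frame against the VLAN ID you expect on the Direct Connect virtual interface. The sample frames, the MAC addresses, the peer IPs (169.254.10.1 and 169.254.10.2) and the expected VLAN ID (100) are all constructed for illustration.

```python
"""Classify captured Ethernet frames for Direct Connect layer 2 troubleshooting.

Added example, not code from the AWS article. All frames, MAC addresses,
peer IPs and the expected VLAN ID below are constructed assumptions.
"""
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100    # 802.1Q customer VLAN tag (dot1Q)
ETH_P_8021AD = 0x88A8   # 802.1ad service tag, the outer tag in Q-in-Q
ETH_P_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlans: list          # VLAN IDs, outermost first; [] means untagged
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, peeling off any stacked VLAN tags."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    off = 12
    vlans = []
    ethertype = struct.unpack_from("!H", raw, off)[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        vlans.append(tci & 0x0FFF)        # low 12 bits of the TCI are the VLAN ID
        off += 4
        ethertype = struct.unpack_from("!H", raw, off)[0]
    off += 2
    return Frame(dst, src, vlans, ethertype, raw[off:])


def classify_arp(frame: Frame, expected_vlan: int) -> str:
    """Diagnose one frame seen on the uplink toward the Direct Connect endpoint."""
    if frame.ethertype != ETH_P_ARP:
        return "not-arp"
    if not frame.vlans:
        return "untagged"                 # missing dot1Q encapsulation or VLAN mismatch
    if len(frame.vlans) > 1:
        return "qinq"                     # stacked tags: Direct Connect doesn't support Q-in-Q
    if frame.vlans[0] != expected_vlan:
        return f"wrong-vlan:{frame.vlans[0]}"   # VLAN translation on the path
    opcode = struct.unpack_from("!H", frame.payload, 6)[0]   # ARP opcode: 1=request, 2=reply
    if opcode == 1 and frame.dst != BROADCAST:
        return "request-not-broadcast"
    return "ok-request" if opcode == 1 else "ok-reply"


def build_arp(opcode: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Build an ARP payload for Ethernet/IPv4 (htype=1, ptype=0x0800)."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sha + spa + tha + tpa


def build_frame(dst: bytes, src: bytes, vlans: list, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame; two or more VLAN IDs produce a Q-in-Q (802.1ad) outer tag."""
    hdr = dst + src
    for i, vid in enumerate(vlans):
        tpid = ETH_P_8021AD if (i == 0 and len(vlans) > 1) else ETH_P_8021Q
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample values (assumptions, not real Direct Connect addresses).
CUST_MAC = bytes.fromhex("02000000aa01")
AWS_MAC = bytes.fromhex("02000000bb01")
CUST_IP = bytes([169, 254, 10, 1])    # assumed customer peer IP
AWS_IP = bytes([169, 254, 10, 2])     # assumed Amazon peer IP
EXPECTED_VLAN = 100                   # assumed VLAN ID from the Direct Connect console


def sample_capture() -> dict:
    """A constructed capture covering the healthy case and each failure mode."""
    req = build_arp(1, CUST_MAC, CUST_IP, bytes(6), AWS_IP)
    rep = build_arp(2, AWS_MAC, AWS_IP, CUST_MAC, CUST_IP)
    return {
        "good-request": build_frame(BROADCAST, CUST_MAC, [100], ETH_P_ARP, req),
        "good-reply": build_frame(CUST_MAC, AWS_MAC, [100], ETH_P_ARP, rep),
        "untagged": build_frame(BROADCAST, CUST_MAC, [], ETH_P_ARP, req),
        "qinq": build_frame(BROADCAST, CUST_MAC, [500, 100], ETH_P_ARP, req),
        "translated": build_frame(BROADCAST, CUST_MAC, [200], ETH_P_ARP, req),
    }


def diagnose(capture: dict, expected_vlan: int = EXPECTED_VLAN) -> dict:
    """Map each captured frame to its layer 2 diagnosis."""
    return {name: classify_arp(parse_frame(raw), expected_vlan) for name, raw in capture.items()}


if __name__ == "__main__":
    for name, verdict in diagnose(sample_capture()).items():
        print(f"{name:14s} -> {verdict}")
```

On a real capture, feed `parse_frame` the link-layer bytes of each packet (for example, the frames tcpdump writes to a pcap file, read with any pcap library) and look for "qinq", "untagged" or "wrong-vlan" verdicts: each maps directly to one of the VLAN problems listed in this article. Seeing only "ok-request" with no "ok-reply" means your requests leave correctly tagged but the Direct Connect endpoint isn't answering, which points back at the peer IP and counter checks above.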
Related information
Troubleshoot layer 2 (data link) issues