How do I troubleshoot connectivity issues when I try to ping the Direct Connect peer IP address?

Resolution

Failed ping between the customer gateway device and the AWS peer IP address

If the ping between the customer gateway device and AWS peer IP address fails, then complete the following tasks:

• Check the physical Direct Connect connection at the customer gateway device or in the Direct Connect console. If the physical link is DOWN, then see Troubleshooting layer 1 (physical) issues.
• Check that all peer IP address configurations are identical on the customer gateway device and Direct Connect virtual interface from the Direct Connect console.
• Check that the correct IP address and subnet mask are configured on the subinterface.
• Check that the correct VLAN encapsulation (802.1Q) and VLAN tag is being used.
• Confirm the source and destination IP addresses when the ping is initiated.
• Check that the ICMP protocol allows the inbound and outbound rules in the access control list (ACL) and security policies. These rules must be allowed for the customer gateway device and any intermediate devices.

If your ping still fails, then you might have layer 2 connectivity issues.

Troubleshoot layer 2 connectivity issues

If you have layer 2 connectivity issues, then complete the following tasks:

• Check if the ARP entry for the Direct Connect endpoint is being learned on the customer gateway end through the correct subinterface. If ARP entry for the Direct Connect endpoint isn't present at the customer gateway device, then it's not learning the Direct Connect endpoint MAC address.
• Check outgoing and incoming packet counters on the customer gateway interface connected to the Direct Connect connection. If output packets are increasing and input packets aren't increasing, then the customer gateway device isn't receiving the ARP requests from AWS. If input packets are increasing and output packets aren't increasing, then customer gateway isn't responding to ARP requests from the Direct Connect endpoint. If input and output packets are not incrementing, then there might be a VLAN mismatch or untagged frames being received from the connection.
• Check that the VLAN ID is installed in the database on the customer gateway device.
• Check that the immediate uplink to AWS is configured as a trunk. If the immediate uplink is trunk, then confirm that the correct VLAN is allowed over the trunk port.
  Note: Some network providers use Q-in-Q tagging. This might alter your tagged VLAN. VLAN translation might also change the VLAN tag, which results in the failure of ARP establishment.
• Check that the native VLAN isn't used by the customer gateway device or any intermediate devices.
• Check that MACsec isn't turned on for intermediate hops.
• Clear the ARP table and ARP cache on the customer gateway device.
• Run a debug for the ARP on the customer gateway device.
• Perform a packet capture on the immediate layer 2 device that uplinks to the Direct Connect endpoint. Check that the ARP broadcast MAC address FF:FF:FF:FF:FF:FF is sent to AWS with the correct 802.1Q encapsulation and VLAN tag.

Ping still fails after ARP is established

If ping still fails after layer 2 issues are resolved and the ARP is established, then complete the following tasks:

• Confirm that the source interface and correct IP address are being used for ping probes.
• Collect the debug for the ICMP traffic flow at the customer gateway device. Check if the ICMP packets are going out and if there are any responses or errors.
• Collect packet captures on the customer gateway device and intermediate devices at the customer network to see if any device is blocking the ICMP traffic.