How do I troubleshoot BGP connection issues over VPN?

My Border Gateway Protocol (BGP) session can't establish a connection or is in the Idle state over my virtual private network (VPN). I want to troubleshoot BGP connection issues.

Resolution

The following are common reasons for BGP connection failures and instabilities:

  • The customer gateway device doesn't support dynamic routing.
  • The VPN tunnel is down or flapping.
  • BGP isn't configured correctly on the customer gateway device.
  • A BGP session's status changes from Established to Idle because the number of routes that are advertised over the session exceeds its quota.
  • An error on the customer gateway stops the connection.

Verify that the customer gateway supports dynamic routing

BGP is a dynamic routing protocol. For more information, see Static and dynamic routing.

Make sure that your customer gateway device supports dynamic routing.

Important: It's a best practice to use dynamic routing instead of static routing. If the customer gateway device doesn't support dynamic routing, then configure your static VPN to avoid asymmetric routing.

Check the VPN's connection

A VPN tunnel's status must be UP to establish a BGP session. Verify that the VPN status is UP and the VPN is stable.

If the VPN isn't in the UP status and stable, then complete the following steps:

  1. Verify that Internet Key Exchange (IKE/phase 1) is functional.
  2. Verify that Internet Protocol security (IPsec/phase 2) is functional.
  3. Verify that the VPN tunnel is active and stable on the customer gateway device.
  4. If you use AWS Direct Connect, then troubleshoot BGP connection issues over Direct Connect.
  5. If the VPN connects to an Amazon Virtual Private Cloud (Amazon VPC), then troubleshoot VPN connectivity to an Amazon VPC.

Check the configuration on the customer gateway device

Note: If BGP isn't configured correctly on the customer gateway device, then it doesn't establish peer connectivity. For more information, see Example configuration files for your customer gateway device.

Download the VPN configuration file, and then complete the following steps on the customer gateway device:

  1. Verify that the local and remote BGP peer IP addresses and Autonomous System Numbers (ASNs) are configured according to the file that you downloaded.

  2. Ping the remote BGP peer IP address from the local BGP peer IP address:

    ping example_IP

    Note: Replace example_IP with the remote BGP peer IP address.

  3. Verify that the BGP peers are directly connected to each other.

    Important: AWS doesn't support External BGP (EBGP) multi-hop.

  4. If the BGP session flaps between Active and Connect states, then verify that TCP port 179 and other necessary ephemeral ports are open.

Verify the number of routes that are advertised over the session

Important: 100 is the maximum number of routes that a BGP session supports. If the number of routes exceeds the quota, then the BGP session's status changes from Established to Idle. For more information, see Troubleshooting your customer gateway device.

On the customer gateway, verify that fewer than 100 routes are advertised over the BGP session. If the number of routes exceeds the quota, then take one of the following actions:

Check for errors on the customer gateway device

If the previous actions don't restore the connection, then review the following logs for errors with timestamps that correspond with the connection failure:

  • BGP and TCP debugs
  • BGP error logs
  • Packet captures for traffic between the BGP peer IP addresses
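The tunnel-status check and the 100-route quota check above can be automated from the AWS side. The following is an added example, not code from this article or from AWS: it triages the VpnConnection dict that EC2 DescribeVpnConnections returns (boto3 ec2.describe_vpn_connections), using the real VgwTelemetry fields Status, StatusMessage, OutsideIpAddress and AcceptedRouteCount. The sample connection is constructed, and the warn_at early-warning threshold is an assumption.

```python
"""Triage an AWS Site-to-Site VPN connection for the BGP failure causes above."""

BGP_ROUTE_QUOTA = 100  # routes per BGP session, as stated in the article


def assess_tunnels(vpn_connection, warn_at=90):
    """Return one finding string per problem found in a VpnConnection dict.

    A tunnel whose Status is not 'UP' cannot carry a BGP session, and a tunnel
    whose AcceptedRouteCount reaches the quota drops from Established to Idle.
    warn_at is an assumed early-warning threshold, not an AWS value.
    """
    findings = []
    if vpn_connection.get("Options", {}).get("StaticRoutesOnly", False):
        findings.append("connection uses static routing; no BGP session is expected")
    for tunnel in vpn_connection.get("VgwTelemetry", []):
        ip = tunnel.get("OutsideIpAddress", "?")
        status = tunnel.get("Status")
        routes = tunnel.get("AcceptedRouteCount", 0)
        if status != "UP":
            msg = tunnel.get("StatusMessage") or "no status message"
            findings.append(f"{ip}: tunnel {status}: {msg}")
            continue  # BGP cannot be checked on a tunnel that is down
        if routes >= BGP_ROUTE_QUOTA:
            findings.append(f"{ip}: {routes} routes reached the "
                            f"{BGP_ROUTE_QUOTA}-route quota; session will go Idle")
        elif routes >= warn_at:
            findings.append(f"{ip}: {routes} routes, close to the "
                            f"{BGP_ROUTE_QUOTA}-route quota")
        elif routes == 0:
            findings.append(f"{ip}: tunnel UP but 0 routes accepted; "
                            "check peer IPs, ASNs and TCP port 179")
    return findings


# Constructed sample: tunnel 1 is down, tunnel 2 is up but at the route quota.
SAMPLE_CONNECTION = {
    "VpnConnectionId": "vpn-EXAMPLE",
    "Options": {"StaticRoutesOnly": False},
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "DOWN",
         "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
        {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 100},
    ],
}

if __name__ == "__main__":
    for line in assess_tunnels(SAMPLE_CONNECTION):
        print(line)
```

Against a live account, pass each entry of describe_vpn_connections()["VpnConnections"] to assess_tunnels instead of the sample.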

Related information

Site-to-Site VPN routing options

Using redundant Site-to-Site VPN connections to provide failover

Amazon VPC FAQs