How do I troubleshoot BGP connection issues over VPN?

3 minute read
0

My Border Gateway Protocol (BGP) session can't establish a connection or is in an idle state over my virtual private network (VPN). How can I troubleshoot this?

Resolution

To troubleshoot BGP connection issues over VPN, check the following:

Check the underlying VPN connection

For BGP-based VPN connections, the BGP session can be established only if the VPN tunnel is UP. If the VPN tunnel is down or flapping, then you experience issues when establishing the BGP session. Verify that the VPN is UP and stable. If the VPN isn't coming up or it isn't stable, see the following:

Check the BGP configuration on your customer gateway device

  • The local and remote BGP peer IP addresses must be configured with the downloaded VPN configuration file from the Amazon Virtual Private Cloud (Amazon VPC) console.
  • The local and remote BGP Autonomous System Numbers (ASN) must be configured with the downloaded VPN configuration file from the Amazon VPC console.
  • If the configuration settings are correct, then ping the remote BGP peer IP address from your local BGP peer IP address. This verifies the connectivity between BGP peers.
  • Be sure that the BGP peers are directly connected to each other. External BGP (EBGP) multi-hop is turned off on AWS.

Note: If your BGP session is flapping between active and connect states, then verify that TCP port 179 and other relevant ephemeral ports are not blocked.

Note debugs and packet captures

After verifying BGP configuration and BGP peer connectivity, note the following information from the customer gateway device for further troubleshooting:

  • BGP and TCP debugs
  • BGP logs
  • Packet captures for traffic between the BGP peer IP addresses.

Check if the BGP session is going from established to idle states

For VPN on a virtual gateway, you might see the BGP session going from established to idle state. Verify the number of routes that you're advertising over the BGP session. You can advertise up to 100 routes over the BGP session. If the number of routes advertised over the BGP session is more than 100, then the BGP session goes to the idle state.

To resolve this, do one of the following:

Advertise a default route to route to AWS, or summarize the routes so that the number of routes received is fewer than 100.

-or-

Migrate your VPN connection to a transit gateway. Transit gateway supports 1,000 routes advertised from a customer gateway.

For more information, see Site-to-Site VPN quotas.

Related information

How can I troubleshoot BGP connection issues over Direct Connect?

Amazon VPC FAQs

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago