
How do I troubleshoot Transit Gateway connectivity issues with third-party virtual appliances running in a VPC?


I’ve configured an AWS Transit Gateway Connect attachment between AWS Transit Gateway and my Software-Defined Wide Area Network (SD-WAN) appliances in my virtual private cloud (VPC). However, I can’t connect my remote network from the VPC over the Transit Gateway Connect attachment.

Resolution

Check Transit Gateway and Connect attachment configuration

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. In the navigation pane, choose Transit gateway attachments.
  3. Select the source VPC attachment that must communicate with remote or on-premises hosts. Verify that the attachment is associated with the correct transit gateway ID.
  4. Repeat step 3 for the Connect attachment, which establishes the connection between Transit Gateway and the third-party virtual appliance running in your VPC.
  5. Repeat step 3 for the transport VPC attachment, which establishes the Generic Routing Encapsulation (GRE) connection between Transit Gateway and your SD-WAN.
  6. In the navigation pane, choose Transit Gateway Route Tables. Then, select the route table for each attachment.
  7. Verify that the source and SD-WAN VPCs are attached to a transit gateway in the same or different AWS Region.
  8. Verify that the source and SD-WAN VPC attachments are associated with the correct route table.
  9. Verify that source CIDR blocks and Border Gateway Protocol (BGP) routes propagate to the associated route tables.
  10. Verify that the Connect attachment is attached to the correct transit gateway.
  11. Verify that the Connect attachment uses the correct VPC transport attachment for the SD-WAN appliance and the status is Available.

Check Connect peers configuration

  1. Open the Amazon VPC console.
  2. Choose Transit gateway attachments.
  3. Select the Connect attachment.
  4. Choose Connect Peers.
  5. Verify that the transit gateway GRE address matches the private IP address of the SD-WAN appliance for the GRE tunnel.
  6. Verify that the transit gateway GRE address matches an available IP address from the transit gateway CIDR block.
  7. Verify that the BGP inside IP addresses belong to a /29 CIDR block from the 169.254.0.0/16 range for IPv4. For IPv6, you can specify a /125 CIDR block from the fd00::/8 range. For more information, see Connect peers.

Note: The BGP peer Autonomous System Number (ASN) is optional. If you don't specify a peer ASN, then Transit Gateway uses its own ASN for the peer.
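The Connect peer checks in steps 5 through 7 can be scripted against the peer configuration. This is an added example, not AWS code: the field names mirror what `describe-transit-gateway-connect-peers` returns (an assumption), and the peer, transit gateway CIDR block, and appliance IP are constructed sample values.

```python
import ipaddress

# Constructed sample peer, modelled on the ConnectPeerConfiguration fields that
# describe-transit-gateway-connect-peers returns (field names are an assumption).
SAMPLE_PEER = {
    "TransitGatewayAddress": "192.0.2.10",  # GRE address on the transit gateway side
    "PeerAddress": "10.0.1.20",             # GRE address of the SD-WAN appliance
    "InsideCidrBlocks": ["169.254.100.0/29", "fd00:1::/125"],
}
TGW_CIDR = "192.0.2.0/24"           # constructed transit gateway CIDR block
APPLIANCE_PRIVATE_IP = "10.0.1.20"  # constructed private IP of the appliance interface

IPV4_INSIDE = ipaddress.ip_network("169.254.0.0/16")
IPV6_INSIDE = ipaddress.ip_network("fd00::/8")


def check_connect_peer(peer, tgw_cidr, appliance_ip):
    """Return a list of findings for a Connect peer; an empty list means it passes."""
    findings = []
    tgw_net = ipaddress.ip_network(tgw_cidr)
    tgw_addr = ipaddress.ip_address(peer["TransitGatewayAddress"])
    # Step 6: the transit gateway GRE address must come from the transit gateway CIDR block.
    if tgw_addr not in tgw_net:
        findings.append(f"transit gateway GRE address {tgw_addr} is not in TGW CIDR {tgw_net}")
    # Step 5: the peer GRE address must be the appliance's private IP.
    if ipaddress.ip_address(peer["PeerAddress"]) != ipaddress.ip_address(appliance_ip):
        findings.append(f"peer GRE address {peer['PeerAddress']} != appliance IP {appliance_ip}")
    # Step 7: inside CIDRs are a /29 from 169.254.0.0/16 (IPv4) or a /125 from fd00::/8 (IPv6).
    for cidr in peer["InsideCidrBlocks"]:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4:
            ok = net.prefixlen == 29 and net.subnet_of(IPV4_INSIDE)
        else:
            ok = net.prefixlen == 125 and net.subnet_of(IPV6_INSIDE)
        if not ok:
            findings.append(f"inside CIDR {cidr} must be a /29 in 169.254.0.0/16 or a /125 in fd00::/8")
    return findings


if __name__ == "__main__":
    for finding in check_connect_peer(SAMPLE_PEER, TGW_CIDR, APPLIANCE_PRIVATE_IP) or ["all checks passed"]:
        print(finding)
```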

Check third-party appliance configuration

  1. Verify that your third-party appliance configuration meets all requirements and considerations.
  2. If your appliance has more than one interface, then make sure that operating system (OS) routing is configured to send GRE packets through the correct interface.
  3. Configure security groups and network access control lists (ACLs) to allow GRE traffic (IP protocol number 47, which has no port) from the transit gateway CIDR block.

Check Availability Zone configuration

  1. Open the Amazon VPC console.
  2. Choose Subnets.
  3. Select the subnets for the VPC attachment and SD-WAN appliance.
  4. Verify that both subnets have the same Availability Zone ID. For more information, see AWS Availability Zones.

Check route tables and routing

  1. Open the Amazon VPC console.
  2. Choose Route tables.
  3. Select the route table for the source instance.
  4. Choose the Routes tab.
  5. Verify that the route has the correct destination CIDR block and transit gateway ID as its target.
  6. For the source instance, confirm that the remote network CIDR is the destination CIDR block.
  7. For the SD-WAN appliance, confirm that the transit gateway CIDR is the destination CIDR block.

Check transit gateway route table configuration

  1. Open the Amazon VPC console.
  2. Choose Transit gateway route tables.
  3. Verify that the route table that's associated with the source VPC attachment has a route propagating from the Connect attachment for the remote network.
  4. Verify that the route table that's associated with the Connect attachment has a route for the source VPC and SD-WAN appliance VPC.
  5. Confirm that route propagation is enabled in the route tables for both the Connect attachment and source VPC attachment.
  6. For interior BGP (iBGP) peers, verify that routes originate from an exterior BGP (eBGP) peer. Make sure that the routes advertised from the appliance to the transit gateway don't exceed the 1,000-route quota.

Verify that network ACLs allow traffic

  1. Open the Amazon VPC console.
  2. Choose Subnets.
  3. Select the subnets for the VPC attachment and SD-WAN appliance.
  4. Choose the Network ACL tab.
  5. Verify that the network ACL for the SD-WAN appliance allows GRE traffic.
  6. Verify that the network ACL for the source instance allows traffic.
  7. Verify that the network ACL that's associated with the transit gateway network interface allows traffic.

Verify that security groups allow traffic

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. In the navigation pane, choose Instances.
  3. Select the source instance and SD-WAN appliance.
  4. Choose the Security tab.
  5. Verify that the security group for the SD-WAN appliance allows inbound GRE connections.
  6. Verify that the security group for the SD-WAN appliance allows outbound GRE sessions.
  7. Verify that the security group for the source instance allows traffic.
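The security group and network ACL checks above (and the GRE requirement in the appliance section) reduce to evaluating rules against the transit gateway GRE address. This is an added example, not AWS code: the rule dictionaries are constructed and modelled on the IpPermissions and NetworkAclEntries shapes (an assumption), and it shows why a TCP rule for "port 47" never admits GRE.

```python
import ipaddress

GRE = "47"  # GRE is IP protocol number 47; it has no TCP/UDP ports
TGW_GRE_ADDRESS = "192.0.2.10"  # constructed transit gateway GRE address (from the TGW CIDR)

# Constructed rules modelled on the IpPermissions and NetworkAclEntries shapes (assumption).
SG_INBOUND_OK = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "47", "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
]
# A common mistake: opening TCP port 47 instead of IP protocol 47.
SG_INBOUND_WRONG = [
    {"IpProtocol": "tcp", "FromPort": 47, "ToPort": 47, "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
]
NACL_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 110, "Protocol": "47", "RuleAction": "deny", "Egress": False, "CidrBlock": "192.0.2.0/25"},
    {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]


def sg_allows_gre(permissions, source_ip):
    """Security groups are allow-only: any GRE (or all-protocol) rule covering the source passes."""
    addr = ipaddress.ip_address(source_ip)
    for perm in permissions:
        if perm["IpProtocol"] not in (GRE, "-1"):
            continue  # tcp/udp rules never match GRE, whatever port they open
        if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_allows_gre(entries, source_ip, egress=False):
    """Network ACLs are evaluated in rule-number order; the first matching entry decides."""
    addr = ipaddress.ip_address(source_ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in (GRE, "-1"):
            continue
        if addr in ipaddress.ip_network(e["CidrBlock"]):
            return e["RuleAction"] == "allow"
    return False  # no matching entry: the implicit deny applies


if __name__ == "__main__":
    print("SG ok:", sg_allows_gre(SG_INBOUND_OK, TGW_GRE_ADDRESS))
    print("SG wrong:", sg_allows_gre(SG_INBOUND_WRONG, TGW_GRE_ADDRESS))
    print("NACL inbound:", nacl_allows_gre(NACL_ENTRIES, TGW_GRE_ADDRESS))
    print("NACL outbound:", nacl_allows_gre(NACL_ENTRIES, TGW_GRE_ADDRESS, egress=True))
```

In the constructed network ACL, the deny at rule 110 wins over the allow-all at rule 200 for the lower half of the transit gateway CIDR, which is the kind of ordering mistake that leaves the GRE tunnel down for only some peers.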
AWS OFFICIAL. Updated 6 months ago.