Unable to ping remote side of Cisco VTI tunnel or establish BGP session

0

I have set up two tunnels between AWS and a Cisco ASA using VTI and dynamic routing. The tunnel interfaces come up/up and the AWS console shows that IPSEC is UP. BGP debugging shows 'BGP: <AWS tunnel ip> open failed: Connection refused by remote host'. I'm unable to ping the AWS tunnel IPs. I can ping the AWS tunnel IPs on other ASAs connected to other VPCs. I've deleted the Site-to-Site tunnel and recreated it with the same results. Any ideas on how to resolve this?

PWarren
Asked 9 months ago, 402 views
1 answer
0
  • Check the BGP configuration on your customer gateway device and make sure the IP addresses and Autonomous System Numbers (ASN) of the local and remote BGP peers are configured as in the downloaded VPN configuration file.
AWS
Matt_E
Answered 9 months ago
  • Yes, the ASNs and addresses are configured as they are shown in the downloaded config.

    • On the Cisco ASA, modify the traffic selector (encryption domain) to 0.0.0.0/0 for both the local and remote CIDRs; that will include the inside tunnel IP addresses 169.254.X.X.
    • AWS is a route-based VPN and only supports a single security association (SA). When you modify the traffic selector to 0.0.0.0/0 on the Cisco ASA, this will make sure you have a single SA.
    • On the AWS side, make sure the "Local IPv4 network CIDR" and "Remote IPv4 network CIDR" are at their default 0.0.0.0/0. This config can be found by choosing the VPN and then "Modify VPN connection options".

    https://repost.aws/knowledge-center/vpn-connection-instability
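
As an added example (not code from the thread or from AWS), here is a small Python checker for the two selector mismatches the reply points to: it assumes the DescribeVpnConnections response fields LocalIpv4NetworkCidr, RemoteIpv4NetworkCidr and TunnelInsideCidr, and runs against a constructed VPN options record and a constructed ASA crypto ACL rather than a live account.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed DescribeVpnConnections 'Options' matching the thread's symptoms
# (not real account data): CIDR options narrowed away from the 0.0.0.0/0 default.
SAMPLE_VPN = {
    "Options": {
        "LocalIpv4NetworkCidr": "10.0.0.0/16",
        "RemoteIpv4NetworkCidr": "172.16.0.0/16",
        "TunnelOptions": [{"TunnelInsideCidr": "169.254.10.0/30"},
                          {"TunnelInsideCidr": "169.254.11.0/30"}],
    }
}
# Constructed ASA crypto ACL that scopes the selector to the LAN prefixes only.
SAMPLE_ACL = ["access-list AWS-VPN extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0"]

def parse_selector(line):
    """Return (src, dst) networks for an ASA 'permit ip' ACL line, else None."""
    tokens = line.split()
    if "permit" not in tokens or "ip" not in tokens:
        return None
    tokens, nets = tokens[tokens.index("ip") + 1:], []
    while tokens and len(nets) < 2:
        if tokens[0] == "any":            # 'any' is a single token
            nets.append(ANY)
            tokens = tokens[1:]
        else:                             # 'address netmask' pair
            nets.append(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False))
            tokens = tokens[2:]
    return tuple(nets) if len(nets) == 2 else None

def check_aws_options(vpn):
    """List VPN connection CIDR options that are not the 0.0.0.0/0 default."""
    opts = vpn["Options"]
    return [f"{key}={opts[key]} (expected 0.0.0.0/0)"
            for key in ("LocalIpv4NetworkCidr", "RemoteIpv4NetworkCidr")
            if ipaddress.ip_network(opts.get(key, "0.0.0.0/0")) != ANY]

def check_asa_selector(acl_lines, vpn):
    """List inside-tunnel /30s no ACL entry covers as both source and destination."""
    selectors = [s for s in map(parse_selector, acl_lines) if s]
    uncovered = []
    for tunnel in vpn["Options"]["TunnelOptions"]:
        inside = ipaddress.ip_network(tunnel["TunnelInsideCidr"])
        if not any(inside.subnet_of(src) and inside.subnet_of(dst) for src, dst in selectors):
            uncovered.append(tunnel["TunnelInsideCidr"])
    return uncovered
```

An ACL that lists only the LAN prefixes leaves the 169.254.x.x tunnel inside addresses outside every SA, which is exactly the state in which the tunnel shows UP while BGP and pings to the peer address fail.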
