A customer has decided to use Direct Connect (DX) and VPN.
So if DX fails, they want to fail over to VPN.
But it takes about 20~30 seconds.
Which configuration affects this long failover time?
The AWS VPN configuration is below:
config vpn ipsec phase1-interface
    edit "transit-KR.P***"
        set interface "Loopbk"
        set local-gw 182.###.###.###
        set keylife 28800
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 15.###.###.###
        set psksecret .
        set dpd-retryinterval 1
        set dpd enable
        set comments "aws-transit-****"
    next
    edit "transit-KR.****"
        set interface "Loopbk"
        set local-gw 182.###.###.###
        set keylife 28800
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 52.###.###.###
        set psksecret x
        set dpd-retryinterval 1
        set dpd enable
        set comments "aws-transit-***"
    next
end
config vpn ipsec phase2-interface
    edit "transit-KR.####"
        set phase1name "transit-KR.####"
        set proposal aes128-sha1
        set dhgrp 2
        set keylifeseconds 3600
    next
    edit "transit-KR.****"
        set phase1name "transit-KR.****"
        set proposal aes128-sha1
        set dhgrp 2
        set keylifeseconds 3600
    next
end
config system interface
    edit "transit-KR.####"
        set ip 169.###.###.### 255.255.255.255
        set allowaccess ping
        set tcp-mss 1387
        set remote-ip 169.###.###.###
        set description "aws-transit-****"
    next
    edit "transit-KR****"
        set ip 169.###.###.### 255.255.255.255
        set allowaccess ping
        set tcp-mss 1387
        set remote-ip 169.###.###.###
        set description "aws-transit-****"
    next
end
config router bgp
    config neighbor
        edit "169.###.###.###"
            set remote-as 64514
            set route-map-in aws-transitgw
            set route-map-out non-transit
        next
        edit "169.###.###.###"
            set remote-as 64514
            set route-map-in aws-transitgw
            set route-map-out non-transit
        next
    end
end
*****-FW-1 $ get router info bgp nei 169.###.###.### routes
BGP table version is 6042, local router ID is 182.###.###.###
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop            Metric LocPrf Weight Path
*  10.80.64.0/18      169.###.###.###               100      0 64514 e
*> 10.80.120.0/24     169.###.###.###               100      0 64514 e

Total number of prefixes 2
The DX BGP configuration is below:
interface g3/7.30
 description AWS_DX_vpc_test
 logging event subif-link-status
 no ip redirects
 encapsulation dot1Q 30
 ip address 172.16.1.57 255.255.255.252
 bfd interval 100 min_rx 100 multiplier 3
!
ip as-path access-list 92 permit ^64513$
!
ip prefix-list ***-OUT-IPLIST seq 10 permit 10.56.0.0/13 le 32
ip prefix-list ***-OUT-IPLIST seq 20 permit 10.64.0.0/13 le 32
ip prefix-list ***-OUT-IPLIST seq 30 permit 10.28.0.0/14 le 32
ip prefix-list ***-OUT-IPLIST seq 40 permit 172.16.128.0/23 le 32
ip prefix-list ***-IN-IPLIST seq 10 permit 10.80.0.0/12 le 32
!
route-map AWS-KR-IN permit 10
 match ip address prefix-list ***-IN-IPLIST
 match as-path 92
 set local-preference 100
 set community 9710:1493
!
route-map ***-OUT permit 10
 match ip address prefix-list ***-OUT-IPLIST
 match as-path 1
 set community none
!
router bgp 64710
 neighbor 172.16.1.58 remote-as 64513
 neighbor 172.16.1.58 password **********
 neighbor 172.16.1.58 description AWS dx-transitgw test
 neighbor 172.16.1.58 soft-reconfiguration inbound
 neighbor 172.16.1.58 route-map ***-IN in
 neighbor 172.16.1.58 route-map ***-OUT out
 neighbor 172.16.1.58 fall-over bfd
The VPN config was downloaded from the AWS VPN configuration file.
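The question above comes down to which timer on each path notices a dead peer first. As an added example (not code from the original post or from Fortinet/Cisco), the Python below parses the FortiGate `config / edit / set / next / end` format shown in the post into nested dicts and pulls out the settings that bound detection time on each side: the IPsec DPD interval (times an assumed FortiGate default `dpd-retrycount` of 3 when the key is absent), any explicit BGP keepalive/hold timers (the key names `keepalive-timer` / `holdtime-timer` are assumed; `None` means the platform default applies), and the BFD detection time implied by the Cisco `bfd interval ... multiplier` line. The sample config is a trimmed copy of the posted one with the redacted addresses replaced by constructed link-local placeholders.

```python
"""Audit failover-detection settings in a FortiGate CLI dump (added example)."""
import re
import shlex

# Constructed sample: trimmed copy of the posted FortiGate config, with the
# redacted addresses replaced by link-local placeholders.
SAMPLE_FORTIGATE = """\
config vpn ipsec phase1-interface
    edit "transit-KR.A"
        set interface "Loopbk"
        set keylife 28800
        set dpd-retryinterval 1
        set dpd enable
    next
    edit "transit-KR.B"
        set interface "Loopbk"
        set keylife 28800
        set dpd-retryinterval 1
        set dpd enable
    next
end
config router bgp
    config neighbor
        edit "169.254.10.1"
            set remote-as 64514
        next
        edit "169.254.20.1"
            set remote-as 64514
        next
    end
end
"""

# Assumed FortiGate default for dpd-retrycount when the key is not set.
DEFAULT_DPD_RETRYCOUNT = 3


def parse_fortigate(text):
    """Return {block: {entry: {key: value}}} for a FortiGate CLI dump.

    'config X' opens a block, 'edit NAME' opens an entry, 'set K V...' stores
    a value, 'next'/'end' close the innermost scope. A nested 'config' inside
    an entry (e.g. 'config neighbor') is stored under its own name.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles quoted names and values
        cmd, args = tokens[0], tokens[1:]
        scope = stack[-1]
        if cmd == "config":
            stack.append(scope.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(scope.setdefault(args[0], {}))
        elif cmd == "set" and len(args) >= 2:
            scope[args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def ipsec_dpd_detection(cfg, default_retrycount=DEFAULT_DPD_RETRYCOUNT):
    """Worst-case seconds of silence before DPD declares each phase1 peer dead.
    None means DPD is disabled or has no interval, so only BGP timers would
    notice a silent failure on that tunnel."""
    result = {}
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("dpd", "disable") == "disable" or "dpd-retryinterval" not in p1:
            result[name] = None
            continue
        retries = int(p1.get("dpd-retrycount", default_retrycount))
        result[name] = int(p1["dpd-retryinterval"]) * retries
    return result


def bgp_timers(cfg):
    """Per-neighbor (keepalive, holdtime), falling back to router-level values.
    None means nothing is set explicitly and the platform default applies.
    Key names keepalive-timer / holdtime-timer are assumed."""
    bgp = cfg.get("router bgp", {})
    result = {}
    for peer, nb in bgp.get("neighbor", {}).items():
        ka = nb.get("keepalive-timer", bgp.get("keepalive-timer"))
        ht = nb.get("holdtime-timer", bgp.get("holdtime-timer"))
        result[peer] = (int(ka) if ka else None, int(ht) if ht else None)
    return result


def bfd_detection_ms(line):
    """Detection time (ms) implied by a Cisco 'bfd interval T min_rx R multiplier M'
    line, assuming the peer uses the same timers: max(T, R) * M."""
    m = re.match(r"bfd interval (\d+) min_rx (\d+) multiplier (\d+)$", line.strip())
    if not m:
        return None
    tx, rx, mult = (int(x) for x in m.groups())
    return max(tx, rx) * mult


if __name__ == "__main__":
    cfg = parse_fortigate(SAMPLE_FORTIGATE)
    print("DPD detection (s):", ipsec_dpd_detection(cfg))
    print("BGP timers (keepalive, hold):", bgp_timers(cfg))
    print("DX BFD detection (ms):", bfd_detection_ms("bfd interval 100 min_rx 100 multiplier 3"))
```

Run against the posted config, the script reports DPD detecting a dead VPN peer in about 3 s and BFD detecting a dead DX peer in 300 ms, while both FortiGate BGP neighbors have no explicit keepalive/hold timers, which is the first thing to check when a failover takes tens of seconds.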