How can we shorten the failover time between DX and VPN?

A customer has decided to use Direct Connect (DX) and VPN, so if DX fails, they want to fail over to VPN.

But it takes about 20~30 seconds. Which configuration affects this long failover time?

The AWS VPN configuration is below:

config vpn ipsec phase1-interface
edit "transit-KR.P***"
set interface "Loopbk"
set local-gw 182.###.###.###
set keylife 28800
set proposal aes128-sha1
set dhgrp 2
set remote-gw 15.###.###.###
set psksecret .
set dpd-retryinterval 1
set dpd enable 
set comments "aws-transit-****"
next
edit "transit-KR.****"
set interface "Loopbk"
set local-gw 182.###.###.###
set keylife 28800
set proposal aes128-sha1
set dhgrp 2
set remote-gw 52.###.###.###
set psksecret x
set dpd-retryinterval 1
set dpd enable
set comments "aws-transit-***"
next
end
config vpn ipsec phase2-interface
edit "transit-KR.####"
set phase1name "transit-KR.####"
set proposal aes128-sha1
set dhgrp 2
set keylifeseconds 3600
next
edit "transit-KR.****"
set phase1name "transit-KR.****"
set proposal aes128-sha1
set dhgrp 2
set keylifeseconds 3600
next
end
config system interface
edit "transit-KR.####"
set ip 169.###.###.### 255.255.255.255
set allowaccess ping
set tcp-mss 1387
set remote-ip 169.###.###.###
set description "aws-transit-****"
next
edit "transit-KR****"
set ip 169.###.###.### 255.255.255.255
set allowaccess ping
set tcp-mss 1387
set remote-ip 169.###.###.###
set description "aws-transit-****"
next
end
config router bgp
config neighbor
edit "169.###.###.###"
set remote-as 64514
set route-map-in aws-transitgw
set route-map-out non-transit
next
edit "169.###.###.###"
set remote-as 64514
set route-map-in aws-transitgw
set route-map-out non-transit
next
end
end
*****-FW-1 $ get router info bgp nei 169.###.###.### routes
BGP table version is 6042, local router ID is 182.###.###.###
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  10.80.64.0/18    169.###.###.###         100             0 64514 e
*> 10.80.120.0/24   169.###.###.###         100             0 64514 e

Total number of prefixes 2

The DX BGP configuration is below:

interface g3/7.30
description AWS_DX_vpc_test
logging event subif-link-status 
no ip redirects
encapsulation dot1Q 30
ip address 172.16.1.57 255.255.255.252
bfd interval 100 min_rx 100 multiplier 3
ip as-path access-list 92 permit ^64513$
ip prefix-list ***-OUT-IPLIST seq 10 permit 10.56.0.0/13 le 32
ip prefix-list ***-OUT-IPLIST seq 20 permit 10.64.0.0/13 le 32
ip prefix-list ***-OUT-IPLIST seq 30 permit 10.28.0.0/14 le 32
ip prefix-list ***-OUT-IPLIST seq 40 permit 172.16.128.0/23 le 32
ip prefix-list ***-IN-IPLIST seq 10 permit 10.80.0.0/12 le 32

route-map AWS-KR-IN permit 10
 match ip address prefix-list ***-IN-IPLIST
 match as-path 92
 set local-preference 100
 set community 9710:1493

route-map ***-OUT permit 10
 match ip address prefix-list ***-OUT-IPLIST
 match as-path 1
 set community none

router bgp 64710
 neighbor 172.16.1.58 remote-as 64513
 neighbor 172.16.1.58 password **********
 neighbor 172.16.1.58 description AWS dx-transitgw test
 neighbor 172.16.1.58 soft-reconfiguration inbound
 neighbor 172.16.1.58 route-map ***-IN in
 neighbor 172.16.1.58 route-map ***-OUT out
 neighbor 172.16.1.58 fall-over bfd

The VPN config was downloaded from the AWS VPN configuration download.

AWS
asked 4 years ago, 792 views
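As an added example (not part of the question above), here is a small Python parser for the FortiOS BGP table layout shown in the question, the kind of check an operator can run against `get router info bgp network` output to see which tunnel neighbour currently carries each prefix and whether a valid backup path exists. The sample table, the 169.254.x.x neighbour addresses and the `primary_next_hops` argument are constructed for the example; it assumes each route occupies a single line, as in the output above.

```python
import re

# Constructed sample in the layout of FortiOS "get router info bgp network"
# (same columns as the per-neighbour view in the question). Router ID and
# next-hop addresses are documentation/link-local placeholders, not page values.
SAMPLE_TABLE = """\
BGP table version is 6042, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.80.64.0/18    169.254.10.1           100             0 64514 e
*  10.80.64.0/18    169.254.20.1           100             0 64514 e
*  10.80.120.0/24   169.254.10.1           100             0 64514 e
*> 10.80.120.0/24   169.254.20.1           100             0 64514 e

Total number of prefixes 2
"""

# A route line starts with a two-character status field (e.g. "*>" or "* "),
# followed by an IPv4 prefix and the next-hop address. Requiring a real prefix
# keeps the header line ("   Network ...") from matching.
ROUTE_LINE = re.compile(
    r"^(?P<flags>[*>sdhiS ]{2})\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?P<next_hop>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_routes(text):
    """Return (prefix, next_hop, valid, best) tuples for every route line."""
    rows = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        rows.append((m.group("prefix"), m.group("next_hop"),
                     "*" in flags, ">" in flags))
    return rows


def path_state(text):
    """Map each prefix to its current best next hop and its valid backup next hops."""
    state = {}
    for prefix, next_hop, valid, best in parse_routes(text):
        entry = state.setdefault(prefix, {"best": None, "backups": []})
        if best:
            entry["best"] = next_hop
        elif valid:
            entry["backups"].append(next_hop)
    return state


def prefixes_without_backup(text):
    """Prefixes that would be lost outright if their only path failed."""
    return sorted(p for p, e in path_state(text).items() if not e["backups"])


def prefixes_failed_over(text, primary_next_hops):
    """Prefixes whose best path is no longer via one of the primary next hops."""
    primary = set(primary_next_hops)
    return sorted(p for p, e in path_state(text).items()
                  if e["best"] not in primary)


if __name__ == "__main__":
    # Constructed assumption: 169.254.10.1 is the tunnel we expect to carry traffic.
    for prefix, entry in path_state(SAMPLE_TABLE).items():
        print(f"{prefix}: best via {entry['best']}, backups {entry['backups']}")
    print("failed over:", prefixes_failed_over(SAMPLE_TABLE, ["169.254.10.1"]))
    print("no backup:", prefixes_without_backup(SAMPLE_TABLE))
```

Running this periodically and alerting when `prefixes_failed_over` becomes non-empty gives a direct timestamp for when the best path moved, which is a more reliable way to measure the 20~30 second window than watching pings.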
1 Answer

Accepted Answer

The failover times that you are seeing are within the acceptable range. BFD will not provide sub-millisecond failover between VPN and DX connections. BFD will provide quick failover between DX connections.

AWS VPN doesn't implement BFD. Best practice is to have BGP-based VPN connections. Internally, it will take a few seconds for routes to converge and fail over from DX to VPN and vice versa.

AWS
jkaps
answered 4 years ago
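To make the answer's point concrete, here is an added Python example (not from the answer or from AWS) that estimates, from the timers in the configuration above, how long each liveness mechanism needs before BGP can withdraw a failed path. The BFD interval/multiplier and the DPD retry interval are the values shown in the question; the DPD retry count and the BGP hold times are labelled assumptions and should be replaced with the values actually negotiated on the routers (`get router info bgp neighbors` on the FortiGate, `show ip bgp neighbors` on the Cisco router).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    name: str
    detect_s: float  # worst-case seconds from failure to the peer being declared down
    source: str      # which values come from the page and which are assumed


def bfd_detection_s(interval_ms, multiplier):
    """BFD declares the peer down after `multiplier` consecutive missed
    control packets, each expected every `interval_ms` milliseconds."""
    return interval_ms * multiplier / 1000.0


def dpd_detection_s(retry_interval_s, retry_count):
    """IKE dead-peer detection: one probe every `retry_interval_s` seconds,
    peer declared dead after `retry_count` unanswered probes."""
    return float(retry_interval_s * retry_count)


def bgp_hold_detection_s(local_hold_s, peer_hold_s):
    """Without a faster liveness check, a dead BGP peer is only noticed when
    the hold timer expires; the session uses the smaller of the two configured values."""
    return float(min(local_hold_s, peer_hold_s))


def fastest(detectors):
    """The failed path is withdrawn as soon as the first detector fires."""
    return min(detectors, key=lambda d: d.detect_s)


def dx_detectors():
    """Mechanisms that can notice a DX link failure on the Cisco side."""
    return [
        # From the page: "bfd interval 100 min_rx 100 multiplier 3"
        Detector("BFD on the DX sub-interface", bfd_detection_s(100, 3),
                 "page: interval 100, multiplier 3"),
        # Assumption: IOS default hold time 180 s locally, 90 s on the AWS side
        Detector("BGP hold timer on the DX session", bgp_hold_detection_s(180, 90),
                 "assumption: local 180 s, peer 90 s"),
    ]


def vpn_detectors():
    """Mechanisms that can notice a VPN tunnel failure on the FortiGate side."""
    return [
        # From the page: "set dpd-retryinterval 1"; assumption: retry count 3
        Detector("IKE DPD on the VPN tunnel", dpd_detection_s(1, 3),
                 "page: retry interval 1 s; assumption: retry count 3"),
        # Assumption: FortiOS default hold time 180 s locally, 30 s on the AWS VPN side
        Detector("BGP hold timer on the VPN session", bgp_hold_detection_s(180, 30),
                 "assumption: local 180 s, peer 30 s"),
    ]


def detection_budget_s():
    """Worst-case seconds before BGP can withdraw the path, per failure scenario."""
    return {
        "dx_link_failure": fastest(dx_detectors()).detect_s,
        "vpn_tunnel_failure": fastest(vpn_detectors()).detect_s,
    }


if __name__ == "__main__":
    for scenario, detectors in (("DX link failure", dx_detectors()),
                                ("VPN tunnel failure", vpn_detectors())):
        winner = fastest(detectors)
        print(f"{scenario}: {winner.name} fires first after ~{winner.detect_s:g} s "
              f"({winner.source})")
```

Detection is only the first stage: after the detector fires, the local BGP process still has to withdraw the path, re-run best-path selection and program the new next hop, and the remote side has to do the same in the other direction, so the observed failover time is the detection budget plus that convergence. The numbers make the asymmetry in the answer visible: the DX side is bounded by BFD at well under a second, while the VPN side has no BFD and is bounded by DPD or the hold timer.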
