Unable to ping remote side of Cisco VTI tunnel or establish BGP session

I have set up two tunnels between AWS and a Cisco ASA using VTI and dynamic routing. The tunnel interfaces come up/up and the AWS console shows that IPSEC is UP. BGP debugging shows 'BGP: <AWS tunnel ip> open failed: Connection refused by remote host'. I'm unable to ping the AWS tunnel IPs. I can ping the AWS tunnel IPs on other ASAs connected to other VPCs. I've deleted the Site-to-Site tunnel and recreated it with the same results. Any ideas on how to resolve this?

Topics

Networking & Content Delivery

Tags

Amazon VPC Networking & Content Delivery

Language

English

PWarren

asked 9 months ago383 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Check the BGP configuration on your customer gateway device and make sure the IP addresses and Autonomous System Numbers (ASN) of the local and remote BGP peers must be configured with the downloaded VPN configuration file.

Matt_E

answered 9 months ago

PWarren
9 months ago
Yes, the ASNs and addresses are configured as they are shown in the downloaded config.
Matt_E
9 months ago

On the Cisco ASA, modify the traffic selector (encryption domain) to 0.0.0.0/0 to both the local and remote CIDRs, and that will include the inside tunnel IP addresses 169.254.X.X

AWS is a route-based VPN and only supports a single security associations SA. When you modify the traffic selector to 0.0.0.0/0 on the Cisco ASA this will make sure you have a single SA.

On the AWS side, make sure the "Local IPv4 network CIDR" and "Remote IPv4 network CIDR" are at their default 0.0.0.0/0, this config can be found by choosing the VPN and then "Modify VPN connection options".

https://repost.aws/knowledge-center/vpn-connection-instability

Relevant content

Connect to multiple IPs on Cisco ASA through a single AWS VPN tunnel
YassineC
asked 4 months ago
ASA VTI to VPC Transit Gateway dual active tunnels (non BGP)
Accepted Answer
johnnsmith
asked 4 years ago
AWS Transit Gateway with Cisco ASA Routing Issues
MJP
asked 3 years ago
VPN Tunnel Instability Between AWS and On-Premise Cisco FTD Firewall
nmos
asked 4 months ago
How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?
AWS OFFICIALUpdated 2 years ago
How do I use a dynamic BGP to create a VPN tunnel between AWS and Oracle Cloud Infrastructure?
AWS OFFICIALUpdated a year ago
The VPN tunnel between my customer gateway and my virtual private gateway is Up, but I am unable to pass traffic through it. What can I do?
AWS OFFICIALUpdated 2 years ago
How do I check the current status of my VPN tunnel?
AWS OFFICIALUpdated 2 years ago
Efficiently way to use a dynamic BGP to create a VPN tunnel between AWS and Oracle Cloud Infrastructure
EXPERT
Vinay Gugueoth
published 6 months ago
Configuration of a dynamic routing based Site-to-Site VPN between AWS Cloud and Google Cloud Platform
EXPERT
Vinay Gugueoth
published 6 months ago