Unable to ping remote side of Cisco VTI tunnel or establish BGP session


I have set up two tunnels between AWS and a Cisco ASA using VTI and dynamic routing. The tunnel interfaces come up/up and the AWS console shows that IPSEC is UP. BGP debugging shows 'BGP: <AWS tunnel ip> open failed: Connection refused by remote host'. I'm unable to ping the AWS tunnel IPs. I can ping the AWS tunnel IPs on other ASAs connected to other VPCs. I've deleted the Site-to-Site tunnel and recreated it with the same results. Any ideas on how to resolve this?

asked 7 months ago310 views
1 Answer
  • Check the BGP configuration on your customer gateway device and make sure the IP addresses and Autonomous System Numbers (ASN) of the local and remote BGP peers must be configured with the downloaded VPN configuration file.
profile pictureAWS
answered 7 months ago
  • Yes, the ASNs and addresses are configured as they are shown in the downloaded config.

    • On the Cisco ASA, modify the traffic selector (encryption domain) to to both the local and remote CIDRs, and that will include the inside tunnel IP addresses 169.254.X.X
    • AWS is a route-based VPN and only supports a single security associations SA. When you modify the traffic selector to on the Cisco ASA this will make sure you have a single SA.
    • On the AWS side, make sure the "Local IPv4 network CIDR" and "Remote IPv4 network CIDR" are at their default, this config can be found by choosing the VPN and then "Modify VPN connection options".


You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions