AWS re:Post Knowledge Center Feedback Survey

Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.

Unable to ping remote side of Cisco VTI tunnel or establish BGP session

I have set up two tunnels between AWS and a Cisco ASA using VTI and dynamic routing. The tunnel interfaces come up/up and the AWS console shows that IPSEC is UP. BGP debugging shows 'BGP: <AWS tunnel ip> open failed: Connection refused by remote host'. I'm unable to ping the AWS tunnel IPs. I can ping the AWS tunnel IPs on other ASAs connected to other VPCs. I've deleted the Site-to-Site tunnel and recreated it with the same results. Any ideas on how to resolve this?

Topics: Networking & Content Delivery
Tags: Amazon VPC Networking & Content Delivery
Language: English

PWarren

asked 2 years ago878 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Check the BGP configuration on your customer gateway device and make sure the IP addresses and Autonomous System Numbers (ASN) of the local and remote BGP peers must be configured with the downloaded VPN configuration file.

Matt_E

answered 2 years ago

PWarren
2 years ago
Yes, the ASNs and addresses are configured as they are shown in the downloaded config.
Matt_E
2 years ago

On the Cisco ASA, modify the traffic selector (encryption domain) to 0.0.0.0/0 to both the local and remote CIDRs, and that will include the inside tunnel IP addresses 169.254.X.X

AWS is a route-based VPN and only supports a single security associations SA. When you modify the traffic selector to 0.0.0.0/0 on the Cisco ASA this will make sure you have a single SA.

On the AWS side, make sure the "Local IPv4 network CIDR" and "Remote IPv4 network CIDR" are at their default 0.0.0.0/0, this config can be found by choosing the VPN and then "Modify VPN connection options".

https://repost.aws/knowledge-center/vpn-connection-instability

Relevant content

ASA VTI to VPC Transit Gateway dual active tunnels (non BGP)
Accepted Answer
johnnsmith
asked 6 years ago
AWS Transit Gateway with Cisco ASA Routing Issues
MJP
asked 5 years ago
Connect to multiple IPs on Cisco ASA through a single AWS VPN tunnel
YassineC
asked 2 years ago
Amazon Linux 2023 + Libreswan: iBGP over VTI interfaces fails - Unidirectional traffic issue
sivaneshl
asked 6 months ago
How do I use a dynamic BGP to create a VPN tunnel between AWS and Oracle Cloud Infrastructure?
AWS OFFICIALUpdated 3 years ago
How can I configure a dynamic routing based Site-to-Site VPN between AWS and Google Cloud Platform?
AWS OFFICIALUpdated 3 years ago
The VPN tunnel between my customer gateway and my virtual private gateway is Up, but I am unable to pass traffic through it. What can I do?
AWS OFFICIALUpdated 3 years ago
How do I troubleshoot BGP connection issues over VPN?
AWS OFFICIALUpdated a year ago
AWS Site-to-Site VPN Configuration Guide for Cisco Firepower firewalls
EXPERT
tapple (AWS)
published 4 months ago
Efficiently way to use a dynamic BGP to create a VPN tunnel between AWS and Oracle Cloud Infrastructure
EXPERT
Vinay Gugueoth
published 2 years ago

Unable to ping remote side of Cisco VTI tunnel or establish BGP session

Add your answer

Relevant content