bgp status stuck in active

0

I'm trying to set up a Direct Connect and configure a BGP session over a private VIF terminated on a DX gateway. I can ping the AWS point-to-point IP address, but the BGP session doesn't get established and is stuck in the Active state. No firewalls or ACLs are applied on the CGW. Another thing to point out is that when I try to telnet from the CGW to the Amazon end on port 179 I get no response. Can you please provide some insights? I'm running a Cisco ASR 1002-X.

Jess
asked a year ago · 681 views
4 Answers
1
Accepted Answer

From the logs, it's clear that the BGP peers aren't agreeing on the BGP capability that is negotiated during BGP Open Message, particularly the sub-AFI.

Can you check at the CGW what the AFI/Sub-AFI family is? It should be Unicast-IPv4 and this is defined under the BGP process at your CGW.

You can share the output of the command: show run | se router bgp

AWS
mml
answered a year ago
AWS EXPERT
reviewed a year ago
  • Thanks mml, that solved the issue. We had the wrong address family configured (VPN4). We changed it to unicast IPv4 as you said and BGP is up now.
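As an added illustration (not code from the thread, from AWS, or from the ASR), the following Python encodes and decodes the Multiprotocol Extensions capability carried in the BGP OPEN message and reports the same disjoint-capability outcome mml describes whenever the CGW offers no family in common with the AWS side, which is assumed here to accept only IPv4 unicast on a private VIF. The ASN 65000, hold time 90 and router ID 192.0.2.1 are constructed sample values.

```python
import socket
import struct

MARKER = b"\xff" * 16
IPV4_UNICAST = (1, 1)  # AFI 1 = IPv4, SAFI 1 = unicast: the family a DX private VIF expects
AFI_NAMES = {1: "IPv4", 2: "IPv6", 3: "NSAP"}
SAFI_NAMES = {1: "unicast", 2: "multicast", 128: "MPLS-labeled VPN"}

def build_open(my_as, hold_time, router_id, families):
    """Encode a BGP OPEN (type 1) with one MP-BGP capability (code 1) per (AFI, SAFI) pair."""
    caps = b"".join(struct.pack("!BBHBB", 1, 4, afi, 0, safi) for afi, safi in families)
    params = struct.pack("!BB", 2, len(caps)) + caps  # optional parameter type 2 = Capabilities
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, socket.inet_aton(router_id), len(params))
    return MARKER + struct.pack("!HB", 19 + len(body) + len(params), 1) + body + params

def parse_open_families(msg):
    """Decode the (AFI, SAFI) pairs advertised in an OPEN's Multiprotocol Extensions capabilities."""
    if msg[:16] != MARKER or msg[18] != 1:
        raise ValueError("not a BGP OPEN message")
    params = msg[29:29 + msg[28]]  # byte 28 = optional parameters length
    families, pos = [], 0
    while pos < len(params):
        ptype, plen = params[pos], params[pos + 1]
        if ptype == 2:  # Capabilities optional parameter (RFC 5492)
            caps, cpos = params[pos + 2:pos + 2 + plen], 0
            while cpos < len(caps):
                code, clen = caps[cpos], caps[cpos + 1]
                if code == 1 and clen == 4:  # Multiprotocol Extensions (RFC 4760)
                    afi, _reserved, safi = struct.unpack("!HBB", caps[cpos + 2:cpos + 6])
                    families.append((afi, safi))
                cpos += 2 + clen
        pos += 2 + plen
    return families

def fam(afi_safi):
    return f"{AFI_NAMES.get(afi_safi[0], afi_safi[0])}/{SAFI_NAMES.get(afi_safi[1], afi_safi[1])}"

def check_families(cgw_open, aws_families=(IPV4_UNICAST,)):
    """Return (ok, reason); ok is False when no family is common, the 2/7 case in the logs."""
    offered = parse_open_families(cgw_open)
    common = [f for f in offered if f in aws_families]
    if common:
        return True, "negotiated " + ", ".join(map(fam, common))
    return False, "NOTIFICATION 2/7 (unsupported/disjoint capability): CGW offered only " + ", ".join(map(fam, offered))

if __name__ == "__main__":
    # Constructed sample values: private ASN 65000, hold time 90, router ID 192.0.2.1.
    for families in ([(1, 128)], [(3, 1)], [(1, 1)]):  # VPNv4 only, NSAP unicast only, IPv4 unicast
        print(families, check_families(build_open(65000, 90, "192.0.2.1", families)))
```

The first two runs reproduce the "AFI/SAFI not supported" outcome from the CGW log; only the OPEN that carries IPv4/unicast negotiates.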

1

That's great. As for your question on why you don't see a response when you telnet to the AWS endpoint on port 179: remember we use a TCP MD5 signature to encrypt the BGP session, and as such, when you try to telnet on port 179, the TCP SYN packet doesn't have the MD5 option. Based on TCP protocol rules, it won't respond or send a TCP RST, simply as a protection mechanism; therefore, you feel the far end isn't responsive. I hope that answers your question.

AWS
mml
answered a year ago
  • Thanks mml for the explanation, that cleared my doubts. Cheers!

0

Hi, can you post the output of the command "show logs" on your CGW? Also, can you run a packet capture to see what's happening? You can do so on the ASR platform by running these commands:

    monitor capture capture-name interface interface-name both
    monitor capture capture-name start

Keep it running for a couple of minutes and then run:

    monitor capture capture-name stop
    monitor capture capture-name export file-location/file-name

AWS
mml
answered a year ago
  • *Dec 26 04:21:04.042: %BGP-5-ADJCHANGE: neighbor 169.254.254.25 active Down AFI/SAFI not supported
    *Dec 26 04:21:16.330: %BGP_SESSION-5-ADJCHANGE: neighbor 169.254.254.25 NSAP Unicast topology base removed from session Capability changed
    *Dec 26 04:21:16.330: %BGP-3-NOTIFICATION: received from neighbor 169.254.254.25 active 2/7 (unsupported/disjoint capability)
    *Dec 26 04:21:16.330: %BGP-5-NBR_RESET: Neighbor 169.254.254.25 active reset (BGP Notification received)
    *Dec 26 04:21:16.334: %BGP-5-ADJCHANGE: neighbor 169.254.254.25 active Down AFI/SAFI not supported

0

Hello,

Check if the DX connection is UP or not. Post that, check if the DX-VIF is in available state.

Once verified, there must be connectivity between the BGP peer IPs on both your end and the AWS end. Basically, the TCP connection is not getting established in this case.

Check and verify the configuration on your Direct Connect router. The IP addresses of the local and remote BGP peers, the local and remote BGP Autonomous System Numbers (ASN), and the BGP MD5 password must be configured as in the Direct Connect configuration file downloaded from the Direct Connect console. Verify that the Direct Connect router or any other device is not blocking ingress or egress on TCP port 179 and the other appropriate ephemeral ports. BGP peers can't be more than one hop away from each other because external BGP (eBGP) multi-hop is disabled on the AWS end.

If this does not help, to get the connection checked internally, you might have to open up a case with the Direct connect team using your account and support plan.

Hope this helps !!

AWS
SUPPORT ENGINEER
answered a year ago
  • It seems that these parameters that you mentioned are not related to the issue as we verified them.
