Data Loss in Site to Site BGP Tunnel 1

0

Why do I get packet loss when my customer pings Tunnel 1 of my Site-to-Site VPN with BGP, but when he pings Tunnel 2 there is no packet loss? Both tunnels are up. Can anyone help me resolve this?

  • Are you pinging the AWS public endpoint (public IP) that was generated as part of your VPN config, and that is what is dropping packets on tunnel 1?

2 Answers
0
Accepted Answer

If the ping works when you bring down one of the VPN tunnels (as you described in one of your replies), then the problem is likely related to what is called asymmetric routing. In brief, it happens when your packets enter VPN Tunnel 1 on the AWS side but exit VPN Tunnel 2 on the AWS side, in which case your Customer Gateway (CGW) "sees" a ping reply coming from Tunnel 2 when no ping request was sent through Tunnel 2. Some CGWs may drop such traffic depending on their configuration and capabilities. This behaviour is described in that article. It also has step-by-step instructions on how to check in CloudWatch whether your traffic is routed asymmetrically.

When you turn one of the tunnels down, the CGW "sees" ping requests and replies exiting and entering the same tunnel, in which case the CGW may allow that traffic through depending on its configuration.

The first article is provided only to better describe the concept of asymmetric routing and how to check it in CloudWatch. The concept is the same for static and dynamic VPN. Because the first article is about static VPN, here is another article that talks about dynamic VPN. It describes how to configure a CGW to make AWS VPN endpoint(s) "prefer" a certain VPN tunnel when sending traffic from AWS to the CGW.

In summary, to avoid problems related to asymmetric routing, you can either configure your CGW to allow certain "reply" traffic through a tunnel where the CGW didn't "see" any "request" traffic; or you can make AWS VPN endpoint(s) "prefer" a certain tunnel when forwarding traffic to the CGW (as described in the second article) and at the same time make your CGW use the same tunnel to send traffic to AWS.

AWS
Max
answered 7 months ago
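One way to turn the CloudWatch check described in this answer into code, as an added example that is not part of the original thread: it takes per-tunnel TunnelDataIn / TunnelDataOut byte counts (the real AWS Site-to-Site VPN metric names) sampled over a ping test and reports whether requests and replies used the same tunnel. The sample values are constructed, and the noise threshold is an assumption to absorb BGP keepalive and DPD traffic that is present on an otherwise idle tunnel.

```python
"""Classify AWS Site-to-Site VPN traffic as symmetric or asymmetric
from CloudWatch TunnelDataIn / TunnelDataOut byte counts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelSample:
    tunnel: str     # e.g. "Tunnel 1" / "Tunnel 2"
    data_in: int    # TunnelDataIn: bytes AWS received through this tunnel
    data_out: int   # TunnelDataOut: bytes AWS sent through this tunnel


def classify_routing(samples, noise_bytes=2000):
    """Return 'idle', 'symmetric', 'asymmetric' or 'mixed'.

    noise_bytes (assumed value) hides BGP keepalive / DPD traffic, which
    keeps both counters slightly above zero even on a tunnel that carries
    no user traffic, so a plain non-zero test would misclassify.
    """
    active_in = {s.tunnel for s in samples if s.data_in > noise_bytes}
    active_out = {s.tunnel for s in samples if s.data_out > noise_bytes}
    if not active_in and not active_out:
        return "idle"
    if len(active_in) == 1 and active_in == active_out:
        return "symmetric"          # request and reply share one tunnel
    if active_in and active_out and active_in.isdisjoint(active_out):
        return "asymmetric"         # in on one tunnel, out on the other
    return "mixed"                  # both directions spread over tunnels


def report(samples, noise_bytes=2000):
    """Human-readable summary of the verdict and which tunnels carried data."""
    verdict = classify_routing(samples, noise_bytes)
    ins = sorted(s.tunnel for s in samples if s.data_in > noise_bytes)
    outs = sorted(s.tunnel for s in samples if s.data_out > noise_bytes)
    return f"{verdict}: AWS received via {ins or 'none'}, sent via {outs or 'none'}"


# Constructed samples: a ping test where the CGW sends via Tunnel 1 but
# AWS returns the replies via Tunnel 2, the pattern the answer describes.
ASYMMETRIC_PING = [
    TunnelSample("Tunnel 1", data_in=98_000, data_out=1_200),
    TunnelSample("Tunnel 2", data_in=1_100, data_out=97_500),
]

if __name__ == "__main__":
    print(report(ASYMMETRIC_PING))
```

A stateful CGW dropping replies in the "asymmetric" case is exactly the packet loss on one tunnel seen in the question; a "mixed" verdict points at per-packet load balancing, which stateful devices also tend to drop.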
0

Hi,

Maybe you can review your current config based on this article to detect any discrepancy in your configuration?

See https://totaluptime.com/kb/creating-active-active-vpn-tunnel-aws-bgp/

Best,

Didier

AWS
EXPERT
answered 7 months ago
  • Yeah, I have done that. Earlier we were unable to ping, so he had to disable NAT on the on-premises site. After doing that, when all the tunnels are up we cannot ping each other, but when we bring down Tunnel 1 and leave Tunnel 2 up we don't get any data/packet loss.
