Can't ping AWS-side of the tunnel from on-premise router

0

Simple setup: VPC with public and private subnets, VPG, S2S VPN connection with an on-prem router, static routing. Downloaded the config for the router (Cisco ISR 1921) from the VPN Connection page and successfully applied it. Now I have 2 tunnels to the VPC, and I want to set up SLAs to track the tunnels' state and modify the ISR route table accordingly.

Tunnel 1: 169.254.1.6/30
Tunnel 2: 169.254.2.6/30

ip sla 100
 icmp-echo 169.254.1.5 source-interface Tunnel1
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
 icmp-echo 169.254.2.5 source-interface Tunnel2
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 200 life forever start-time now

But I got timeouts for both SLAs.

Tried to ping the AWS end from the router manually, with the same result:

chd-r0-c1921#show ip route 169.254.1.5
Routing entry for 169.254.1.4/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Tunnel1
      Route metric is 0, traffic share count is 1
chd-r0-c1921#
chd-r0-c1921#
chd-r0-c1921#ping 169.254.1.5 source Tunnel1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.1.5, timeout is 2 seconds:
Packet sent with a source address of 169.254.1.6
.....
Success rate is 0 percent (0/5)
chd-r0-c1921#
asked 2 years ago, 795 views
2 Answers
0

IP addressing seems correct. Are you able to confirm that the tunnels are indeed up? You should be able to ping them.

AWS
answered 2 years ago
0

Yes, both tunnels are working. I've added a static route to the config:

ip route 10.110.0.0 255.255.0.0 Tunnel2

and now can successfully communicate between on-prem VMs and AWS instances (both private and public segments). Also, I can change the route to Tunnel1, and it works too. But I need to set up SLAs to automatically switch between tunnels. Checked one more time just now. Still no ping:

chd-r0-c1921#ping 169.254.2.5 source tunnel 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.2.5, timeout is 2 seconds:
Packet sent with a source address of 169.254.2.6
.....
Success rate is 0 percent (0/5)
chd-r0-c1921#ping 10.110.110.96
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.110.110.96, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
chd-r0-c1921#ping 10.110.110.96 sour
chd-r0-c1921#ping 10.110.110.96 source vlan 41
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.110.110.96, timeout is 2 seconds:
Packet sent with a source address of 10.100.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/67/72 ms
chd-r0-c1921#

https://i.imgur.com/KnWQEo2.png

answered 2 years ago
