
S2S VPN connection not tunnel swap

0

Hi All

Doing a pair of tunnels towards the remote end (Fortigate), whereby this firewall's public network is using the BGP routing protocol.

I am facing the issue as follows:

  1. The tunnel swapped from the original tunnel 1 to tunnel 2 without my knowledge. I only knew this when I looked at my Transit Gateway route table resource ID (it shows exactly which tunnel I am connected to, i.e. the tunnel 2 outside IP).

When this happened, the status of both tunnels was showing green, and I did not see any change to the last status change date.

How I overcame this was to manually replace the tunnel on tunnel 1's IP; this action puts tunnel 1 temporarily into down mode, and voilà, data was able to traverse tunnel 2.

This action, I guess, was like "bounce tunnel 1, please reroute to tunnel 2".

Questions:

  a. Is it that when this happens, the tunnel outside IP shows the tunnel, and yet no failover happens?
  b. Will checking the "skip tunnel replacement" option prevent this from happening? I am not sure what this is used for.
  c. How can I advise the Fortigate to check? Is route load sharing causing both links to always be up and causing this?

Thanks

Noel

1 Answer
0

Based on your description, it seems you're experiencing some unexpected behavior with your Site-to-Site VPN connection using AWS Transit Gateway. Let's address your questions:

a. When you observe the tunnel outside IP showing for a specific tunnel, but no failover occurs, it's possible that the BGP session is still established on the original tunnel, even though the Transit Gateway route table is showing a different tunnel. This can happen due to the way AWS manages redundancy in S2S VPN connections.

b. The "Skip tunnel replacement" option is not directly related to this issue. This option is typically used to prevent AWS from automatically replacing tunnels during maintenance or updates. It wouldn't prevent the behavior you're experiencing with tunnel swapping.

c. Regarding the Fortigate configuration, it's important to check a few things:

  1. Ensure that BGP is properly configured on both tunnels.
  2. Verify that the Fortigate is not load balancing between the two tunnels. While AWS supports equal-cost multi-path (ECMP) routing, not all customer gateways handle it correctly.
  3. Check the BGP timers and keep-alive settings on the Fortigate to ensure they match AWS recommendations.
  4. Review the Fortigate logs to see if there are any BGP session flaps or other issues that might be causing the unexpected tunnel swaps.

To address the issue:

  1. Consider adjusting BGP timers on both ends to be more sensitive to link failures.
  2. Implement proper monitoring on both AWS and Fortigate sides to detect and alert on tunnel status changes.
  3. If possible, configure your Fortigate to prefer one tunnel over the other (e.g., by manipulating BGP attributes) to maintain a more predictable routing behavior.

Remember that AWS VPN connections are designed for high availability, and some level of tunnel swapping is normal. However, if it's causing issues with your specific setup, you may need to fine-tune your configuration or consider alternative designs that provide more control over the routing behavior.

Sources
VPN S2S With Public VIF Enabled | AWS re:Post
Site 2 site VPN | AWS re:Post
Troubleshoot AWS Site-to-Site VPN connectivity with a Yamaha customer gateway device - AWS Site-to-Site VPN

answered a year ago
AWS
EXPERT
reviewed 10 months ago
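As an added example (not code from this thread, from AWS, or from Fortinet), here is a monitoring check for the case the asker describes: both tunnels stay green and the last status change date does not move, yet the accepted BGP routes now arrive over the other tunnel. It uses the VgwTelemetry fields that EC2 DescribeVpnConnections returns; the two snapshots are constructed, and in practice they would come from a boto3 `describe_vpn_connections` call on a schedule.

```python
"""Detect a silent tunnel swap on an AWS Site-to-Site VPN (added example,
not from the re:Post thread). Compares two snapshots of the VgwTelemetry
list returned by EC2 DescribeVpnConnections (real field names; snapshots
are constructed) and flags the case in the question: every tunnel still
reports UP with an unchanged LastStatusChange, yet the accepted BGP
routes now arrive over a different tunnel."""
from datetime import datetime, timezone

T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)

# Constructed snapshot: tunnel 1 (.10) carries the routes, tunnel 2 is up but idle.
PREVIOUS_TELEMETRY = [
    {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
     "AcceptedRouteCount": 5, "LastStatusChange": T0},
    {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
     "AcceptedRouteCount": 0, "LastStatusChange": T0},
]
# Constructed later snapshot: same statuses and timestamps, routes moved to tunnel 2.
CURRENT_TELEMETRY = [
    {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
     "AcceptedRouteCount": 0, "LastStatusChange": T0},
    {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
     "AcceptedRouteCount": 5, "LastStatusChange": T0},
]

def routing_tunnels(telemetry):
    """Outside IPs of tunnels that are UP and carry accepted BGP routes."""
    return sorted(t["OutsideIpAddress"] for t in telemetry
                  if t["Status"] == "UP" and t["AcceptedRouteCount"] > 0)

def detect_swap(previous, current):
    """None if the routing tunnels are unchanged, else an alert dict.
    'silent' is True when no tunnel changed Status or LastStatusChange,
    i.e. the console would still show both tunnels green."""
    before, after = routing_tunnels(previous), routing_tunnels(current)
    if before == after:
        return None
    prev_state = {t["OutsideIpAddress"]: (t["Status"], t["LastStatusChange"])
                  for t in previous}
    silent = all(prev_state.get(t["OutsideIpAddress"])
                 == (t["Status"], t["LastStatusChange"]) for t in current)
    return {"previous": before, "current": after, "silent": silent}

if __name__ == "__main__":
    print(detect_swap(PREVIOUS_TELEMETRY, CURRENT_TELEMETRY))
```

A `silent` alert is the signal worth paging on, since the tunnel status alone would never have shown the change.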
