How do I troubleshoot BGP connection issues over VPN?

Last updated: 2021-05-04

My BGP session can't establish a connection or is in an idle state over my VPN tunnel. How can I troubleshoot this?

Resolution

To troubleshoot BGP connection issues over VPN, check the following:

Check the underlying VPN connection

For BGP-based VPN connections, the BGP session can be established only if the VPN tunnel is up. If the VPN tunnel is down or flapping, you'll experience issues with establishing the BGP session. Verify that the VPN is up and stable. If the VPN is not coming up or it isn't stable, see the following:

Check the BGP configuration on your customer gateway device

  • The IP addresses of the local and remote BGP peers must be configured with the downloaded VPN configuration file from the VPC console.
  • The local and remote BGP Autonomous System Numbers (ASN) must be configured with the downloaded VPN configuration file from the VPC console.
  • If the configuration settings are correct, then ping the remote BGP peer IP from your local BGP peer IP to verify the connectivity between BGP peers.
  • Be sure that the BGP peers are directly connected to each other. External BGP (EBGP) multi-hop is disabled on AWS.

Note: If your BGP session is flapping between active and connect states, verify that TCP port 179 and other relevant ephemeral ports are not blocked.

Debugs and packet captures

If the BGP configuration on the customer gateway is verified and the pings between the BGP peer IPs are working, then collect this information from the customer gateway device for further analysis:

  • BGP and TCP debugs
  • BGP logs
  • Packet captures for traffic between the BGP peer IPs

Check if the BGP session is going from established to idle states

For VPN on a VGW, if you see the BGP session going from established to idle state, then verify the number of routes that you are advertising over the BGP session. You can advertise up to 100 routes over the BGP session. If the number of routes advertised over the BGP session is more than 100, then the BGP session goes to the idle state.

To resolve this, do one of the following:

Advertise a default route to route to AWS, or summarize the routes so that the number of routes received is fewer than 100.

-or-

You can migrate your VPN connection to a transit gateway as transit gateway supports 1,000 routes advertised from a customer gateway.

For more information, see Site-to-Site VPN quotas.