My BGP session cannot establish a connection or is in an idle state over my VPN tunnel. How can I troubleshoot this?
To troubleshoot BGP connection issues over VPN, check the following:
Check the underlying VPN connection
For BGP-based VPN connections, the BGP session can only be established if the VPN tunnel is up. If the VPN tunnel is down or flapping, you will experience issues with establishing the BGP session. Verify that the VPN is up and stable. If the VPN is not coming up or it is not stable, see the following:
- I can’t establish my VPN tunnel: Internet Key Exchange (IKE) is failing
- I can’t establish my VPN tunnel: IPsec is failing
- How do I troubleshoot VPN tunnel inactivity or instability issues for my network device?
Check the BGP configuration on your customer gateway device
- The IP addresses of the local and remote BGP peers must match the values in the VPN configuration file downloaded from the VPC console.
- The local and remote BGP autonomous system numbers (ASNs) must match the values in the VPN configuration file downloaded from the VPC console.
- If the configuration settings are correct, ping the remote BGP peer IP from your local BGP peer IP to verify connectivity between the BGP peers.
- Be sure that the BGP peers are directly connected to each other: external BGP (eBGP) multihop is disabled on AWS.
Note: If your BGP session is flapping between active and connect states, verify that TCP port 179 and other relevant ephemeral ports are not blocked.
Debugs and packet captures
If the BGP configuration on the customer gateway is verified and the pings between the BGP peer IPs are working, collect this information from the customer gateway device for further analysis:
- BGP and TCP debugs
- BGP logs
- Packet captures for traffic between the BGP peer IPs
Check if the BGP session is going from established to idle states
- For VPN, if you see the BGP session going from the established state to the idle state, verify how many routes you are advertising over the BGP session. You can advertise up to 100 routes over the BGP session. If more than 100 routes are advertised, the BGP session goes to the idle state.
- If you have more than 100 networks in your on-premises network, you can advertise a default route over the BGP session to AWS instead.
- Alternatively, you can summarize the routes so that fewer than 100 routes are advertised.
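As an added example (not part of the AWS article), the following Python script performs two of the checks above offline: it compares the customer gateway's BGP peer addresses and ASNs with the values from the downloaded configuration file and confirms the peers share a /30 (directly connected, no eBGP multihop), and it counts the prefixes you intend to advertise, flags a count over 100, and shows what route summarization would reduce them to. The inside tunnel addresses, ASNs and prefix lists are constructed sample values, not taken from a real configuration file.

```python
import ipaddress

# Limit stated in the article: advertising more than 100 routes over the
# BGP session sends it to the idle state.
MAX_ADVERTISED_ROUTES = 100

def check_peering(cgw_cfg, downloaded_cfg):
    """Compare the customer gateway's BGP settings with the values from the
    downloaded VPN configuration file and return a list of findings."""
    findings = []
    for key in ("local_ip", "remote_ip", "local_asn", "remote_asn"):
        if cgw_cfg.get(key) != downloaded_cfg.get(key):
            findings.append(f"{key}: device has {cgw_cfg.get(key)!r}, "
                            f"config file says {downloaded_cfg.get(key)!r}")
    # Peers must be directly connected (no eBGP multihop): both inside
    # tunnel addresses must sit in the same /30.
    local = ipaddress.ip_address(cgw_cfg["local_ip"])
    link = ipaddress.ip_network(f"{local}/30", strict=False)
    if ipaddress.ip_address(cgw_cfg["remote_ip"]) not in link:
        findings.append(f"remote_ip {cgw_cfg['remote_ip']} is not in {link}; "
                        "peers are not directly connected")
    return findings

def check_advertised(prefixes, limit=MAX_ADVERTISED_ROUTES):
    """Count the routes that would be advertised and show how far
    summarization (collapsing adjacent prefixes) would reduce them."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    summarized = [str(n) for n in ipaddress.collapse_addresses(nets)]
    return {
        "advertised": len(nets),
        "within_limit": len(nets) <= limit,
        "summarized": summarized,
        "summarized_within_limit": len(summarized) <= limit,
    }

if __name__ == "__main__":
    # Constructed sample values (not from any real VPN configuration file).
    downloaded = {"local_ip": "169.254.10.1", "remote_ip": "169.254.10.2",
                  "local_asn": 65000, "remote_asn": 64512}
    device = dict(downloaded, remote_asn=65512)   # mistyped remote ASN
    print(check_peering(device, downloaded))
    # 128 contiguous /24s: over the limit as-is, a single /17 once summarized.
    onprem = [f"10.0.{i}.0/24" for i in range(128)]
    print(check_advertised(onprem))
```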