AWS Transit VPC with 3rd party VPN (to AWS), no traffic hop-through

Adam Leggett
Level 1

Hi All - having a very weird issue that I can't get to the bottom of...


Using the AWS Transit VPC reference architecture, connected to one of our dev VPCs without issue. Now trying to stand up secondary tunnels to a 3rd party provider (also using AWS VPN, but cannot use the lambda config for additional spokes as we have no access to their VPC config).


Tunnels to both endpoints are up, and BGP route import/export seems to be working correctly between the VRFs, as both VRFs have installed and valid routes to each other. Traceroute from an instance on the Dev VRF side shows the traffic makes it to the transit router, then hops back and forth between the 2 tunnel IPs on the DEV VRF, rather than hopping through the other tunnel to the 3rdParty target IP.


Weird part - a traffic test back the other way, from 3rdParty to Dev, is successful (3 hops).


Any suggestions? Have slogged through a bunch of troubleshooting but cannot get traffic to move past the Transit Router...


ip vrf VRF3rdParty
 rd 64252:2241
 route-target export 64252:0
 route-target import 64252:0
!
ip vrf VRFDEV
 rd 64252:1
 route-target export 64252:0
 route-target import 64252:0
!
ip vrf vpn0
 rd 64252:0
!
!
interface Tunnel1
 ip vrf forwarding VRFDEV
 ip address
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination XXXX
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly
!
interface Tunnel2
 ip vrf forwarding VRFDEV
 ip address XXXX
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination XXXX
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly
!
interface Tunnel24
 ip vrf forwarding VRF3rdParty
 ip address xxxxx
 ip tcp adjust-mss 1379
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination xxxx
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly
!
interface Tunnel25
 ip vrf forwarding VRF3rdParty
 ip address xxxx
 ip tcp adjust-mss 1379
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination xxxx
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly
!
interface VirtualPortGroup0
 ip address 192.168.35.1 255.255.255.0
 ip nat inside
 no mop enabled
 no mop sysid
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
router bgp 64252
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf VRF3rdParty
  neighbor 169.254.xx.xx remote-as 7224
  neighbor 169.254.xx.xx timers 10 30 30
  neighbor 169.254.xx.xx activate
  neighbor 169.254.xx.xx as-override
  neighbor 169.254.xx.xx soft-reconfiguration inbound
  neighbor 169.254.xx.xx remote-as 7224
  neighbor 169.254.xx.xx timers 10 30 30
  neighbor 169.254.xx.xx activate
  neighbor 169.254.xx.xx next-hop-self
  neighbor 169.254.xx.xx as-override
  neighbor 169.254.xx.xx soft-reconfiguration inbound
 exit-address-family
 !
 address-family ipv4 vrf VRFDEV
  neighbor 169.254.xx.xx remote-as 7224
  neighbor 169.254.xx.xx timers 10 30 30
  neighbor 169.254.xx.xx activate
  neighbor 169.254.xx.xx next-hop-self
  neighbor 169.254.xx.xx as-override
  neighbor 169.254.xx.xx soft-reconfiguration inbound
  neighbor 169.254.xx.xx remote-as 7224
  neighbor 169.254.xx.xx timers 10 30 30
  neighbor 169.254.xx.xx activate
  neighbor 169.254.xx.xx next-hop-self
  neighbor 169.254.xx.xx as-override
  neighbor 169.254.xx.xx soft-reconfiguration inbound
 exit-address-family

1 Reply

Adam Leggett
Level 1

Solved... interop issue between AWS Classic VPN & AWS Managed VPN when using a VPC, and leveraging the Transit VPC architecture. Looks like funky behavior with BGP: classic VPN had no advertised MED value, so there was some mischief going on within the AWS BGP router on the VGW.


Fixed with a migration to full AWS Managed VPN.
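The reply above pins the problem on one peer advertising no MED at all. As an added illustration (not code from the thread or from AWS/Cisco), the simplified IOS best-path comparison below shows why an update with a missing MED skews selection: IOS treats an absent MED as 0 (the most preferred value) unless `bgp bestpath med missing-as-worst` is configured, which substitutes the maximum instead. The peer addresses and MED values are constructed for the example; both peers are in the VGW's AS 7224, as in the posted config, so their MEDs are compared even without `bgp always-compare-med`.

```python
from dataclasses import dataclass
from functools import reduce
from typing import List, Optional

# Value IOS substitutes for an absent MED under 'bgp bestpath med missing-as-worst'.
MED_MISSING_AS_WORST = 4294967295


@dataclass
class Path:
    """One BGP path for a prefix. Field names are this example's own."""
    neighbor: str                  # peer address the update came from
    as_path: List[int]
    med: Optional[int] = None      # None = update carried no MED attribute
    local_pref: int = 100
    weight: int = 0


def effective_med(p: Path, missing_as_worst: bool) -> int:
    # IOS default: a missing MED is treated as 0, i.e. as the best possible MED.
    if p.med is not None:
        return p.med
    return MED_MISSING_AS_WORST if missing_as_worst else 0


def prefer(a: Path, b: Path, missing_as_worst: bool = False) -> Path:
    """Return the better of two paths using the first IOS best-path steps:
    weight, local preference, AS-path length, then MED. MED is compared only
    when both paths come from the same neighboring AS (default behaviour
    without 'bgp always-compare-med'). On a full tie the first path is kept."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if a.as_path[:1] == b.as_path[:1]:
        ma, mb = effective_med(a, missing_as_worst), effective_med(b, missing_as_worst)
        if ma != mb:
            return a if ma < mb else b
    return a


def best_path(paths: List[Path], missing_as_worst: bool = False) -> Path:
    return reduce(lambda x, y: prefer(x, y, missing_as_worst), paths)


# Constructed sample: one prefix learned from two VGW peers in AS 7224. The
# Managed VPN peer sends MED 100; the Classic VPN peer sends no MED at all.
MANAGED = Path("169.254.0.1", [7224], med=100)
CLASSIC = Path("169.254.0.5", [7224], med=None)

if __name__ == "__main__":
    print("default          :", best_path([MANAGED, CLASSIC]).neighbor)        # 169.254.0.5
    print("missing-as-worst :", best_path([MANAGED, CLASSIC], True).neighbor)  # 169.254.0.1
```

With the default policy the peer that sent no MED wins outright, so a mixed Classic/Managed setup steers traffic toward the peer whose advertisement carries the least information; `show ip bgp vpnv4 vrf <name> <prefix>` shows the MED each path carries, which is the first thing to check when two tunnels to the same AS are chosen unexpectedly.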
