
AWS Transit VPC: tunnels only created on one CSR

b-hayes
Level 1

I've deployed the Transit VPC CloudFormation template successfully, and I've built tunnels from each CSR back to my datacenter successfully. When I tag a VGW with 'transitvpc:spoke' value 'true', I see two AWS VPN connections get created against that VGW. I also see two tunnel interfaces get created on CSR 2, and configuration gets added to BGP. Those added tunnel interfaces go to up/up, and the AWS VPNs show up. However, I never establish BGP sessions across, and never get any routes in either direction. Additionally, CSR 1 never gets any configuration applied.

I've deleted and re-provisioned the stack several times and always get the same result. I've even skipped creating the VPN back to my datacenter and just tried the spoke VPC automation immediately after stack deployment, and I get the same result. I've deployed from the CF template in the AWS Marketplace, the template from GitHub and the template from the Cisco blog post about Transit VPC. All yield the same result. I'm deploying a BYOL stack, and the first thing I do after deploying is generate/install an eval license.

I've been tinkering with this for going on 5 days now, and I'm about ready to write it off and move on to another product. Any ideas what might be going on?

CSR 1 config sample:
interface Tunnel1
description tunnel to Datacenter
ip address 172.18.0.105 255.255.255.252
ip tcp adjust-mss 1387
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination <IP OF DATACENTER>
tunnel protection ipsec profile Datacenter
ip virtual-reassembly
!
interface Tunnel100
description dummy tunnel interface to buffer AWS tunnels
no ip address
!
interface GigabitEthernet1
ip address dhcp
negotiation auto
!
router bgp 65172
bgp log-neighbor-changes
network 172.22.254.0 mask 255.255.255.240
neighbor 172.18.0.102 remote-as 65172
neighbor 172.18.0.106 remote-as 65172

CSR 2 config sample (note tunnels 101 and 102, plus the added BGP configuration):
interface Tunnel1
description tunnel to Datacenter
ip address 172.18.0.109 255.255.255.252
ip tcp adjust-mss 1387
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination <IP OF DATACENTER>
tunnel protection ipsec profile Datacenter
ip virtual-reassembly
!
interface Tunnel100
description dummy tunnel interface to buffer AWS tunnels
no ip address
!
interface Tunnel101
ip vrf forwarding vpn-ed7a6b8c
ip address 169.254.47.18 255.255.255.252
ip tcp adjust-mss 1387
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination <Tunnel 1 IP>
tunnel protection ipsec profile ipsec-vpn-aws
ip virtual-reassembly
!
interface Tunnel102
ip vrf forwarding vpn-ed7a6b8c
ip address 169.254.45.174 255.255.255.252
ip tcp adjust-mss 1387
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination <Tunnel 2 IP>
tunnel protection ipsec profile ipsec-vpn-aws
ip virtual-reassembly
!
interface GigabitEthernet1
ip address dhcp
negotiation auto
!
router bgp 65172
bgp log-neighbor-changes
network 172.22.254.16 mask 255.255.255.240
neighbor 172.18.0.101 remote-as 65172
neighbor 172.18.0.110 remote-as 65030
!
address-family ipv4 vrf <VPN VRF ID>
neighbor 169.254.45.173 remote-as 7224
neighbor 169.254.45.173 timers 10 30 30
neighbor 169.254.45.173 activate
neighbor 169.254.45.173 as-override
neighbor 169.254.45.173 soft-reconfiguration inbound
neighbor 169.254.47.17 remote-as 7224
neighbor 169.254.47.17 timers 10 30 30
neighbor 169.254.47.17 activate
neighbor 169.254.47.17 as-override
neighbor 169.254.47.17 soft-reconfiguration inbound
exit-address-family
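
The spoke configuration the poller pushed to CSR 2 follows a fixed pattern: each AWS tunnel sits in a per-VPN VRF on a 169.254.x.x/30 link-local subnet, and the other host on that /30 must appear as an activated BGP neighbour (AWS side AS 7224, with as-override because the VGW presents the same ASN on every spoke) in that VRF's address-family. The check below is an added example, not part of this thread or of the Cisco/AWS Transit VPC solution; it verifies that pattern against a running-config and flags a CSR that received no spoke configuration at all. The two configs embedded in it are constructed to mirror the posted CSR 2 snippet (with the VRF name assumed to be vpn-ed7a6b8c in the address-family, which the post elides) and a CSR 1 that only has its datacenter tunnel.

```python
"""Consistency check for the BGP/tunnel config the Transit VPC poller pushes
to a CSR 1000v. Added example with constructed configs; the VRF name used in
the address-family is assumed, and AWS's ASN (7224) is the documented default."""
import ipaddress
import re

CSR2_CONFIG = """\
interface Tunnel101
 ip vrf forwarding vpn-ed7a6b8c
 ip address 169.254.47.18 255.255.255.252
 tunnel protection ipsec profile ipsec-vpn-aws
!
interface Tunnel102
 ip vrf forwarding vpn-ed7a6b8c
 ip address 169.254.45.174 255.255.255.252
 tunnel protection ipsec profile ipsec-vpn-aws
!
router bgp 65172
 neighbor 172.18.0.110 remote-as 65030
 !
 address-family ipv4 vrf vpn-ed7a6b8c
  neighbor 169.254.45.173 remote-as 7224
  neighbor 169.254.45.173 activate
  neighbor 169.254.45.173 as-override
  neighbor 169.254.47.17 remote-as 7224
  neighbor 169.254.47.17 activate
  neighbor 169.254.47.17 as-override
 exit-address-family
"""

# CSR 1 as described in the post: datacenter tunnel only, nothing pushed.
CSR1_CONFIG = """\
interface Tunnel1
 ip address 172.18.0.105 255.255.255.252
!
router bgp 65172
 neighbor 172.18.0.106 remote-as 65172
"""


def parse_spoke_tunnels(config: str) -> dict:
    """Tunnel interfaces placed in a VRF: {name: {"vrf", "addr", "mask"}}."""
    tunnels = {}
    for block in re.split(r"^\s*!\s*$", config, flags=re.M):
        name = re.search(r"^\s*interface (Tunnel\d+)", block, re.M)
        vrf = re.search(r"^\s*ip vrf forwarding (\S+)", block, re.M)
        addr = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
        if name and vrf and addr:
            tunnels[name.group(1)] = {"vrf": vrf.group(1), "addr": addr.group(1), "mask": addr.group(2)}
    return tunnels


def parse_vrf_neighbors(config: str) -> dict:
    """{vrf: {peer_ip: {"remote_as", "activated", "as_override"}}} from BGP VRF address-families."""
    neighbors, cur = {}, None
    for line in config.splitlines():
        s = line.strip()
        af = re.match(r"address-family ipv4 vrf (\S+)", s)
        if af:
            cur = af.group(1)
            neighbors.setdefault(cur, {})
        elif s == "exit-address-family":
            cur = None
        elif cur and s.startswith("neighbor "):
            _, ip, rest = s.split(" ", 2)
            n = neighbors[cur].setdefault(ip, {"remote_as": None, "activated": False, "as_override": False})
            if rest.startswith("remote-as "):
                n["remote_as"] = int(rest.split()[1])
            elif rest == "activate":
                n["activated"] = True
            elif rest == "as-override":
                n["as_override"] = True
    return neighbors


def expected_peer(addr: str, mask: str) -> str:
    """On a /30 the AWS endpoint is the other usable host address."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    hosts = list(iface.network.hosts())
    if len(hosts) != 2:
        raise ValueError(f"{addr}/{mask} is not a /30 point-to-point link")
    return str(hosts[0] if hosts[1] == iface.ip else hosts[1])


def check_csr(config: str, aws_asn: int = 7224) -> list:
    """Findings for one CSR; an empty list means the pushed config is consistent."""
    tunnels = parse_spoke_tunnels(config)
    if not tunnels:
        return ["no AWS spoke tunnel interfaces: the poller never pushed config to this CSR"]
    neighbors, findings = parse_vrf_neighbors(config), []
    for name, t in sorted(tunnels.items()):
        peer = expected_peer(t["addr"], t["mask"])
        n = neighbors.get(t["vrf"], {}).get(peer)
        if n is None:
            findings.append(f"{name}: BGP neighbor {peer} missing from address-family ipv4 vrf {t['vrf']}")
            continue
        if n["remote_as"] != aws_asn:
            findings.append(f"{name}: neighbor {peer} remote-as {n['remote_as']}, expected {aws_asn}")
        if not n["activated"]:
            findings.append(f"{name}: neighbor {peer} is not activated")
        if not n["as_override"]:
            findings.append(f"{name}: neighbor {peer} lacks as-override (VGW uses the same ASN on every spoke)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("CSR1", CSR1_CONFIG), ("CSR2", CSR2_CONFIG)):
        print(label, check_csr(cfg) or "consistent")
```

Run it against `show running-config` from each CSR: a clean result on CSR 2 with no BGP session means the config is right and the problem is on the wire or the AWS side (tunnel state, VGW route propagation), while the "never pushed" finding on CSR 1 points at the poller's SSH step for that instance rather than at IOS.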

2 Replies

b-hayes
Level 1

Snippet from Lambda run logs for CSR1:

What's the result of "show bgp all"? You have to enable "route propagation" on the VGW to let the VGW advertise routes to the spoke VPC's route table.
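
Route propagation is a per-route-table setting, so it is worth checking every table in the spoke VPC rather than eyeballing one. The script below is an added example, not from this thread; it reads `aws ec2 describe-route-tables` output, reports which tables propagate from the VGW and which routes have actually been learned from it (those carry `Origin: EnableVgwRoutePropagation`), and emits the CLI command to enable propagation where it is off. The JSON is constructed with hypothetical resource IDs and CIDRs.

```python
"""Audit VGW route propagation in a spoke VPC from describe-route-tables output.
Added example; the JSON below is constructed with hypothetical IDs."""
import json

VGW_ID = "vgw-0123abcd"  # hypothetical

# Constructed `aws ec2 describe-route-tables --filters Name=vpc-id,Values=vpc-0spoke` output:
# first table propagates and has learned a route, second table has propagation off.
SAMPLE_OUTPUT = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-0a1b2c3d", "VpcId": "vpc-0spoke",
     "PropagatingVgws": [{"GatewayId": VGW_ID}],
     "Routes": [
         {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"},
         {"DestinationCidrBlock": "172.22.254.0/24", "GatewayId": VGW_ID,
          "Origin": "EnableVgwRoutePropagation", "State": "active"}]},
    {"RouteTableId": "rtb-0e5f6a7b", "VpcId": "vpc-0spoke",
     "PropagatingVgws": [],
     "Routes": [
         {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"}]},
]})


def audit_propagation(describe_output: str, vgw_id: str) -> dict:
    """{rtb_id: {"propagation": bool, "learned": [cidr, ...]}} for each route table."""
    result = {}
    for rtb in json.loads(describe_output)["RouteTables"]:
        enabled = any(p["GatewayId"] == vgw_id for p in rtb.get("PropagatingVgws", []))
        learned = [r["DestinationCidrBlock"] for r in rtb.get("Routes", [])
                   if r.get("Origin") == "EnableVgwRoutePropagation" and r.get("GatewayId") == vgw_id]
        result[rtb["RouteTableId"]] = {"propagation": enabled, "learned": learned}
    return result


def diagnose(audit: dict) -> dict:
    """One-line verdict per table: propagation off, BGP not delivering, or healthy."""
    verdicts = {}
    for rtb, v in audit.items():
        if not v["propagation"]:
            verdicts[rtb] = "propagation disabled: VGW routes will never appear here"
        elif not v["learned"]:
            verdicts[rtb] = "propagation on but no routes learned: BGP to the CSRs is not up"
        else:
            verdicts[rtb] = f"ok, {len(v['learned'])} route(s) learned from VGW"
    return verdicts


def remediation_commands(audit: dict, vgw_id: str) -> list:
    """AWS CLI commands that switch propagation on where the audit found it off."""
    return [f"aws ec2 enable-vgw-route-propagation --route-table-id {rtb} --gateway-id {vgw_id}"
            for rtb, v in audit.items() if not v["propagation"]]


if __name__ == "__main__":
    audit = audit_propagation(SAMPLE_OUTPUT, VGW_ID)
    for rtb, verdict in diagnose(audit).items():
        print(rtb, verdict)
    for cmd in remediation_commands(audit, VGW_ID):
        print(cmd)
```

In the symptom described in the original post (tunnels up/up, BGP never established) the verdict would be "propagation on but no routes learned" even with propagation correctly enabled, which separates the VPC route-table setting from the BGP problem itself.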