1728 Views | 0 Helpful | 17 Replies

Failed to reach remote network when I changed to Direct Connect LAG

wchan1 (Level 1)

I have 3 Direct Connect links. 2 of them are bound into a port-channel to form a LAG with AWS. The remaining 1 has an L2TP tunnel on it and is working fine. The problem is, when I changed to the LAG, I fail to reach x.x.x.x:50001 (the IP is pingable but TCP fails). I don't know whether the issue is BGP or L2TP or something else. I took a Wireshark capture; it seems I can't get a SYN reply from the remote network. Appreciate your help in advance.

17 Replies

Hello,

So you can reach x.x.x.x:50001 through the L2TP tunnel? Can you reach anything else when switching to the LAG, that is, is it only that specific port the LAG is not reaching? It would also be interesting to know whether any other of the dynamic/private ports (49152 through 65535) are blocked. If so, that could be an (AWS) security setting...
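A quick way to answer the question just asked (only that port, or the whole dynamic range?) and to pin down the original symptom (ping works, no SYN reply) is a connect() probe that separates a timeout from a refusal. This is an added example, not code from the thread or from either participant: the loopback listener and the unused-port helper are constructed stand-ins so it runs offline; against the real target you would call classify_ports("x.x.x.x", [50001, ...]) with the actual address.

```python
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP connect() attempt the way a packet capture would.

    'open'        SYN/ACK came back and the handshake completed.
    'refused'     the host answered with RST: the path works both ways, nothing listens.
    'filtered'    no SYN/ACK and no RST before the timeout: the SYN or its reply is being
                  dropped on the path (security group, ACL, NAT, asymmetric return route).
                  This is the symptom in the thread: ICMP echo succeeds, TCP gets no reply.
    'unreachable' the local stack has no route at all (ENETUNREACH / EHOSTUNREACH).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def classify_ports(host, ports, timeout=3.0):
    """Probe several ports on one host; a run of 'filtered' across the dynamic
    range while other ports come back 'open' or 'refused' points at a port-based
    filter rather than a broken path."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


# --- constructed stand-ins so the example runs offline -----------------------
def start_local_listener():
    """Loopback listener standing in for the remote service (x.x.x.x:50001 in the
    thread). Returns (port, stop); calling stop() shuts the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop event
    stop_evt = threading.Event()

    def serve():
        while not stop_evt.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()  # handshake completed; that is all the probe needs
        srv.close()

    port = srv.getsockname()[1]
    threading.Thread(target=serve, daemon=True).start()
    return port, stop_evt.set


def unused_port():
    """A loopback port nothing listens on, so connect() gets RST ('refused')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_local_listener()
    try:
        print(classify_ports("127.0.0.1", [port, unused_port()], timeout=1.0))
    finally:
        stop()
```

A result of "filtered" on 50001 while the same host answers ping is exactly the capture described in the opening post (SYN out, nothing back): something between the router and the service drops the SYN or the SYN/ACK, which is a different fault from "refused", where an RST proves routing and NAT work in both directions and only the service is absent. Probing a sample of ports across 49152-65535 tells a port-based filter apart from a path that carries no TCP at all.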

 

Thanks for your reply. I don't think it is a security setting, because 50001 can go through L2TP when I use the existing link but fails when I change to the other 2 links with the Direct Connect LAG (however, the IP is pingable). Can I set up L2TP on top of a Layer 2 LAG?

Hello,

You don't have any MACsec configured on the LAG by any chance? Can you post a screenshot of the 'View Details' of the LAG?

 

No, not on my side; not sure about the remote side, as I don't manage that.

Hello,

Do you have a diagram of the entire topology (your side and the remote side)?

This is the brief architecture. On the other hand, my colleague said I can check the NAT. Did I set the NAT properly?

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
! Outside interface (faces Direct Connect / the remote side); a.a.a.a is also
! the inside-global address used by the static NAT entry below
interface GigabitEthernet1/0/2
 .......
 ip address a.a.a.a 255.255.255.0
 ip nat outside
 ......
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
! Static one-to-one NAT: inside host b.b.b.b appears as a.a.a.a, but only for
! packets that route-map nat-to-ocg-v2 accepts
ip nat inside source static b.b.b.b a.a.a.a route-map nat-to-ocg-v2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
! Traffic selector for the route-map: source b.b.b.b /24 to the three
! destination /24s (wildcard 0.0.0.255 = /24)
ip access-list extended 100
 10 permit ip b.b.b.b 0.0.0.255 d.d.d.d 0.0.0.255
 20 permit ip b.b.b.b 0.0.0.255 c.c.c.c 0.0.0.255
 30 permit ip b.b.b.b 0.0.0.255 a.a.a.a 0.0.0.255
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
! Route-map referenced by the static NAT entry: translate what ACL 100 permits
route-map nat-to-ocg-v2 permit 30
 match ip address 100
 set ip next-hop a.a.a.a
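The stanzas above can be checked mechanically for the dependencies that have to line up before the translation fires: an interface marked nat outside, a route-map that exists, an ACL that exists and actually permits b.b.b.b as source. The following is an added example, not the poster's configuration or any Cisco tool: the sample config is constructed from the posted stanzas with documentation-range addresses standing in for the masked placeholders (203.0.113.2 for a.a.a.a, 192.0.2.10 for b.b.b.b, 198.51.100.0/24 for the remote prefix), and the "set" finding rests on the assumption that IOS consults only the match clauses of a route-map attached to a NAT statement.

```python
import ipaddress
import re

# Constructed sample, not the poster's real config: the posted stanzas with the masked
# placeholders replaced by documentation addresses (203.0.113.2 for a.a.a.a, 192.0.2.10 for b.b.b.b).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
ip nat inside source static 192.0.2.10 203.0.113.2 route-map nat-to-ocg-v2
!
ip access-list extended 100
 10 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 30 permit ip 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255
!
route-map nat-to-ocg-v2 permit 30
 match ip address 100
 set ip next-hop 203.0.113.1
"""

def wildcard_net(addr, wildcard):
    """IOS 'address wildcard' pair -> network (wildcard 0.0.0.255 is a /24)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # only contiguous wildcards map to a prefix length
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, 32 - w.bit_length()), strict=False)

def parse_config(text):
    """Extract interfaces, static NAT entries, extended ACLs and route-maps from an IOS excerpt."""
    cfg = {"interfaces": {}, "static_nat": [], "acls": {}, "route_maps": {}}
    block = None  # (kind, object) of the stanza whose one-space-indented sub-commands follow
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if not parts or raw.startswith("!"):
            block = None
            continue
        if not raw.startswith(" "):  # top-level command: opens a stanza or stands alone
            block = None
            if parts[0] == "interface":
                block = ("interface", cfg["interfaces"].setdefault(parts[1], {"ip": None, "nat": None}))
            elif line.startswith("ip access-list extended "):
                block = ("acl", cfg["acls"].setdefault(parts[-1], []))
            elif parts[0] == "route-map":  # 'route-map NAME permit|deny SEQ'
                entry = {"action": parts[2], "seq": int(parts[3]), "match_acl": None, "set": []}
                cfg["route_maps"].setdefault(parts[1], []).append(entry)
                block = ("route-map", entry)
            else:
                m = re.match(r"ip nat inside source static (\S+) (\S+)(?: route-map (\S+))?$", line)
                if m:
                    cfg["static_nat"].append({"local": m[1], "global": m[2], "route_map": m[3]})
            continue
        if block is None:
            continue
        kind, obj = block
        if kind == "interface":
            if line.startswith("ip address "):
                obj["ip"] = ipaddress.ip_interface("/".join(parts[2:4]))
            elif line in ("ip nat inside", "ip nat outside"):
                obj["nat"] = parts[-1]
        elif kind == "acl":
            m = re.match(r"(?:\d+ )?(permit|deny) ip (\S+) (\S+) (\S+) (\S+)$", line)
            if m:
                obj.append({"action": m[1], "src": wildcard_net(m[2], m[3]), "dst": wildcard_net(m[4], m[5])})
        elif kind == "route-map":
            if line.startswith("match ip address "):
                obj["match_acl"] = parts[-1]
            elif parts[0] == "set":
                obj["set"].append(line)
    return cfg

def check_static_nat(cfg):
    """Cross-check each static NAT entry against the outside interface, route-map and ACL it needs."""
    out, ifs = [], cfg["interfaces"]
    outside = [n for n, i in ifs.items() if i["nat"] == "outside"]
    if not outside:
        out.append(("error", "no interface carries 'ip nat outside'; the translation is never applied"))
    for ent in cfg["static_nat"]:
        local, glob = ipaddress.ip_address(ent["local"]), ipaddress.ip_address(ent["global"])
        owner = [n for n in outside if ifs[n]["ip"] and ifs[n]["ip"].ip == glob]
        if owner:
            out.append(("warn", f"inside-global {glob} is also the address of {owner[0]}; confirm that "
                                "sessions the router itself terminates on it (BGP, L2TP) stay outside the route-map"))
        rm = ent["route_map"]
        if rm and rm not in cfg["route_maps"]:
            out.append(("error", f"route-map {rm} is referenced but not defined"))
        for clause in cfg["route_maps"].get(rm, []):
            acl = clause["match_acl"]
            if acl is None:
                out.append(("error", f"route-map {rm} seq {clause['seq']} has no 'match ip address'"))
            elif acl not in cfg["acls"]:
                out.append(("error", f"ACL {acl} (route-map {rm}) is not defined"))
            elif not any(e["action"] == "permit" and local in e["src"] for e in cfg["acls"][acl]):
                out.append(("error", f"no permit in ACL {acl} has {local} as source; the static entry never matches"))
            for s in clause["set"]:  # assumption: NAT consults a route-map's match clauses only
                out.append(("info", f"route-map {rm} seq {clause['seq']}: '{s}' has no effect on the translation"))
    return out
```

Run check_static_nat(parse_config(SAMPLE_CONFIG)), or feed parse_config() an excerpt of your own show running-config. On the sample it reports no errors, one warning (the inside-global address is the outside interface's own address, so sessions the router terminates there, such as the BGP peering, deserve a look) and one informational note about the set clause.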

Hello,

The NAT configuration looks good actually. You would have more problems if there were a NAT misconfiguration, as it seems to be just this one port. Can you get the configuration of the other side, or at least, can the other side see incoming traffic from that port at all?

I cannot get the config of the remote side. I checked with the remote side; they can see traffic from that port only with the old Direct Connect (it fails when using the LAG). Another thing is, the remote side only accepts packets from my g1/0/2, so I don't know what happens between my Direct Connect and the g1/0/2.

Is it possibly a route redistribution issue, as it contains BGP and static routes?

 

Hello,

Just for clarity: is there ANY traffic at all being received at the remote end when connected through the LAG, or just not traffic from that one specific port?

 

 

Nothing gets to the remote end when connected with the LAG. Thanks

Hello,

That is a completely different problem then, which requires a different approach. Post the full configs of the devices you are in control of.

Hi Georg,

Config here. IPs masked due to confidentiality.

wchan1 (Level 1)

Looking forward to your advice. Thanks
