Re: multiple BGP path issue on AWS direct connect

satish.txt1 · ‎06-22-2018

Screen Shot 2018-06-11 at 9.29.17 PM.png

This is out current setup and everything working great!!! here, now i want backup link for AWS so i have request for one more secondary link and terminated on Cisco ASA on Port-channel1.8interface.

asa/pri/act# sh run int po1.8
!
interface Port-channel1.8
 description ### AWS-DX-2 ###
 vlan 8
 nameif aws_dx_2
 security-level 0
 ip address 169.254.8.1 255.255.255.248 standby 169.254.8.3

asa/pri/act# sh run int po1.9
!
interface Port-channel1.9
 description ### AWS-DX-1 ###
 vlan 9
 nameif aws_dx
 security-level 0
 ip address 169.254.9.1 255.255.255.248 standby 169.254.9.3

This is my BGP config

router bgp 65501
 bgp log-neighbor-changes
 timers bgp 10 30 0
 address-family ipv4 unicast
  neighbor 169.254.8.2 remote-as 7224
  neighbor 169.254.8.2 password *****
  neighbor 169.254.8.2 activate
  neighbor 169.254.9.2 remote-as 7224
  neighbor 169.254.9.2 password *****
  neighbor 169.254.9.2 activate
  network 10.10.0.0 mask 255.255.0.0
  network 10.20.0.0 mask 255.255.0.0
  network 10.30.0.0 mask 255.255.0.0
  distribute-list ACL-BGP-IN in
  no auto-summary
  no synchronization
 exit-address-family
!

So far so good till here in BGP summery

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.8.2     4         7224 76      61            15    0    0 00:10:49  4
169.254.9.2     4         7224 286     225           15    0    0 00:41:45  4

Now problem start here, from my LAN i can't ping AWS any instance.

If i go ahead and shutdown one of link then my LAN hosts can ping AWS instance, I am trying to create redendency here and somehow its not working, Did i miss something here?

As soon as i do following it works..

neighbor 169.254.8.2 shutdown

I heard we shouldn't use 169.254/16 in local-link, do you think that could be the issue here?

Reza Sharifi · ‎06-22-2018

I see 4 prefixes over both BGP connections. I have seen this before with 2 DXs or a DX and a VPN with AWS that cause a loop. Open a ticket with AWS and have them flush their tables. Also, Are the layer-2 switches above the firewall stacked?

HTH

satish.txt1 · ‎07-04-2018

Thanks Raze,

I have found something interesting, AS_PATH prepending not working one "169.254.8.2" peer but it does working on 169.254.9.2 peer, as soon as i put route-map prepending on "169.254.9.2" peer my failover started working..

Do you think AWS not honor prepending on one of peer?

multiple BGP path issue on AWS direct connect

Re: Understanding BGP Best Path Selection & Manipulation

Enhanced BGP Route Advertisement and AS Path Handling by Secure Access

AWS path certifications

BGP Path Selection - Oldest Path Criterion

AWS Tunnel with BGP