Troubleshooting AWS Direct Connect
The following troubleshooting information can help you diagnose and fix issues with your AWS Direct Connect connection.
Contents
Troubleshooting layer 1 (physical) issues
If you or your network provider are having difficulty establishing physical connectivity to an AWS Direct Connect device, use the following steps to troubleshoot the issue.
-
Verify with the colocation provider that the cross connect is complete. Ask them or your network provider to provide you with a cross connect completion notice and compare the ports with those listed on your LOA-CFA.
-
Verify that your router or your provider's router is powered on and that the ports are activated.
-
Ensure that the routers are using the correct optical transceiver. Auto-negotiation for the port must be disabled if you have a connection with a port speed more than 1 Gbps. However, depending on the AWS Direct Connect endpoint serving your connection, auto-negotiation might need to be enabled or disabled for 1 Gbps connections. If auto-negotation needs to be disabled for your connections, port speed and full-duplex mode must be configured manually. If your virtual interface remains down, see Troubleshooting layer 2 (data link) issues.
-
Verify that the router is receiving an acceptable optical signal over the cross connect.
-
Try flipping (also known as rolling) the Tx/Rx fiber strands.
-
Check the Amazon CloudWatch metrics for AWS Direct Connect. You can verify the AWS Direct Connect device's Tx/Rx optical readings (both 1 Gbps and 10 Gbps), physical error count, and operational status. For more information, see Monitoring with Amazon CloudWatch.
-
Contact the colocation provider and request a written report for the Tx/Rx optical signal across the cross connect.
-
If the above steps do not resolve physical connectivity issues, contact AWS Support
and provide the cross connect completion notice and optical signal report from the colocation provider.
The following flow chart contains the steps to diagnose issues with the physical connection.
Troubleshooting layer 2 (data link) issues
If your AWS Direct Connect physical connection is up but your virtual interface is down, use the following steps to troubleshoot the issue.
-
If you cannot ping the Amazon peer IP address, verify that your peer IP address is configured correctly and in the correct VLAN. Ensure that the IP address is configured in the VLAN subinterface and not the physical interface (for example, GigabitEthernet0/0.123 instead of GigabitEthernet0/0).
-
Verify if the router has a MAC address entry from the AWS endpoint in your address resolution protocol (ARP) table.
-
Ensure that any intermediate devices between endpoints have VLAN trunking enabled for your 802.1Q VLAN tag. ARP cannot be established on the AWS side until AWS receives tagged traffic.
-
Clear your or your provider's ARP table cache.
-
If the above steps do not establish ARP or you still cannot ping the Amazon peer IP, contact AWS Support
.
The following flow chart contains the steps to diagnose issues with the data link.
If the BGP session is still not established after verifying these steps, see Troubleshooting layer 3/4 (Network/Transport) issues. If the BGP session is established but you are experiencing routing issues, see Troubleshooting routing issues.
Troubleshooting layer 3/4 (Network/Transport) issues
Consider a situation where your AWS Direct Connect physical connection is up and you can ping the Amazon peer IP address. If your virtual interface is up and the BGP peering session cannot be established, use the following steps to troubleshoot the issue:
-
Ensure that your BGP local Autonomous System Number (ASN) and Amazon's ASN are configured correctly.
-
Ensure that the peer IPs for both sides of the BGP peering session are configured correctly.
-
Ensure that your MD5 authentication key is configured and exactly matches the key in the downloaded router configuration file. Check that there are no extra spaces or characters.
-
Verify that you or your provider are not advertising more than 100 prefixes for private virtual interfaces or 1,000 prefixes for public virtual interfaces. These are hard limits and cannot be exceeded.
-
Ensure that there are no firewall or ACL rules that are blocking TCP port 179 or any high-numbered ephemeral TCP ports. These ports are necessary for BGP to establish a TCP connection between the peers.
-
Check your BGP logs for any errors or warning messages.
-
If the above steps do not establish the BGP peering session, contact AWS Support
.
The following flow chart contains the steps to diagnose issues with the BGP peering session.
If the BGP peering session is established but you are experiencing routing issues, see Troubleshooting routing issues.
Troubleshooting routing issues
Consider a situation where your virtual interface is up and you've established a BGP peering session. If you cannot route traffic over the virtual interface, use the following steps to troubleshoot the issue:
-
Ensure that you are advertising a route for your on-premises network prefix over the BGP session. For a private virtual interface, this can be a private or public network prefix. For a public virtual interface, this must be your publicly routable network prefix.
-
For a private virtual interface, ensure that your VPC security groups and network ACLs allow inbound and outbound traffic for your on-premises network prefix. For more information, see Security Groups and Network ACLs in the Amazon VPC User Guide.
-
For a private virtual interface, ensure that your VPC route tables have prefixes pointing to the virtual private gateway to which your private virtual interface is connected. For example, if you prefer to have all your traffic routed towards your on-premises network by default, you can add the default route (0.0.0.0/0 or ::/0) with the virtual private gateway as the target in your VPC route tables.
-
Alternatively, enable route propagation to automatically update routes in your route tables based on your dynamic BGP route advertisement. You can have up to 100 propagated routes per route table. This limit cannot be increased. For more information, see Enabling and Disabling Route Propagation in the Amazon VPC User Guide.
-
-
If the above steps do not resolve your routing issues, contact AWS Support
.
The following flow chart contains the steps to diagnose routing issues.