
Troubleshoot BGP TTL security (GTSM) issues - AWS Direct Connect

If your BGP session with Direct Connect fails to establish, BGP TTL security on your router might be the cause. Direct Connect uses single-hop external BGP (eBGP) on virtual interfaces and sends BGP packets with an IP Time-to-Live (TTL) value of 1. Some routers support BGP TTL security, also known as the Generalized TTL Security Mechanism (GTSM); for more information, see RFC 5082 on the Internet Engineering Task Force (IETF) website. GTSM works by having each peer send BGP packets with a TTL of 255 and reject any incoming BGP packet whose TTL is lower than 255 minus the configured hop count, so that a packet injected from beyond the link cannot pass the check. When this feature is enabled (for example, with the neighbor ttl-security hops command), your router therefore expects incoming BGP packets to arrive with a high TTL value. Because AWS sends its BGP packets with a TTL of 1 rather than 255, your router discards them.

BGP session remains in the Active or OpenSent state

Symptoms: The BGP session does not establish and remains in the Active or OpenSent state. This occurs even though a packet capture on your device shows the AWS BGP packets arriving on the interface.

Cause: BGP TTL security is configured on the BGP neighbor facing Direct Connect, causing your router to discard the BGP packets that AWS sends with a TTL of 1.

Resolution:

  1. Remove the TTL security (GTSM) configuration from the BGP neighbor facing Direct Connect.

  2. Verify that the BGP session state transitions to Established.

Direct Connect uses single-hop eBGP and does not support multihop eBGP on virtual interfaces by default. GTSM exists to ensure that BGP packets come only from a directly adjacent peer; on a Direct Connect virtual interface the session is already single-hop on the directly attached link, so that protection is inherent in the peering and removing the GTSM configuration does not weaken it.
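To make the drop decision in the cause and resolution above concrete, the following is an added Python example; it is not code from this AWS page or from any AWS tool. It applies the GTSM receive check of RFC 5082 (accept only if TTL is at least 255 minus the configured hop count) to a constructed tcpdump -v style capture of the BGP packets AWS sends on a virtual interface, and compares the outcome with the hop count configured (GTSM enabled) and with the configuration removed (GTSM disabled). The peer addresses, the capture lines, and the function names are assumptions made for illustration.

```python
"""Model the GTSM (RFC 5082) receive check that discards Direct Connect BGP packets."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders for the two ends of the virtual interface peering
# (not real AWS addresses).
AWS_PEER = "169.254.255.1"
CUSTOMER_PEER = "169.254.255.2"

# Constructed tcpdump -v style lines as they might appear on the customer router's
# Direct Connect-facing interface. The AWS side sends TCP/179 with ttl 1; the
# customer side sends with ttl 255; the ICMP line is noise that must be ignored.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP (tos 0xc0, ttl 1, id 4101, offset 0, flags [DF], proto TCP (6), length 60) 169.254.255.1.179 > 169.254.255.2.41522: Flags [S.], seq 1, ack 1, win 16384, length 0
10:00:01.000300 IP (tos 0xc0, ttl 1, id 4102, offset 0, flags [DF], proto TCP (6), length 52) 169.254.255.1.179 > 169.254.255.2.41522: Flags [.], ack 1, win 16384, length 0
10:00:02.000000 IP (tos 0xc0, ttl 255, id 77, offset 0, flags [DF], proto TCP (6), length 60) 169.254.255.2.41522 > 169.254.255.1.179: Flags [S], seq 0, win 29200, length 0
10:00:03.500000 IP (tos 0x0, ttl 64, id 900, offset 0, flags [DF], proto ICMP (1), length 84) 169.254.255.2 > 169.254.255.1: ICMP echo request, id 1, seq 1, length 64
"""

# Matches the ttl field and the src/dst address.port pair of a TCP packet line.
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*?proto TCP.*?\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class BgpPacket:
    src: str
    dst: str
    ttl: int


def parse_bgp_packets(capture: str) -> list[BgpPacket]:
    """Extract TCP/179 packets (either direction) and their IP TTL from tcpdump -v text."""
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP line (e.g. ICMP)
        if m["sport"] != "179" and m["dport"] != "179":
            continue  # TCP, but not BGP
        packets.append(BgpPacket(m["src"], m["dst"], int(m["ttl"])))
    return packets


def gtsm_min_ttl(hops: int) -> int:
    """RFC 5082 receiver rule: accept only TTL >= 255 - hops (hops=1 means TTL >= 254)."""
    return 255 - hops


def router_accepts(ttl: int, gtsm_hops: Optional[int]) -> bool:
    """GTSM off: any packet that reached the interface is accepted; GTSM on: apply the floor."""
    if gtsm_hops is None:
        return ttl >= 1
    return ttl >= gtsm_min_ttl(gtsm_hops)


def diagnose(capture: str, aws_peer: str, gtsm_hops: Optional[int]) -> dict:
    """Summarise what the router does with the BGP packets from AWS under a GTSM setting.

    'session_can_establish' reflects only the TTL check modelled here, not other
    reasons a session might fail.
    """
    inbound = [p for p in parse_bgp_packets(capture) if p.src == aws_peer]
    dropped = [p for p in inbound if not router_accepts(p.ttl, gtsm_hops)]
    return {
        "inbound_bgp_packets": len(inbound),
        "observed_ttls": sorted({p.ttl for p in inbound}),
        "gtsm_hops": gtsm_hops,
        "required_min_ttl": gtsm_min_ttl(gtsm_hops) if gtsm_hops is not None else 1,
        "dropped": len(dropped),
        "session_can_establish": bool(inbound) and not dropped,
    }


if __name__ == "__main__":
    # Step 1 of the resolution is the transition from hops=1 (GTSM on) to None (removed).
    for hops in (1, None):
        print(f"ttl-security hops={hops}: {diagnose(SAMPLE_CAPTURE, AWS_PEER, hops)}")
```

With `gtsm_hops=1` the AWS packets (TTL 1, floor 254) are all discarded and the session cannot leave Active or OpenSent; with the setting removed the same packets are accepted. On a Cisco IOS router the removal in step 1 is the `no` form of the command named above (`no neighbor <peer-ip> ttl-security hops <n>`), and `show ip bgp summary` shows whether the neighbor has reached Established for step 2.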

Note

Use this guidance for the BGP session on a Direct Connect virtual interface. BGP peering to a transit gateway over a transit virtual interface uses multihop BGP and is configured differently.

If the BGP session does not establish after you remove the TTL security configuration, contact AWS Support.