Skip to content

Troubleshooting Amazon VPC site-to-site VPN connections

BGP peering doesn't automatically form

Condition

After creating a site-to-site VPN connection between your local network and Amazon VPC, BGP peering doesn't automatically form.

Sophos Firewall shows the following statuses:

  • AWS VPC Tunnel status is active and connected.
  • BGP summary shows neighbor status stuck in active.

AWS VPC console shows the following statuses:

  • AWS site-to-site VPN status is down.
  • AWS site-to-site VPN details show IPsec is up.

Cause

BGP CLI configuration includes no bgp default ipv4-unicast.

BGP CLI configuration includes no bgp default ipv4-unicast

What to do

You must update the BGP configuration and make the new Amazon VPC BGP neighbors active. Do the following:

  1. Sign in to the command line using SSH. You can also access it from admin > Console in the upper-right corner of the web admin console.
  2. Go to 3. Route Configuration > 1. Configure Unicast Routing > 3. Configure BGP.
  3. Enter the following commands:
    1. enable
    2. conf t
  4. Replace <as-number> with the Sophos Firewall Local AS number and enter the command as follows:

    router bgp <as-number>
    

    Tip

    You can find the Sophos Firewall Local AS number under Routing > BGP > Global configuration.

  5. Replace <ip-address> with the IP address of the AWS site-to-site VPN connection and enter the command as follows:

    neighbor <ip-address> activate
    
  6. Enter write to save the configuration.

Here's an example:

Update the BGP configuration