Troubleshooting Amazon VPC site-to-site VPN connections
BGP peering doesn't automatically form
After creating a site-to-site VPN connection between your local network and Amazon VPC, BGP peering doesn't automatically form.
Sophos Firewall shows the following statuses:
- AWS VPC Tunnel status is active and connected.
- BGP summary shows neighbor status stuck in active.
AWS VPC console shows the following statuses:
- AWS site-to-site VPN status is down.
- AWS site-to-site VPN details show IPsec is up.
The BGP CLI configuration includes the following setting:
no bgp default ipv4-unicast
What to do
With no bgp default ipv4-unicast set, neighbors aren't activated for the IPv4 unicast address family automatically, so you must update the BGP configuration and activate the new Amazon VPC BGP neighbors explicitly. Do the following:
- Sign in to the command line using SSH. You can also access it from admin > Console in the upper-right corner of the web admin console.
- Go to 3. Route Configuration > 1. Configure Unicast Routing > 3. Configure BGP.
- Enter the following commands:
  - Replace <as-number> with the Sophos Firewall Local AS number and enter the command as follows:
    router bgp <as-number>
    You can find the Sophos Firewall Local AS number under Routing > BGP > Global configuration.
  - Replace <ip-address> with the BGP neighbor IP address of the AWS site-to-site VPN connection and enter the command as follows:
    neighbor <ip-address> activate
  - Enter write to save the configuration.
Here's an example:
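The script below is an added example and is not from the Sophos documentation. It parses a constructed, Quagga-style show ip bgp summary (the output format is an assumption; the AS numbers and peer addresses are made up), reports the neighbors that are stuck in a non-Established state such as Active, and builds the router bgp / neighbor activate / write commands from the procedure above for exactly those neighbors.

```python
import re

# Constructed sample of a Quagga-style "show ip bgp summary" as seen on the
# Sophos BGP console (format assumed; AS numbers and addresses are made up).
SAMPLE_SUMMARY = """\
BGP router identifier 10.10.0.1, local AS number 65000
RIB entries 3, using 336 bytes of memory
Peers 2, using 9120 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.10.1    4 64512       0       0        0    0    0 never    Active
169.254.10.5    4 64512      12      14        0    0    0 00:05:12        1

Total number of neighbors 2
"""

def local_as(summary):
    """Return the firewall's local AS number from the summary header."""
    m = re.search(r"local AS number (\d+)", summary)
    if not m:
        raise ValueError("local AS number not found in summary")
    return int(m.group(1))

def parse_neighbors(summary):
    """Map each neighbor IP to its session state.

    An established session shows the received-prefix count (a number) in
    the last column; any other value (Active, Idle, Connect, ...) is the
    non-established state reported by BGP.
    """
    neighbors = {}
    for line in summary.splitlines():
        parts = line.split()
        if len(parts) < 10 or not re.match(r"\d+\.\d+\.\d+\.\d+$", parts[0]):
            continue  # skip headers, counters and blank lines
        neighbors[parts[0]] = "Established" if parts[-1].isdigit() else parts[-1]
    return neighbors

def stuck_neighbors(summary):
    """Neighbors whose session is not Established, in table order."""
    return [ip for ip, st in parse_neighbors(summary).items() if st != "Established"]

def activate_commands(summary):
    """Build the fix from the procedure: activate each stuck neighbor, then save."""
    stuck = stuck_neighbors(summary)
    if not stuck:
        return []
    cmds = [f"router bgp {local_as(summary)}"]
    cmds += [f"neighbor {ip} activate" for ip in stuck]
    cmds.append("write")
    return cmds

if __name__ == "__main__":
    print("\n".join(activate_commands(SAMPLE_SUMMARY)))
```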