Azure VPN to AWS connected but no BGP peers established and no data flow

Mark Murray 1 Reputation point
2022-10-26T06:44:39.773+00:00

We are trying to establish an active-active, BGP enabled site-to-site VPN from Azure to AWS.
We manage the Azure side, and a vendor manages the AWS side.
Connection status shows as connected, but no BGP peers are connecting.
Data out = many kB, but data in = 0 kB.
VPN logs show that Azure instance0 connects to AWS tunnel1, but instance1 fails to connect to tunnel1 with error 13805 - Negotiation timed out.
This pattern is repeated many times, but no BGP peers are ever established.
I have reset connections, and reset the VPN many times, but still no success.

Is there some configuration setting that is missing or incorrect?

Configuration details
AWS
tunnel1
OutsideIP = 13.54.x.x
Inside IPv4 = 169.254.21.0/30

tunnel2
OutsideIP = 13.55.y.y
Inside IPv4 = 169.254.22.0/30

Azure
SKU = VpnGw2
Generation2
VPN type = Route based
Active-active mode = Enabled
BGP = Enabled
Custom BGP IP address = 169.254.21.2
Second Custom BGP IP address = 169.254.22.2

Local Network Gateway1
IP address = 13.54.x.x
BGP peer IP address = 169.254.21.1

Local Network Gateway2
IP address = 13.55.y.y
BGP peer IP address = 169.254.22.1

Connection1
IKE Protocol = IKEv2
Primary Custom BGP Address = 169.254.21.2
Secondary Custom BGP Address = 169.254.22.2
IPSec/IKE Policy = Custom
IKE Phase1
Encryption = AES256
Integrity = SHA256
DH Group = DHGroup24
IKE Phase2
IPSec Encryption = AES256
IPSec Integrity = SHA256
PFS Group = PFS24
Connection Mode = Default

Connection2
IKE Protocol = IKEv2
Primary Custom BGP Address = 169.254.21.2
Secondary Custom BGP Address = 169.254.22.2
IPSec/IKE Policy = Custom
IKE Phase1
Encryption = AES256
Integrity = SHA256
DH Group = DHGroup24
IKE Phase2
IPSec Encryption = AES256
IPSec Integrity = SHA256
PFS Group = PFS24
Connection Mode = Default

Any suggestions would be appreciated.

Thanks
Mark

Azure VPN Gateway

2 answers

  1. GitaraniSharma-MSFT 47,696 Reputation points Microsoft Employee
    2022-10-26T12:15:06.073+00:00

    Hello @Mark Murray ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are trying to establish an active-active, BGP enabled site-to-site VPN connection from Azure to AWS and the connection status shows as connected, but no BGP peers are connecting.

    We have a document which walks through the setup of a BGP-enabled connection between Azure and Amazon Web Services (AWS). Please refer to the doc below for more information on the configuration:
    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp

    Per the document,

    • A site-to-site connection on AWS has two tunnels, each with their own outside IP address and inside IPv4 CIDR (used for BGP APIPA). An active-passive VPN gateway only supports one custom BGP APIPA. You'll need to enable active-active on your Azure VPN gateway to connect to multiple AWS tunnels.
    • On the AWS side, you'll create a customer gateway and site-to-site connection for each of the two Azure VPN gateway instances (total of four outgoing tunnels). In Azure, you'll need to create four local network gateways and four connections to receive these four AWS tunnels.

    Hence, I would request you to go through the above tutorial and re-configure your setup to match the requirements.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
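The layout rule in the answer above (an active-active Azure gateway needs one AWS site-to-site connection, i.e. two tunnels, per gateway instance, hence four local network gateways and four connections) can be checked mechanically before touching the portal. The checker below is an added example, not code from the thread or from Microsoft; it assumes that in each AWS inside /30 the first usable address is the AWS side and the second is Azure's APIPA address, as the question's configuration shows, and the sample data mirrors the question with documentation addresses standing in for the masked 13.54.x.x / 13.55.y.y public IPs.

```python
from ipaddress import IPv4Address, IPv4Network

def check_layout(active_active, aws_tunnels, local_gateways, azure_bgp_ips):
    """Return a list of findings; an empty list means the layout is consistent.

    aws_tunnels    : name -> (outside_ip, inside_cidr) as shown on the AWS side
    local_gateways : name -> (gateway_ip, bgp_peer_ip) as configured in Azure
    azure_bgp_ips  : custom BGP (APIPA) addresses set on the Azure gateway
    """
    findings = []
    instances = 2 if active_active else 1
    need = 2 * instances  # one AWS site-to-site connection (2 tunnels) per instance
    if len(aws_tunnels) != need:
        findings.append(f"active-active={active_active} needs {need} AWS tunnels, found {len(aws_tunnels)}")
    if len(local_gateways) != need:
        findings.append(f"expected {need} local network gateways, found {len(local_gateways)}")
    # Assumption: in each /30, hosts[0] is the AWS peer and hosts[1] is Azure's APIPA.
    aws_side, azure_side = {}, set()
    for name, (outside, cidr) in aws_tunnels.items():
        net = IPv4Network(cidr)
        hosts = list(net.hosts())
        if net.prefixlen != 30 or len(hosts) != 2:
            findings.append(f"{name}: inside CIDR {cidr} is not a /30")
            continue
        aws_side[outside] = hosts[0]
        azure_side.add(hosts[1])
    for name, (gw_ip, peer_ip) in local_gateways.items():
        expected = aws_side.get(gw_ip)
        if expected is None:
            findings.append(f"{name}: gateway IP {gw_ip} matches no AWS tunnel outside IP")
        elif IPv4Address(peer_ip) != expected:
            findings.append(f"{name}: BGP peer {peer_ip} should be {expected}")
    for ip in azure_bgp_ips:
        if IPv4Address(ip) not in azure_side:
            findings.append(f"Azure custom BGP IP {ip} is not the Azure-side address of any tunnel")
    return findings

# Constructed sample mirroring the question (192.0.2.x replaces the masked public IPs).
AWS_TUNNELS = {"tunnel1": ("192.0.2.1", "169.254.21.0/30"),
               "tunnel2": ("192.0.2.2", "169.254.22.0/30")}
LOCAL_GATEWAYS = {"LNG1": ("192.0.2.1", "169.254.21.1"),
                  "LNG2": ("192.0.2.2", "169.254.22.1")}
AZURE_BGP_IPS = ["169.254.21.2", "169.254.22.2"]

if __name__ == "__main__":
    for f in check_layout(True, AWS_TUNNELS, LOCAL_GATEWAYS, AZURE_BGP_IPS):
        print("active-active:", f)   # reports the two-tunnel / two-LNG shortfall
    print("single instance:", check_layout(False, AWS_TUNNELS, LOCAL_GATEWAYS, AZURE_BGP_IPS))
```

With the question's two tunnels the active-active check reports the missing tunnels and local network gateways, while the same data passes for a single-instance gateway, which matches the two options the thread ends up with.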


  2. Mark Murray 1 Reputation point
    2022-11-02T22:52:14.563+00:00

    Hi,

    This has been solved.

    This article describes a configuration that suits our requirements.
    https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

    The key features of the final solution are:
    Active-active mode: disabled
    BGP: disabled

    This allows us to connect from Azure with one public IP address to AWS with two tunnels.

    Logs are still verbose, but the connection seems to be established and operates correctly (at least with some test API calls).

    I hope this helps some others to solve similar VPN issues.

    Thanks
    Mark