Can propagate routes into AWS but don't receive updates back

rebelboy1988

Hi All,

Pretty new to pfSense and BGP, but I am looking to utilise this FW to connect an on-premise site to AWS Transit Gateway.

I have managed to setup an IKEV2 VPN (utilising VTI on P2) between Transit Gateway and pfSense and can propagate routes into AWS, however we are not receiving routes back from AWS.

I am pretty sure that this is likely to be related to my FRR Config:

##################### DO NOT EDIT THIS FILE! ######################
###################################################################
# This file was created by an automatic configuration generator.  #
# The contents of this file will be overwritten without warning!  #
###################################################################
!
frr defaults traditional
hostname XXXX
password XXXX
service integrated-vtysh-config
!
ip router-id 10.0.1.18
!
router bgp 64515
 bgp router-id 10.0.1.18
 no bgp network import-check
 no bgp ebgp-requires-policy
 neighbor 169.254.10.9 remote-as 64512
 neighbor 169.254.10.9 update-source 169.254.10.10
 neighbor 169.254.10.13 remote-as 64512
 neighbor 169.254.10.13 update-source 169.254.10.14
 !
 address-family ipv4 unicast
  network 10.0.0.0/16
  neighbor 169.254.10.9 activate
  neighbor 169.254.10.13 activate
  no neighbor 169.254.10.9 send-community
  neighbor 169.254.10.9 route-map allow-any-routemap-1 in
  neighbor 169.254.10.9 route-map allow-any-routemap-1 out
  no neighbor 169.254.10.13 send-community
  neighbor 169.254.10.13 route-map allow-any-routemap-2 in
  neighbor 169.254.10.13 route-map allow-any-routemap-2 out
 exit-address-family
 !
!
route-map allow-any-routemap-1 permit 100
route-map allow-any-routemap-2 permit 101
!
line vty
!
end

BGP Neighbor Summary:

BGP neighbor is 169.254.10.9, remote AS 64512, local AS 64515, external link
  BGP version 4, remote router ID 169.254.10.9, local router ID 10.0.1.18
  BGP state = Established, up for 03:26:56
  Last read 00:00:05, Last write 00:00:04
  Hold time is 30, keepalive interval is 10 seconds
  Neighbor capabilities:
    4 Byte AS: advertised and received
    AddPath:
      IPv4 Unicast: RX advertised IPv4 Unicast
    Route refresh: advertised and received(old & new)
    Address Family IPv4 Unicast: advertised and received
    Hostname Capability: advertised (name: XXXX,domain name: n/a) not received
    Graceful Restart Capability: advertised
  Graceful restart information:
    Local GR Mode: Helper*
    Remote GR Mode: Disable
    R bit: False
    Timers:
      Configured Restart Time(sec): 120
      Received Restart Time(sec): 0
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:               11          1
    Keepalives:          1237       1243
    Route Refresh:          5          0
    Capability:             0          0
    Total:               1254       1245
  Minimum time between advertisement runs is 0 seconds
  Update source is 169.254.10.10

 For address family: IPv4 Unicast
  Update group 8, subgroup 4
  Packet Queue length 0
  Community attribute sent to this neighbor(large)
  Inbound path policy configured
  Outbound path policy configured
  Route map for incoming advertisements is *allow-any-routemap-1
  Route map for outgoing advertisements is *allow-any-routemap-1
  0 accepted prefixes

  Connections established 1; dropped 0
  Last reset 03:27:09,  No AFI/SAFI activated for peer
Local host: 169.254.10.10, Local port: 179
Foreign host: 169.254.10.9, Foreign port: 38055
Nexthop: 169.254.10.10
Nexthop global: fe80::1
Nexthop local: fe80::1
BGP connection: non shared network
BGP Connect Retry Timer in Seconds: 120
Estimated round trip time: 2 ms
Read thread: on  Write thread: on  FD used: 24

BGP neighbor is 169.254.10.13, remote AS 64512, local AS 64515, external link
  BGP version 4, remote router ID 169.254.10.13, local router ID 10.0.1.18
  BGP state = Established, up for 03:26:50
  Last read 00:00:08, Last write 00:00:07
  Hold time is 30, keepalive interval is 10 seconds
  Neighbor capabilities:
    4 Byte AS: advertised and received
    AddPath:
      IPv4 Unicast: RX advertised IPv4 Unicast
    Route refresh: advertised and received(old & new)
    Address Family IPv4 Unicast: advertised and received
    Hostname Capability: advertised (name: XXXX,domain name: n/a) not received
    Graceful Restart Capability: advertised
  Graceful restart information:
    Local GR Mode: Helper*
    Remote GR Mode: Disable
    R bit: False
    Timers:
      Configured Restart Time(sec): 120
      Received Restart Time(sec): 0
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:               11          1
    Keepalives:          1236       1242
    Route Refresh:          6          0
    Capability:             0          0
    Total:               1254       1244
  Minimum time between advertisement runs is 0 seconds
  Update source is 169.254.10.14

 For address family: IPv4 Unicast
  Update group 9, subgroup 3
  Packet Queue length 0
  Community attribute sent to this neighbor(large)
  Inbound path policy configured
  Outbound path policy configured
  Route map for incoming advertisements is *allow-any-routemap-2
  Route map for outgoing advertisements is *allow-any-routemap-2
  0 accepted prefixes

  Connections established 1; dropped 0
  Last reset 03:27:09,  No AFI/SAFI activated for peer
Local host: 169.254.10.14, Local port: 179
Foreign host: 169.254.10.13, Foreign port: 38263
Nexthop: 169.254.10.14
Nexthop global: fe80::1
Nexthop local: fe80::1
BGP connection: non shared network
BGP Connect Retry Timer in Seconds: 120
Estimated round trip time: 3 ms
Read thread: on  Write thread: on  FD used: 25

Can anyone see see what the issue might be?

Thanks in advance! :)

Zawi

@rebelboy1988

seems AWS side does not send routes

michmoor

@rebelboy1988 I would remove the route-map from the neighbor command so you have no filter applied and then see if you are getting routes. If not then the problem is with the AWS peer.