Direct Connect issues can be difficult to diagnose. The ideal approach is to use the OSI model to help isolate the potential issues and the underlying cause.
Layer 1 (physical) issues occur when you are having difficulty establishing physical connectivity to an AWS Direct Connect device. When a Direct Connect circuit is established, a cross-connect must be made between your port and the Direct Connect device. You can ask your colocation provider to validate that the cross-connect is properly established. You can also verify that all devices under your control are powered on and that the fiber-optic cabling is properly connected.
Layer 2 (data link) issues occur when the physical connection is working properly, but the Direct Connect virtual interface (VIF) does not come up. These problems are typically the result of a VLAN misconfiguration, incorrect 802.1Q VLAN tagging, or ARP issues. Direct Connect is technically a Layer 2 offering. If Layer 2 is working properly, you can assume that any Layer 3 or Layer 4 issues are related to other configurations and not to Direct Connect itself.
Layer 3 (network) and Layer 4 (transport) issues are routing related. Make sure that BGP is properly configured with the correct peer IPs and ASNs.
If you are establishing a new IPsec VPN, the first phase is Internet Key Exchange (IKE). If this phase fails, make sure that the customer gateway meets the AWS VPN requirements. IKEv1 and IKEv2 are supported, but other versions are not. Make sure that both ends of the VPN are configured with the correct preshared key.
Phase 2 is IPsec tunnel establishment. You can examine IPsec debug logs to isolate the exact cause of a phase 2 failure. You should verify that no firewalls are blocking Encapsulating Security Payload (ESP, IP protocol 50) or other IPsec traffic. Phase 2 should use the SHA-1 hashing algorithm and AES-128 as the encryption algorithm. If you are using policy-based routing (not BGP), make sure that you have properly identified the networks in both locations.
Phase 1 of VPN establishment is IKE and relies on supported hardware and a correct preshared key. Phase 2 of VPN establishment is the IPsec tunnel and relies on the correct hashing and encryption algorithms.
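As an added illustration of the phase 1 / phase 2 split described above (example code, not from the book or from AWS), the following Python helper scans IKE daemon log lines and reports which VPN phase failed and what the text says to check. The log lines are constructed in a strongSwan-like style, and the notify names (AUTHENTICATION_FAILED, NO_PROPOSAL_CHOSEN, TS_UNACCEPTABLE, INVALID_MAJOR_VERSION) are standard IKEv2 notifications; the exact log wording of a real customer gateway is an assumption.

```python
import re

# Constructed strongSwan-style log lines (an assumption: the exact wording
# varies by customer gateway). They show IKE (Phase 1) succeeding and the
# IPsec CHILD_SA (Phase 2) failing on a proposal mismatch.
SAMPLE_LOG = """\
08[IKE] initiating IKE_SA aws-1[1] to 203.0.113.10
08[IKE] sending IKE_SA_INIT request with IKEv2
09[IKE] authentication of 'cgw.example' (myself) with pre-shared key
09[IKE] IKE_SA aws-1[1] established between 198.51.100.5...203.0.113.10
10[IKE] establishing CHILD_SA aws-1{1}
10[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

def diagnose(log_text):
    """Map IKE/IPsec log lines to the VPN phase that failed and what to check."""
    ike_up = False
    for line in log_text.splitlines():
        if re.search(r"IKE_SA \S+ established", line):
            ike_up = True  # Phase 1 is done; later errors belong to Phase 2
            continue
        if "INVALID_MAJOR_VERSION" in line:
            return {"phase": 1, "cause": "unsupported IKE version",
                    "check": "use IKEv1 or IKEv2; other versions are not supported"}
        if "AUTHENTICATION_FAILED" in line:
            return {"phase": 1, "cause": "pre-shared key mismatch",
                    "check": "same preshared key configured on both ends"}
        if "NO_PROPOSAL_CHOSEN" in line:
            if ike_up:
                return {"phase": 2, "cause": "IPsec proposal mismatch",
                        "check": "Phase 2 offers SHA-1 hashing and AES-128 encryption"}
            return {"phase": 1, "cause": "IKE proposal mismatch",
                    "check": "customer gateway meets the AWS VPN requirements"}
        if "TS_UNACCEPTABLE" in line:
            return {"phase": 2, "cause": "traffic selector mismatch",
                    "check": "networks identified on both sides of a policy-based config"}
        if re.search(r"CHILD_SA \S+ established", line):
            return {"phase": None, "cause": "tunnel established",
                    "check": "if traffic still fails, ensure ESP (IP protocol 50) is not filtered"}
    # Nothing conclusive was logged: report how far the negotiation got.
    if ike_up:
        return {"phase": 2, "cause": "no CHILD_SA result logged",
                "check": "capture IPsec debug output during a tunnel bring-up"}
    return {"phase": 1, "cause": "no IKE_SA result logged",
            "check": "peer reachability and IKE traffic (UDP 500/4500) between gateways"}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```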
Answer this question. The answer follows the question. If you cannot answer the question correctly, consider reading this section again until you can.
1. Physical connectivity for a Direct Connect circuit has been successfully established, but the VIF does not come up. What are some possible causes? (Choose two.)
A. 802.1Q misconfiguration
B. Improper cross-connect
C. VLAN misconfiguration
D. Improper routing configuration
1. Answer: A and C are correct. Layer 2 issues are typically due to some sort of Layer 2 misconfiguration involving VLANs, 802.1Q trunks, or ARP.
If you want more practice on this chapter’s exam objectives before you move on, remember that you can access all of the Cram Quiz questions on the Pearson Test Prep software online. You can also create a custom exam by objective with the Online Practice Test. Note any objective you struggle with and go to that objective’s material in this chapter.