<div dir="ltr">Just to confirm, you can see traffic coming from AWS but not going back? Or is it the other way around? Are you connecting to a VPC or using a public IPs for Internet facing resources like S3? Also, if you're using it for public accessibility over the DxC, are you using your own assigned IPs or are you part of the beta program where AWS assign you a /31 in 54.239.0.0?</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 23, 2015 at 3:49 PM, Andrew Cowan <span dir="ltr"><<a href="mailto:andycowan@gmail.com" target="_blank">andycowan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;font-size:14px;font-family:Calibri,sans-serif"><div><div style="color:rgb(0,0,0)">Hi Chris,</div><div style="color:rgb(0,0,0)"><br></div><div style="color:rgb(0,0,0)">Thanks for your suggestion. I checked the firewall and got the output below, I think this just means the firewall is disabled, so no problem there.</div><div style="color:rgb(0,0,0)"><br></div><div><p style="margin:0px;font-size:10px;font-family:Monaco">> show configuration firewall </p>
<p style="margin:0px;font-size:10px;font-family:Monaco">filter filter-jflow {</p>
<p style="margin:0px;font-size:10px;font-family:Monaco"> term 1 {</p>
<p style="margin:0px;font-size:10px;font-family:Monaco"> then {</p>
<p style="margin:0px;font-size:10px;font-family:Monaco"> sample;</p>
<p style="margin:0px;font-size:10px;font-family:Monaco"> accept;</p>
<p style="margin:0px;font-size:10px;font-family:Monaco"> }</p>
<p style="margin:0px;font-size:10px;font-family:Monaco"> }</p>
<p style="margin:0px;font-size:10px;font-family:Monaco">}</p></div><div style="color:rgb(0,0,0)"><br></div><div><p style="margin:0px;font-size:10px;font-family:Monaco">> show configuration firewall family inet </p>
<p style="margin:0px;font-size:10px;font-family:Monaco;min-height:14px"><br></p>
<p style="margin:0px;font-size:10px;font-family:Monaco">{primary:node0}</p></div><div style="color:rgb(0,0,0)"><br></div><div style="color:rgb(0,0,0)"><br></div><div style="color:rgb(0,0,0)">I did find a problem with the VLANing, the router was sending tagged traffic to a switch with the VLAN on the default. I can now ping the remote router (your suggestion for the routing instance was useful), last thing I’m looking at now is BGP.</div><div style="color:rgb(0,0,0)"><br></div><div style="color:rgb(0,0,0)">Cheers,</div><span class=""><div style="color:rgb(0,0,0)"><br></div><div style="color:rgb(0,0,0)"><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:Cambria"><font face="Helvetica-Light" size="1" color="#08254F" style="background-color:rgb(255,255,255)"><span style="font-size:11px">ANDY COWAN</span></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:Cambria"><font face="Helvetica-Light" size="1" color="#99989D" style="background-color:rgb(255,255,255)"><span style="font-size:11px"><a href="tel:%2B61%20430%20034%20642" value="+61430034642" target="_blank">+61 430 034 642</a> </span></font></p></div></span></div><div style="color:rgb(0,0,0)"><br></div><span style="color:rgb(0,0,0)"><div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt"><span style="font-weight:bold">From: </span> Chris Kawchuk <<a href="mailto:juniperdude@gmail.com" target="_blank">juniperdude@gmail.com</a>><br><span style="font-weight:bold">Date: </span> Friday, 23 January 2015 9:58 am<br><span style="font-weight:bold">To: </span> Andrew Cowan <<a href="mailto:andycowan@gmail.com" target="_blank">andycowan@gmail.com</a>><br><span style="font-weight:bold">Cc: </span> Skeeve Stevens <<a href="mailto:skeeve+ausnog@theispguy.com" target="_blank">skeeve+ausnog@theispguy.com</a>>, "<a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a>" <<a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a>><span class=""><br><span style="font-weight:bold">Subject: </span> Re: [AusNOG] AWS Direct Connect & Juniper<br></span></div><div><div class="h5"><div><br></div><div><div style="word-wrap:break-word"><font face="Calibri"><span style="font-size:15px">Check for a firewall filter on the egress of the interface, or a firewall filter applied to lo0.0 that's denying it/dropping it. (firewall family inet, interface unit x family inet filter input/output <x>, etc..)</span></font><div><font face="Calibri"><span style="font-size:15px"><br></span></font><div><font face="Calibri"><span style="font-size:15px">If the interface is in a VR, you'll need to ping <1.1.1.1> routing-instance <your-VR>; likewise if in a VR, your BGP configuration needs to be in the [routing-instance <vrf> protocols bgp ] stanza.</span></font></div><div><font face="Calibri"><span style="font-size:15px"><br></span></font></div><div><font face="Calibri"><span style="font-size:15px">JunOS "show arp" is always your friend, to see if you can at least L2-ARP for an address on that network. </span></font><span style="font-size:15px;font-family:Calibri">Posting relevant configlets/stanzas may also help.</span></div><div><font face="Calibri"><span style="font-size:15px"><br></span></font></div><div><font face="Calibri"><span style="font-size:15px">- Ck.</span></font></div><div><br><div><div>On 23/01/2015, at 9:24 AM, Andrew Cowan <<a href="mailto:andycowan@gmail.com" target="_blank">andycowan@gmail.com</a>> wrote:</div><br><blockquote type="cite"><div style="font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="background-color:rgb(255,255,255)"><font face="Calibri,sans-serif"><br>Layer 2 is up, we have done some port mirroring and can see the TCP SYN packets coming in on port 179, but the router isn’t sending anything back. It may be routing rather than BGP because we can’t ping either.</font></span></div></blockquote></div><br></div></div></div></div></div></div></span></div>
<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div>