indersharma7
New Member
March 9, 2026
Solved

Routing issue with AWS Direct Connect (MPLS) and Site-to-Site VPN

  • March 9, 2026
  • 2 replies
  • 277 views

Diagram.jpg

Dear expert,

I am seeking your guidance and assistance to fix a routing problem.

Recently we got a Direct Connect (MPLS) link to connect to AWS EC2 from the on-prem data center. It is not configured yet.

Apart from that, a site-to-site IPsec VPN tunnel is also established with AWS and is working fine.

All BGP handling with regard to Direct Connect is taken care of by the ISP.

The issue is:

Outgoing data from the local LAN (port 9) is not going to AWS through port 4 (10.18.152.4/24).

Working:

From port 4, the ISP router gateway 10.18.152.1 is reachable.
From port 4, the AWS EC2 subnet 10.18.144.0/24 is reachable.
From the AWS EC2 subnet, the ISP router GW 10.18.152.1 is reachable.
From port 9, port 4 / 10.18.152.4 is reachable.

Not working:

LAN port 9 to port 4's gateway 10.18.152.1 is not reachable.
AWS EC2 to port 4 (10.18.152.4) is not reachable.

FW policies are:

port 9 to port 4 > all traffic allowed
port 4 to port 9 > all traffic allowed

Static routes are configured in the FW for DX:

10.18.152.0 GW 10.18.152.1
10.18.147.0 GW 10.18.152.1

All interfaces have ping, SSH and HTTPS allowed.

I can see data on the outbound policy, and it is accepted (port 9 to port 4), but there is no reverse traffic.

The reverse traffic from AWS to port 4 (10.18.152.4) is coming through the IPsec VPN instead of Direct Connect.

Could you please advise what mistake I am making?

Thank you for your help.

 

2 replies

Toshi_Esumi
SuperUser
March 9, 2026

First, your diagram does not match your description. In the diagram, port9 is the internet port and the LAN side is port15.
Then, have you set up ECMP w/ BGP on the FGT to have parallel routes for all prefixes advertised from AWS? Do you see all of them duplicated in your routing table (get router info routing-t all), except the two for which you set static routes?
And, are you sure your FGT is really NOT sending packets to port4? Check by sniffing the port or with flow debugging. Based on your description, I would guess the FGT is sending to port4 but AWS is replying through a different path (IPsec).

Toshi

indersharma7
New Member
March 12, 2026

Hi Toshi,

Thanks for your suggestion and for pointing out the solution. Apologies, the network diagram was created in a hurry.

Summary (in my case):

Port 9 > internet port > the IPsec VPNs to AWS are connected through this port.
Port 15 > LAN
Port 4 > recently connected to AWS Direct Connect / MPLS

The issue was: traffic was not going out from Port 15 (LAN) > to Port 4 (MPLS/Direct Connect) > towards AWS.

Two simple firewall policies were created > Port 15 to Port 4 (allow all traffic) and the reverse.

I configured the static routes as given in my first query, but traffic was not getting through via the port 15 interface.

Traffic was reaching AWS only through the port 4 interface, because it is directly connected and its route is being advertised into AWS by the ISP.

After diagnosing, as you pointed out, the route is not being advertised into AWS. This is the reason the networking is not working.

As I am not using BGP on the FortiGate firewall, and without it, I am trying to establish the networking through firewall policy alone.

The AWS side has no route in its table, because a firewall policy, I believe, is not able to advertise a route.

As has been advised, BGP needs to be configured on the on-site firewall, or the ISP needs to advertise the route on our behalf.

The issue is not resolved yet, but the cause has been found. Thanks.

 

ede_pfau
SuperUser
March 12, 2026

I agree with Toshi's remarks. The FGT is a router first, then a firewall. In your case, routing is not set up properly on the AWS side (how should "AWS" guess that there is now a second path to you?).

Your static routes are... mostly correct. For any subnet on a port (physical or VLAN), the FGT will create a route automatically. So the route "10.18.152.0 GW 10.18.152.1" is not needed at all, as the FGT is in this same subnet and doesn't route at all for traffic to 10.18.152.1.

Anyway, without an additional route on the AWS side this will not work. You could set up weights for each path to designate which one is preferable (-> BGP).
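The two diagnoses above (AWS has no route back over Direct Connect, and the connected-subnet static route is redundant) can be made concrete with a small route-lookup model. The following is an added example, not code from the thread or from Fortinet: it builds an on-prem table and two AWS VPC tables, performs longest-prefix-match lookups on each side, and reports whether the forward and return paths of a flow use the same link, which is what a stateful firewall needs in order to see the reply. The addresses come from the thread where it gives them (port4 10.18.152.4/24, ISP gateway 10.18.152.1, EC2 subnet 10.18.144.0/24); the LAN prefix 192.168.15.0/24, the on-prem route for the EC2 subnet being preferred over Direct Connect, and the path labels are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    path: str        # link the route points at: "lan", "dx", "ipsec" or "local"
    gateway: str     # next-hop address, or "connected" for a directly attached subnet
    distance: int    # administrative distance / preference: lower wins on equal prefix length


def route(prefix: str, path: str, gateway: str, distance: int) -> Route:
    return Route(ip_network(prefix), path, gateway, distance)


def lookup(table, dst):
    """Longest-prefix match, ties broken by lowest distance (the order a router applies)."""
    dst = ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance))


def trace(src, dst, onprem_table, aws_table):
    """Path chosen on-prem for dst, and the path AWS chooses to send replies back to src."""
    fwd = lookup(onprem_table, dst)
    ret = lookup(aws_table, src)
    return (fwd.path if fwd else None, ret.path if ret else None)


def is_symmetric(src, dst, onprem_table, aws_table):
    """A stateful firewall only matches the reply to its session if it returns on the same link."""
    fwd, ret = trace(src, dst, onprem_table, aws_table)
    return fwd is not None and fwd == ret


def redundant_statics(table):
    """Static routes that duplicate a connected subnet; the FGT installs those automatically."""
    connected = {r.prefix for r in table if r.gateway == "connected"}
    return sorted(str(r.prefix) for r in table
                  if r.gateway != "connected" and r.prefix in connected)


LAN = "192.168.15.0/24"   # assumed LAN prefix behind port15; the thread does not state one

# On-prem FortiGate table (constructed). Connected routes appear automatically.
ONPREM = [
    route(LAN, "lan", "connected", 0),
    route("10.18.152.0/24", "dx", "connected", 0),        # port4 is 10.18.152.4/24
    route("10.18.152.0/24", "dx", "10.18.152.1", 10),     # static from the post, redundant
    route("10.18.147.0/24", "dx", "10.18.152.1", 10),     # static from the post
    route("10.18.144.0/24", "dx", "10.18.152.1", 10),     # assumed: EC2 subnet preferred via DX
    route("10.18.144.0/24", "ipsec", "tunnel", 15),       # assumed: same subnet also via the VPN
]

# AWS VPC route table before the fix (constructed): the LAN is only known via the VPN,
# because nothing advertises it over Direct Connect.
AWS_BEFORE = [
    route("10.18.144.0/24", "local", "connected", 0),
    route("10.18.152.0/24", "dx", "dxgw", 10),    # DX link subnet, advertised by the ISP
    route(LAN, "ipsec", "vgw", 10),
]

# After the fix: the LAN prefix is also advertised over DX (BGP on the FGT, or the ISP
# advertising on the customer's behalf). The lower number models AWS preferring DX over VPN.
AWS_AFTER = AWS_BEFORE + [route(LAN, "dx", "dxgw", 5)]

if __name__ == "__main__":
    host, ec2 = "192.168.15.10", "10.18.144.20"
    print("LAN -> EC2 before fix:", trace(host, ec2, ONPREM, AWS_BEFORE),
          "symmetric:", is_symmetric(host, ec2, ONPREM, AWS_BEFORE))
    print("LAN -> EC2 after fix: ", trace(host, ec2, ONPREM, AWS_AFTER),
          "symmetric:", is_symmetric(host, ec2, ONPREM, AWS_AFTER))
    print("port4 -> EC2 before fix:", trace("10.18.152.4", ec2, ONPREM, AWS_BEFORE))
    print("redundant statics on the FGT:", redundant_statics(ONPREM))
```

The model reproduces the thread's symptoms: a LAN-sourced flow leaves over Direct Connect but AWS answers over the VPN, while a flow sourced from port4's own address (10.18.152.4) is symmetric, because the ISP already advertises that subnet. Adding the LAN prefix to the AWS side over Direct Connect is the only change that makes the LAN flow symmetric; no firewall policy on the FGT can do that.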