Third-Party Inspection Firewall Issues

The document consists of a conversation regarding network traffic inspection and routing issues between various parties and systems. Participants discuss the configuration of transit gateways, firewalls, and inspection processes, noting that traffic appears to be lost or not returning as expected. They explore potential causes, including firewall settings and routing configurations, while attempting to troubleshoot the network flow.

Uploaded by koshtiyash295

Yeah.

00:37

So this destination PC is any like other third party accountant and they have their own, correct?

00:49

Yes, that's correct.

06:48

Yes, ohh Sudheesh, I'm just confirming.

07:01

Under extension, there are two TLA attachments, right?

07:10

Okay.

07:14

Yeah, inspection.

07:16

Yeah, inspection will be...

07:19

Just a second.

07:21

Yeah, inspection will be seeing 75.

07:27

And when we plot third-party transit it is ending with 0137.

07:37

Now, uh, in this inspection, we will be seeing it will be translated to a round table.

07:47

In this inspection, we will be seeing it translate to a round table.

07:56

Yeah.

08:00

So, there is a default route pointing towards some another clearing. Let me share this on the page.

08:09

So what this one is, this one is the route, the default route was transit gateway clearing
attachment.

08:16

Uh, and this attachment, this attachment is redford, is associated with another transit gateway connecting.

08:25

Let me share with this one.

08:26

CMC ending in CMC.

08:34

Yeah, and as per the architecture which I found on the internal case, so that transit detail should be this one.

08:46

0137.

08:58

So I would not be able to share this screen.

09:06

Yeah, so what you are telling me is...

09:20

Yes, I can see that too.

09:22

This is your...

09:25

This is your project between which one?

09:29

Now just go to that extension.

09:31

Just go to the inspection UPC.

09:34

Inspection UPC attachment.

09:36

Let me share with the inspection.

09:59

Yeah, so...

10:02

See, yeah, so this is internet computing basically.

10:08

But you know right now, wait one second.

10:10

So, you know, all this 252, the destination is 250, 250 is the third party, right?

10:18

Yeah.

10:19

If you look at the diagram, our destination is 252 in 254, these are our third parties.

12:01

So like do you have this or something?

12:46

I sent you a link for you.


13:03

Can you see that?

13:12

It's showing me error.

13:46

Yeah, sure.

13:48

I'll be here.

13:51

I think we might need to switch over.

13:57

Hey, Satish.

14:01

Yeah, so, yeah, do whatever you need.

14:09

Satish, can I also ask, we use this meeting, claims chat, for this purpose because the verifiers can't see that other Teams, umm, chat.

14:21

That's the one that I think they're just pinged on there.

14:24

Maybe it's on this chat, after this chat.

14:26

Yeah, great to know.

14:27

That's really beautiful.

14:29
Thank you.

14:30

Yeah, this should be greatly invited.

14:33

I can let you use this Teams chat as well for me.

14:35

And I hope all parties have the next thoughts.

17:40

Hey, Josh.

17:41

Thank you, Johnny.

17:42

Hello.

17:50

Joshua, can you start sharing his screen for us then, please?

17:54

OK, ready.

18:06

So what do you want to look at first?

18:10

So can you, can we try capturing what is our next floor should be. If everyone was seeing the screen, that's the definition that you see, they will already explore that.

18:26

So yeah.

18:29

Can you search even this.

18:34

I'm already on that, so put it again.

18:47

So which one is that on?

18:50

You can search for 10.240, OK, you already see this traffic, right?

18:52

10 to 4254, we would like to...

18:55

No, no, no. So this is the source.

18:59

You're also...

19:00

OK, OK, this is perfect.

19:04

So you see anything other way around?

19:08

No, that is what.

19:09

I'm not able to see the thing from your...

19:11

Oh, OK.

19:40

So from this 10.2 portage, you are not receiving any mapping as well, right?

19:46

Yes, yes, as you can see.


19:49

I'm not able to say anything.

19:52

Uh, on the firewall, do you see the allow logs, the inspection?

19:56

Yeah.

19:58

And the routing on that firewall is, like in the routing of that firewall for this IP, 10.175 is pointing towards the, doesn't have the routes on the firewall towards like to the transit gateway or let's say the TPC endpoint.

20:21

Oh, okay, Mark.

20:28

We can do one thing, we can take the low load zone clearing attached.

20:36

On this is a.

20:40

Can you tell me the, in the, now let us do this, the time waiting?

21:00

Uh, sure.

21:10

So this this PGW has this bearing on an OEB.

21:38

No, it's not.

21:40

Yeah, yeah, yeah. Yeah, so...

22:04

Can you just copy this log with that?

22:06

No, hold on, hold on.

22:11

You can just select it now.

22:13

Paste button.

22:14

Uh, yeah.

24:03

...

24:03

...

24:06

Can you see in the fiber?

24:10

I don't see anything.

24:11

Just something now.

24:11

Bear with me, please.

24:31

So I can see Genesis trying to talk to Behrend.

24:36

That I'm getting no replies.

24:37

So it's getting to the third party inspection firewall, umm, and then once it goes out, we don't know where it's going.

24:46

Like it may not be getting to Behrend, but I can't say because I've got nothing back.

24:52

So I know it's getting as far as the firewalls.

24:56

Have we tried initiating from the Behrends end?

25:00

Yeah, then you can also where they have continuous things.

25:04

Okay, yeah, I'm not seeing anything on the first firewall from Barent, but I can see Genesis
originated traffic.

25:20

Okay, so second firewall, I can see the Barent coming in as well, and it's the same as the other
day.

25:25

So it comes into Barent, hits the firewall, goes off, we don't see anything back.

25:31

Let me just check east-west to see if we can confirm that.

25:37

The other day we didn't see it arriving in east west.

25:42

Okay.

25:42

Okay, then everything we can say...

25:48

I would be thinking then, just give me a few seconds to confirm that.

25:52

Yeah.

25:56

If that is the case, then whatever work we did to send it over to the inspection is kind of black
hole to reply to.

26:03

Yeah.

26:16

So...

26:17

Nothing in East-West, anything originated from Genesis is not making this far as East-West.

26:24

Yeah.

26:24

So, Yesh, I just want to let you know, in the last meeting that we did, if you see my screen, there was a 10-00/8 going to our existing.

26:38

And it's like, you know, why.

26:40

We removed the.

26:46

That's when we started seeing the.

27:06

I think that is not required because you have already appointed a default route towards your
firewall, right?

27:13

To the third party.

27:19

Because this this default route which has a target towards VPC, then further this traffic will go to
the firewall, right?

27:28

And then the firewall will inspect and forward this traffic back to the endpoint and then the endpoint will forward this traffic to the transit window, correct?

27:40

Yeah.

27:41

So that that is the case here.

27:46

Yeah, yeah this is correct.

27:47

There is an issue here.

27:52

Can you check the default format for this transit window products?

27:58

Just go to the attachment 91s.

28:00

Yeah, what is the government...

28:02

Can you just...

28:04

Can you just share it with me?

28:13

Yeah, written that much it is...

29:27

In this transit, you can see our source is uh from the destination VPC which is 1017.

29:37

We are not seeing source as 10240.

29:41

So what I'm what I'm saying is you know this is correct.

29:45

The traffic is from third party.

29:46

So we are in third party but once it goes to the inspection firewall right, then it just disappears.

29:55

And still it's coming till our new country and then sending to them.

30:04

This traffic doesn't appear?

30:05

Yeah, it doesn't appear on the unknown street.

30:10

So does it come out or can it come out of the inspection VPC?

30:16

Yeah.

30:18

Where we have the...

30:22

Yeah.

30:22

We have the...

30:26

Inspection VPC, then you have a ring appearing attached to it.

30:29

Uh, CDC, okay, this is your East-West VPC, then CDC, then CDC.

30:53

Let's take another transit geter goal of this CD, peering attachment between the East-West VPC
instruction.

31:05

Let me just grab the attachment.

31:09

I'll just share it in the client chat.

31:30

Yeah, yeah right.

31:32

Just open the open the flow logs.

31:45

Yeah, that.

31:58

This is for the different source and right?

32:02

Did you search for the earlier one which we were searching?

32:06

Uh, okay.

32:10

Yeah, it was a 255, 156 was the source, right?

32:16

255 or 156?

32:23

Yeah.

32:28

From on-prem to the...

32:29

This is on-prem to the destination on on-prem to...

32:35

There is something in between this, like there is something in the inspection which is not
allowing for Akit to go through from destination to source or from source to destination.

32:48

Okay, so I just jumped in.

32:52

James here.

32:53

The inspection DTC...

32:56

actually it's pretty open, so we're allowing no traffic flow.

33:01

But there's one thing to change, like if the traffic is by default open, right, if we are considering
explicitly anything.

33:10

Uh But we should be able to see the traffic on the attachments, right?

33:15

Like from the firewall, the traffic should reach the attachments.

33:21

So we have two special businesses.

33:24

And when we initiate from one site, we see it in the first inspection agency, which should then go
through our second transit gateway to the second inspection agency.

33:34

We never see it arrive in the second inspection agency.

33:43

I show you for the firewall.

33:53

So, there are two inspections because the first is east-west, right?

33:57

And another is...

33:58

So, traffic from east-west is getting introduced to the inspection which we see which is
currently...

34:10

Sorry, Yash, just to confirm, so it was coming from the east-west side, we see it in east-west,
then we see it in the...

34:20

in the new spectrum that you see, okay, but we we never see a reply.

34:24

So we see, I could send and unreceive.

34:27

Now if I, if we do it the other way, and also, we see traffic going to the new spectrum there, if
you see, when it leaves the east, it never hits the east-west one.

34:42

Sorry, I think, but I think something...

34:49

The routing or is it, you know, maybe the...

34:53

So we have NACL as well, you know, if I show, if I, you know, get the system...

34:59

We have the NACL services, but let me show you the subnets...

35:06

Okay, so if you see, okay, I will get my NACL document open.

35:18

Hello.

35:18

Yeah.

35:20

If I look at this management one, yeah, because maybe the thing is not...

35:27

Mostly...

35:28

Yeah, it is all UM, then it is fine.

35:35

ICF is good for management, also...

35:47

One more thing, the security group on the server.

35:51

On the server, you have the security group.

35:54

Let's see something in the block.

35:59

Here we have only, okay maybe this, maybe the issue.

36:03

Yeah, because here you have the 443 is allowed.

36:05

So again, what is the, you know, I'm looking at security groups at the new instruction file.

36:15

What will be the ideal? It's not a good idea to be open, yeah. In the asks, if we can open that, yeah.

36:24

So on the inspection, you can see we're basically allowing the 10 network to the 10 network in
vice processor, so it's a lot more open than it should be.

36:34

Okay, so outbound, right?

36:36

Outbound, what I've done is open to 10/8, outbound.

36:39

So what, yes, if outbound is allowed, yeah, in most, it has to be allowed, but yeah, I can...

36:45

You know, just to...

36:46

Yeah, for the test-bound plus...

36:51

And then what I can do is I can just open all packages.

37:12

So this is inbound group or the traffic which will arrive from the destination, right?

37:19

Yeah.

37:21

I think now it should work.

37:25

Let's, let's try...

37:28

Let's...

37:29

Because...

37:31

Liam, it wasn't checking.

37:33

Uh, not getting any, uh...

37:37

No.

37:38

I've got a consistent. Leon, can you just ping the IP which you are trying to bring and also this website which you are bringing?

38:14

Yeah, they're all, yeah.

38:15

I've got a total of eight different.

38:20

So currently which one you tested so we can take...

38:25

Ohh They're all running.

38:38

There's a 10-240 here is the testing mixture at 10175.

38:58

So currently these things are running from destination account, right, Sadhu?

39:02

No, no. So what EM is running is from Medivang side.

39:06

Okay.

39:08

Okay. So these are the docs, these are the current things, right?

39:18

Yeah, in the last five minutes.

39:20

Okay.

39:26

74264.

39:29

Okay, so currently increase is getting allowed for fix, right?

39:34

Yeah, yeah, okay.

39:36

So this is going into the inspection, if we see the firewall, then we should be able to see. OK, so can you please check again logs on this attachment?

40:36

Yeah, 2DDB.

40:37

Yeah, 2DDB.

40:40

And check for the latest. Yeah.

40:50

We should be able to see where we are allowed in place.

40:57

Okay, means traffic is not arranged in the attachments.

41:03

Yeah, this one is the peering attachment between inspection UPC and this destination among the
UPC.

41:13

Yeah, and the main one there.

41:50

This is your, yeah, this is the...

41:53

Okay, this is the inspection VPC, right?

41:58

Yeah, we want to inspect all the...

42:03

Wait, wait. This is the round table for which this is inspection VPC route table?

42:08

No, no, this attachment of this router.

42:18

Yeah, yeah, yeah, correct, correct.

42:23

Let me check the peer attachment.

42:27

There should be route towards...

42:31

Next, there is another route.

42:38

So for the destination 10-17-20 is very interesting.

42:52

Okay, yeah, so yeah, here the route is there for 10-170, I think, 10-175, 10-150 power.

43:02

That's the second one.

43:05

I think, no, no, I think here. How it is not required because once the traffic lands on the peering attachment, but see what is happening right now, the traffic itself is not arriving at peering attachment, right?

43:24

We're making the peering attachment?

43:28

Yeah, the peering attachment between the third party and installation ATC.

43:32

Okay.

43:33

Yeah, we just saw, right, in the flow last.

43:38

Yeah.

44:47

Here we don't need to require to add the route because what will happen?

45:09

Uh, once firewall forward the traffic to VPC at one right again, then VPC on endpoint has the subnet has the default route towards peering attachment, correct?

45:19

Now once traffic land on the peering attachment, it will report the route table of this another
another transit peering attachment which was your third party transit gateway.

45:31

137 peering and in in that peering attachment route table all the routes are there 10, 175, 10, 175,
253 routes are there.

45:41

Okay.

45:43

Shashi, can you just show us the route table, you know, the peering is routing.

45:51

Yeah, yeah. It's such a...

45:55

So most likely the traffic is when getting inspected from firewall, it is got arranged at the peering
or the peering attached.

46:10

Yeah, this one.

46:11

Then traffic will filter or get inspected by the firewall.

46:14

Firewall should send this traffic to VPG endpoint.

46:19

And then the VPG endpoint will forward this traffic to the proper attached.

46:25

According to the round table.

46:32

.........

48:26

Or else what we can do, just to confirm if the traffic is not arriving at the peering attachment, we can take step by step flow logs from Inspection VPC attachment and then PLU attachment so we can get a...

48:58

Sir, call me here.

49:04

Hello?

49:15

Uh, yeah, traffic inspection VPC...

49:32

...

52:33

Yeah, Satish, can you check the flow logs on this inspection UPC attachment once?

52:40

Then something goes step by step and report table.

52:45

So I can share with your attachment ID.

52:57

Firstly, let's see from on-prem, the traffic's arrived entered.

53:02

Inspection...

53:03

00 a.m.

53:18

Sir, then yeah just just search with the...

53:25

Okay, this one is, so let's just understand, okay, time 240 is the source, time 1 certified destination.

53:33

Okay, so this is showing an egress traffic.

53:36

Okay, yes.

53:38

Just, you just paste this logs in the chat.

53:41

Yeah, let me see all the egress.

53:47

All are in egress, right?

53:49

Just all, there is no egress traffic.

53:56

There is no investor.

54:06

Just allow me one minute...

54:14

Hello?

54:15

Sayal?

54:18

Um...

54:19

Yay on the log.

54:21

BSB inspection which is your attachment. Inspection VPC attachment.

55:00

Inspection VPC for 75F.

55:10

K is 11C, a PRing attachment.

55:14

A PRing attachment.

57:13

Destination here...

57:15

time 175.

57:31

Attachment. Attachment attachment.

57:48

East-West traffic.

57:50

This inspection.

Under the yeah, open the flow logs again.

00:14

Yeah, this is your inspection.

00:15

You can see attachment ID flow log, right?

00:19

OK, just see this attachment.

00:22

This is the source, right?

00:23

1024054156.

00:26

And destination is 10175.

00:28

Now the first line which we see that the, uh, traffic is arriving at the attachment TGW 58D means this is the source attachment, right?

00:41

And beside given is our source inspection VPC and the subnet.

00:46

Now the traffic is getting egress on the attachment ID 11/0 C 70.

00:53

So this is basically your bearing attachment for east West, right?

I think there is one routing issue is there when traffic is moving out of the inspection ETC right
on the inspection ETC attachment.

01:40

You can see it is going back again to the same peering attachment to the east, West, correct.

01:48

OK, yeah.

01:50

So what I can see in the transit gate.

01:55

to the route tables for the inspection APC.

01:59

So it's one inspection APC.

02:16

So yeah, just a second.

02:18

I'll just do.

02:46

All destinations, 10175 during attachment.

04:14

Can you see which on this routing this transit to the roundtable associated to which attachment I
just shared in the chat.

04:23

Can you see this transit to the roundtable?

04:31

The search for this yeah.

04:38

Yeah, associated with the East West and also the main East West and also OK in the diagram if I
show you this one.

04:44

OK, you need to see East West, right?

04:47

Yeah, yeah. So this is OK.

04:50

So for on the East West tracking for 175, then on 175 is forwarding our PRA for PRA.

05:05

OK, so I'm going to show that there is any issue with the routing, but still I'm not sure why it is forwarding routing back to the peering attachment.

05:17

Can you see this routable?

05:19

Yeah.

05:21

What is this B63C?

05:24

This is not the existing or existing CDC attachment attachment for the peering one.

05:31

OK, does this look correct?

05:33

I mean, we are sending everything to each first for internal ones.

05:36

Okay.

05:37

To internal anything here pointing to 10, 240 and there is a default route pointing towards .

05:44

This is not solved.

05:49

This is not solved.

05:52

Okay, this is fine.

05:55

Okay.

05:55

These are.

05:57

So do we do not have route for 10, 175?

06:02

Yeah, but what I know understood that there's no 175 here.

06:06

That's why I wanted to check, you know, let's say that let's let's say source is our on 10 and the
OK finish is correct.

06:13

Yeah.

06:13

So it is this firewall.

06:16

And then so here we are saying 10175 go to the PRE, right.

06:21

So yeah, that's a sorry search with this item.

06:27

No, I have.

06:29

I mean they look with source type PRE, right.

06:31

Yeah.

06:32

Yeah, the 101 simplified step was to the pairing, pairing attachment and then attachment, you
know, is with the inspection.

06:39

So this is this one, right?

06:42

AADAA is this one.

06:48

AADA, yeah, but AADA is fine, but the other side of the gateway, this is the attachment, pairing
attachment.

06:55

So we should click this one.

06:56

Yeah, that means this is eastwest and forward traffic.

07:01

OK, inspection, VPC, why this attachment, why it's attachment and not the not the not attached.

07:09

That's why we don't have 10175 here.

07:11

OK, let's look at the destination and the destination.

07:17

We should look at the and the destination.

07:22

Can you can you take just take VPC flow load off the inspection VPC once?

07:30

Because we see whether traffic is moving back to the east-west peering attachment.

07:59

He's best in the world, not the greatest in this year.

09:24

Set it to.

10:22

Yes.

10:24

I don't know.

10:27

Is there any, is there any destination port which we can test?

10:34

Yeah, instead of being we can we telnet or something?

10:41

Yeah, there is.

10:42

And I've tried that.

10:43

I'll try to get it gone.

10:46

I'm gonna try a few ports now.

10:55

Trying 5062.

11:11

Danny, you still there?

11:14

Umm, so on this one we have seen one inspection.

11:37

This is the source and the source ENI.

Yeah, it's probably getting dropped on the file, right?

00:19

Yeah.

00:22

Only thing is allowed by the firewall, but we maybe we can ask James to open some other code.

00:29

Yeah, there should be a set of rules that are allowed.

00:33

This is some of the rules which submitted being allowed.

00:39

You wanted to ask James to open something?

00:51

Yeah, yeah, yeah. I didn't ask.

01:37

ICMP was being allowed a little more bypass than the inspection VPC was changed.

01:44

Yeah, the because it was not going right.

01:48

So yeah, we have made some changes to that.

01:51

That's why, you know. Yeah.

01:53

So the firewall is allowing ICMP through or not.

01:58

Yeah, firewall is allowing ICMP, but it's not allowing other ports.

02:02

Sure.

02:03

But what I'm getting at is ICMP was working when we were bypassing the.

02:08

Oh yeah, you're saying it's allowed.

02:12

Yeah, correct.

02:12

So this doesn't matter to me.

02:15

Yes.

02:15

So yes.

02:16

Yeah, yes.

02:16

You know, when we started working on the way.

02:22

So yeah, when it was working.

02:26

Yeah.

02:27

So yeah, definitely there might be some block.

02:31

SG on the firewall.

02:34

If we are bypassing that it is working, then it is probably architecture is fine.

02:43

OK, maybe but ICMT work.

02:50

So you think there's something wrong with the firewall?

02:53

Yeah, James is working the code now.

02:56

That's it.

02:57

So we will ask him to open some codes.

03:04

OK.

03:12

It's strange though because James was saying he saw ICMP out pounds.

04:46

But why is it getting blocked in when I'm seeing that in the 14 measure?

04:52

It shows, it shows that it's one number one.

05:54

I will only show you East West.

The CNP also it can still issues there.

00:06

Yeah.

00:06

Anyway he said he will open another.

00:10

So the traffic is one way, one way.

00:13

So it's in east, West, whatever.

00:14

OK, OK, OK, but nothing is.

02:31

Yeah, we'll just add something new.

02:38

Yeah.

02:40

And so according to the routing, it's fine.

02:54

Yeah.

02:54

And I can talk with the so.

03:03

So currently like the traffic is getting allowed from the firewall like it was saying like it is a one
way traffic.

03:13

But yeah, the last network recently changed.

03:21

OK, we have this.

03:36

You can, yeah.

03:38

I gave him 2000 to.

03:41

You can send the 5 to both, yeah.

03:42

I can do 5 to.

04:01

This helps you.

04:12

Oh, I've already given it to you.

05:02

Which means it is sending me forward.

05:06

Yeah, yeah. I mean, I don't know if it's getting to the other end and the sim is getting dropped, being dropped or the sim is not getting there.

05:21

Maybe you can see it in the logs along the way.

06:05

So this is the or the main inspection.

06:07

This is the main inspection traffic is going through the inspection we see.

06:16

Now can you just click on the open the details.

06:39

Let's check the routing for 10175 on this firewall when it is forwarding to because we need to
check the routing where the firewall is forwarding OK.

07:09

I'm thinking that at this point, my new review is to you.

07:15

Magnifier is forwarding you.

07:20

I'm sorry.

07:23

Regardless, anticipate this is still single.

07:32

So James wants to show wants to see how you are forwarding the traffic to.

07:39

So yeah, James, if we can help with like from the firework inspection firewall where the traffic is
routed for this 10 or 175?

07:56

Because on inspection firewall, we can see only one way perfect.

08:03

Yes, that's right.

08:04

I think we see traffic going into the inspection firewall.

08:08

It never gets a reply from its destination.

08:10

Yeah.

08:13

So, yeah, can we get some?

08:16

We know it's getting into the firewall just fine.

08:19

Yeah, it's the ramps out from the inspection firewalls and if there's no PC that we need to check,
yes.

08:26

So like I want to check basically on the, the firewall has the internal routes also, right, like for 10175 it is pointing towards some LAN or so, so citation you go to network place and set advance.

08:46

So we're basically sending everything over the the Jenny interfaces.

08:53

We have one per AZ.

09:06

We also have a policy ramps.

09:10

So this says whatever AZ the traffic comes in on, make sure it goes out.

09:16

with the same AC.

09:17

So we just forward back out to the big reload dots at any time.

09:33

Just start all in a minute.

10:19

Can you just run a constant ping for me?

10:22

Just to break that down?

10:25

Ping to fast?

10:28

Just open your terminal?

10:30

Yeah.

10:30

Yeah, just to ping 10, 11, 0, 2.4.

10:37

Yeah.

10:43

Okay.

10:44

All right, he's not talking.

10:46

I just wanted to check that.

10:47

I don't know why you're getting that as fast.

11:27

Firewall gateway load balance traffic forward the inspection to firewall the traffic east West of
us looking for another one.

11:53

Satish, can you just let me take that screenshot for the I think we need we need to involve to see.

12:20

This is forwarding traffic.

12:46

Yeah, there's no gateway on that because it's a tunnel interface.

12:52

So the tunnel interface is configured separately.

12:54

That's just for the start of that.

12:56

It's the same on east, West and north-south.

12:58

OK, yeah.

14:23

We might need to open the because we can only see this ohh one way traffic right on the fire.

14:41

So we need to change the traffic or not.

15:16

So, till the firewall, it is fine.

15:18

We are seeing the ether, but now after we need to check where it is going.

So the log which to the log which we saw were on the inspection, not on the eastwest building,
right?

00:26

Yeah, yeah, they allowed.

00:29

Yeah, the allowed one which we saw one way traffic logs.

00:32

Yeah, it is.

00:35

It is this first or inspection.

00:41

This is the inspection.

00:43

So this is the main part right between the distribution account and this.

00:59

Yeah, this is the.

01:03

OK, yeah, OK.

01:07

It is going out, but there is not zero bytes.

01:13

Traffic is getting forwarded by East West and there is no issue over there.

01:18

It is coming over there and it is going to inspection PC here.

01:27

There is no issue or else the traffic is.

02:57

I just sent the link here.

03:44

I'm well.

03:44

Thank you.

03:47

Yeah.

03:50

So I see you mentioned checking that you can look on that a lot in the case.

03:56

Yeah, so I just want, I just explained the new architectures that we have.

04:02

Yeah, so currently what we're seeing is we are seeing one bit traffic, you know.

04:07

One bit traffic.

04:08

One bit traffic and no response.

04:12

No response from?

04:14

Yeah.

04:14

So it's not like no response.

04:16

We don't know, you know what's happening at this inspection.

04:20

So I just we have a server at on premises here Genesis and we have to connect to the third party
account and we'll an example of and the and our existing transit gateway and then and then
comes back to instant transit gateway.

04:41

It goes to the new transit gateway and then.

04:44

It inspects in the, you know, new subnet, but after that, it just drops.

04:51

You don't see anything after this new inspection.

04:59

Are you seeing, are you seeing the ingress on the inspection file?

05:05

Yeah, we see the but nothing more response.

05:10

It just drops after that.

05:13

OK, so yes, yeah, so Victoria, I just, I just pasted the traffic flow on the set.

05:20

So basically what is happening.

05:22

So when traffic arrives from the on premise, there is one East West firewall which will perform
the inspection then pass over traffic to me another inspection firewall.

05:34

So from East West traffic gets inspected and then over the peering attachment it goes to another.

05:41

Uh, inspection VPC which has the firewall and then that firewall will again perform the
expression and uh hand over the traffic to the peering attachment with another account.

05:51

OK, uh, so basically the third party account is the destination.

05:55

So what we are seeing like on the firewall we can only just see the one way traffic like the traffic
is going out but there is no response back.

06:06

So we just wanted to check like so this can you show that firewall runs inspection VPC firewall.

06:14

Yeah.

06:15

So can you see Victoria the logs so basically.

06:21

So actually this is the routing under the firewall.

06:25

So we are sending different traffic S/A towards this green-way load balance endpoint on EZA, EZB and EZC, right?

06:34

So, and after that, when we check the logs.

06:42

Yeah, so we are seeing only forward traffic going out.

06:46

So there is no retail traffic.

06:48

Uh, can you help us like taking a log on the side to check if the firewall is sending back this traffic to the endpoints and then further it is going towards the transit gate or not.

07:06

OK, so from load balancer perspective, yes, we only we do only have BTC flow logs.

07:16

OK, yeah.

07:17

Those those are the only in terms of logs to have a look at.

07:21

We only have flow logs that are available at the gateway point.

07:26

Yeah of view.

07:28

Maybe one I would like to ask on the transit gateway side of things, have you enabled appliance
mode?

07:35

Yeah, on the on the gateway.

07:38

Yeah.

07:38

So appliance mode is enabled for both the inspection UPCS needs to extend the final inspection PC.

07:46

We are seeing the traffic incoming, but yeah, on the firewall we are not able to see any response.

07:53

So we just wanted to verify the routing.

07:57

I saw, I verified the routing is correct, all the configuration routables are attached and all.

08:04

We just want to verify. So let's let's have a look at, I think you shared with me the load balancer
on the chat.

08:17

Could you confirm the region that you're looking at?

08:20

Because I think it's not Asian Pacific.

08:24

OK, then again, we'll need to see the VPC to reach the flow logs.

08:29

If the flow logs are there, we'll need to ensure that they're in custom format.

08:35

So that that would allow us to have a view on the gateway load balancer side of things.

08:40

But between the gateway load balancer and the firewall, these are on Geneve.

08:45

So ideally from that perspective, we're not able to see anything much more than on what your
firewall appliance has to say.


08:55
So allow me to just check VPC flow logs and see what format they are in, if enabled.

09:04

Yes, allow me to, yeah, a moment, yeah.

09:37

Is it, is it, is it just to confirm again, is the traffic not being seen on the the inspection VPC in the
traffic flow that you shared on 75F?

10:03

This is where you are seeing no return traffic to the third party account.

10:11

Or is it as well not seen on the East West VPC where inspection VPC where it ends with BD244
on both the VPC's I think we are not able to see the return traffic.

10:30

Yes.

10:35

So in this diagram, this VPC, right, something is wrong either with this VPC, the traffic hits this
firewall, but after that, you know, the respond doesn't come at all.

10:50

Either some, you know, this kind of the third party, the traffic reaches this instructions VPC, but
after that it doesn't.

11:00

It just goes away.

11:08

Oh, you said this good.

11:09

Whatever the features of this service was back to this one.

11:14

Yeah, but from third party it will just.


11:38
I'm just looking at the VPC flow logs.

11:40

I'm not seeing the custom format.

11:44

I know you've also sent it on chat.

11:46

What I'm seeing here is I just enabled it to take some time.

11:51

Earlier it was the contact disabled the custom one.

11:55

It will take some time for the custom one to take effect.

12:02

OK, I'm on with that.

Let me just send on the team's chat to what the EMS is actually for me to do looking at.

00:13

I'm sending the case notes.

00:16

No, it's OK.

00:16

I can't see the team's chat here.

00:18

I'm one here as well.

00:20

So so that I I'm able to just so you want something, you know, just get rid of them.

00:27

So you want something to send it.

00:29

Do you see your lens?

00:32

Mm-hmm. Are you seamlessly?

00:35

We're looking, yes.

00:35

I'm looking for the ENI.

00:36

The ENI is for the different new balancer.

00:40

Endpoints.

00:41

Yes, it is.

00:43

The endpoints, yeah.

00:44

The endpoints, not the...

00:47

Not the, yeah.

00:47

Okay.

00:48

Yeah.

00:50

Endpoints.

00:51

Endpoints.

01:03

Yeah, that's true.

01:06

I think you have year three, yeah.

01:10

Go to the subnet, the year nine there.

01:16

Could you also paste them on the JT news chat as well?

01:26

You can place that on the pins chat.

01:28

Yeah.

01:29

Thank you.

01:38

I'll just press all three first as well.

01:41

OK.

01:56

Are you actually testing as we as we practice?

02:00

The ping is changed.

02:03

OK, sure.

02:04

Thank you.

Oh, that's on the source.

00:26

We are now on the ENI funds.

01:10

So this is.

01:15

Could you, could you confirm the time?

01:18

Right now we are looking past.

01:22

Let's go to custom, let's go to custom, let's see the time. I'll just stop last 30 minutes from now, let's
see...

01:35

And I'm searching for the source again, this one, but there's some multiple things happening here.

02:02

Multiple things happening there.

02:06

This I do, there are multiple things.

02:09

But we need to be looking at the source of the of the the one that's sent in the king.

02:16

So you're looking at 10, 10, 20, so these are the ones that are sent in the king.

02:20

Yeah, that's right.

02:23

Okay.

02:24

Is that to Amanda?

02:29

Yeah.

02:32

Are you sending to...

02:51

All the traffic, currently this traffic is egress.

02:56

There is no egress traffic we can see getting out of the...

03:00

So this we can...

03:02

Just a moment, yes.

03:05

So this is on the C975 Air, just a moment.

03:13

So this 1032, this. So the destination is to 253.36, correct?

03:26

Yeah, that's right.

03:27

So this is the source, 252.32, and 253.36.

03:32

So this is one of the source.

03:39

And you can tell that 255.253.36?

03:45

Yes, yeah.

03:58

And just go down together.

04:25

Is it possible just to do for me a download update?

04:30

Just want to go to the little download to the channel.

04:35

Like this?

04:37

Yeah, this week.

04:38

Is that in there?

04:39

Okay.

04:40

Yeah, let's just download this.

04:41

I'll take the sources and destination from the from the chat as well.

04:53

Yeah.

04:56

No, I need to start here with him.

05:05

I just said you manage that here.

05:20

Watching through the keys?

05:47

Yes.

05:47

You know that shunting?

05:49

Okay.

05:49

And you can also look through the number ENI as well.

05:55

And let's see whether you have any ICs corresponding to your software.

06:00

And you know the stages are not really for us, so I'll just add it here.

06:06

Okay.

06:06

I'm not able to attach it to the screen.

06:15

How are you know?

06:17

I'll screen a present actually.

07:01

OK, I think I'll come down.

07:04

We download this.

07:05

Just probably clearing all of that site that you know for a project meeting for now and then.

07:15

You can get a summary of where we're at please.

07:20

Yeah, you know, what's happening is...

07:28

...

07:29

where the property is getting dropped.

07:33

That's, you know, it's not like an easy step, because it involves multiple new components, and I
guess we got each and every layer.

07:44

We are able to pinpoint that the issue is...

07:46

we know where the issue is, but we actually don't know exactly.

07:50

Want to change because that's fine.

07:53

We haven't.

07:55

Did you?


07:56
I know Baron, the inspection on the test again because it did originally, originally go last
Wednesday.

08:06

Yeah.

08:06

Has that has that been attempted again?

08:08

Would that help?

08:09

Hello.

08:10

Yeah, we did not remove the inspection.

08:13

OK.

08:13

Yeah, yeah, yeah. Yeah. Oh, um, OK.

08:23

I thought the verifies would have asked you, but obviously not them.

08:30

We actually, in the design, there was no inspection procedure, because they already inspected
here, but...

08:52

Could you just look through the other logs?

08:55

I think they came in with a filter.

08:57

No worries.

08:58

But could you you have a look at the other ENIs?

09:09

Yes.

09:33

OK, transition.

09:36

Yes.

09:36

Do you want.

09:45

Let's go on to the next...

09:48

that's fine, thank you.

09:49

And then...

10:02

Okay.

10:04

Do you have any other thoughts sending traffic to this festival destination as well?

10:10

Yep, we have many.

10:12

Okay, and do we have both Ingress and Ingress on it?

10:46

Can you send this without any filter?

11:11

Last 30 minutes.

11:18

Yeah, and then just download it.

11:31

So yes, just to confirm, we are seeing...

11:35

So the ingress here on the traffic that you shared on the chat earlier, so the ingress here reaches
the 975F gateway in Bandanza endpoint.

11:46

And the next hub should be the transit gateway umm735B0DB, correct?

11:56

Yeah.

11:56

And when we look at the routing for for this, remind us going through together.

12:02

Yeah, so like we verify from the customers.


12:09
Yeah, yeah, sure.

12:13

I've gone through many times.

12:15

Thank you.

12:16

Sorry about that.

12:22

The simplest one what you see here, it is associated with all our VPCs, given the direct
connection gateway.

12:27

Everything is associated with this out table.

12:32

Here is what we are saying.

12:34

We are just saying M+8, inspect it with our east-west fiber.

12:40

This VPC is the east-west fiber VPC.

12:45

And this out table, our east-west. We searched for also associated with this content and this, you
know, for this table we have propagated everything.

12:57

We wanted to know around the data from cases, even other UPCs, right?

13:02

And also, we have some static, we have static rules for the clear impact.

13:11

So, in this case, 252.0/23 and 254.0/24.

13:18

These two we are pointing to the clearing attachment.

13:23

This clearing attachment is given to inspection.

13:29

Okay, can we see...

13:31

Can we see the groups?

13:32

Yeah, so now we should run...

13:35

Now, we should reach the attachment side of the new bandwidth...

13:41

Seriously the existing bandwidth...

13:44

Where the new bandwidth...

13:46

Yeah, in the...

13:48

Attachment of the steering assessment, we are sending everything to the inspection VPC and
inspection VPC.

14:00

Okay, this is the inspection VPC association.

14:06

9.5S.


14:07
So, for this route, we are sending M175, 252 and 254 to the period.

14:17

clearing attachment of external attachment, which is this one.

14:25

That doesn't make sense.

14:28

For this one, you will prepare the external one and it won't be.........

14:47

The main thing what we have observed, we are not seeing any from firewall because if the traffic
is better expected, then the traffic should be viewable based on the VPC .

15:12

One, yes, we are seeing that there are no egress packets.

15:16

However, I just want to see if from the routing table, I want to see that I think they have
downloaded this.

15:26

So, yes, I see there are no pieces.

15:28

And from the source of what I'm seeing here being 7252.32.

15:39

We'll see 1017255 as the package destination.

15:43

Just let me just get around.

15:48

Moment, I need to speak from...

18:06

This is the feature announcement.

22:22

Is it possible to take me to the DJ the Balancer endpoint?

22:31

Yeah, let's see.

22:32

Then let's just go to that.

22:38

Okay.

22:39

Yeah, so let's just look at that one moment.

22:50

Just go to the submit.

22:59

I'm just showing that.

23:00

So let's see.

23:31

So then the next option here is...

23:39

1017, that's local.

23:45

Anything else should go to the transit gateway.

23:48

And this is the one that's yet to the new PR require.

24:01

Endpoint will send to get the load balancer.

24:03

Get the load balancer send to the back end bandwidth.

24:07

And back end hardware, you know, there's no hardware we send to the endpoint.

24:18

So yeah, we're just looking at this.

24:20

Okay, if I go back, yeah, nothing will go back.

24:23

So this place here we're looking at is, I give to the dependence of endpoints, let me just say.

24:31

Submit here, endpoints here.

24:42

UCB.

24:48

Just a moment.

24:53

I think I have that submit here.

25:10

...

25:18

So, appliance mode has to be enabled on the on the VPC attachment or...

25:22

Yeah, I think so, yes...

25:27

attachment, right?

25:29

No, it is not.

25:30

Yeah. So, yes, you're confirming that on the inspection VPC attachment appliance mode has been
enabled.

26:01

Okay.

26:01

We can verify from the consolation once we do that actually.

26:46

And could we have a look at the file on the itself, or after we see this, the plan ?

26:51

Can we look at that?

26:58

Can we look at the firewall, just confirming we just went through, you mentioned on the
inspection VPC firewall we've already, I mean inspection VPC attachment we've enabled the
plans for.

27:10

Okay, cool.

27:12

Can we look at this, once you see on your firewall, I believe you are looking at the different
routes.

27:19

Is it possible to just verify, just go to your firewall again?

27:23

In this one, okay.

27:26

Yeah.

27:45

So on the firewall, are we able to see this particular packet ?

27:49

Do you want to see a packet capture?

28:00

I just want from the logs as well.

28:04

Yes, so if you look at the forward graphic, you see how the result is sent packets for no received.

28:12

So the the traffic is getting to the firewall, being sent out, but we don't see the return.

28:19

Okay, so let's look at first the ingress package as sent by the endpoint.

28:26

We see that again from the source.

28:27

So there is 252, correct?

28:32

This is what we'll be expecting from...

28:39

Yeah.

28:45

So I'm looking at, we're looking at the source to you as it goes to the new transit gateway.

28:56

It should be from the 214 to 252 or...

29:07

This is not the same though.

29:21

Yeah, yeah, yeah, yeah. Uh, Satish, it might be on the other far wall.

29:54

Okay, but, you know this I'm trying to apply here, but why is this not working?

29:59

Is it not overlaps?

30:02

Just clear it first, and do it again.

30:05

Okay.

30:15

So overlaps a bit, or is that meant?

30:19

I think just leave it as overlaps.

30:25

The last one, nothing is there.

30:27

Yeah, it's probably on the other part.

30:34

Yeah.

30:36

The last octet is 166.

31:01

umm I have also one of my colleagues joining the call.

31:04

Maybe just.

31:51

Yes.

31:51

You want to see 252.W.

32:04

Yes.

32:05

And here it is, 32.

32:30

So that's coming through ACC.

32:32

Okay, just a moment.

32:51

It goes back to 135, 253, 36, just to confirm again that's IP.

33:06

This is the one in the new transcript, correct?

33:12

Yeah, this is the new transcript.

33:21

Okay, and then this this is destination.

33:26

This is on the ingress.

33:33

And so once it receives it, can we see the the next packet thumbs up?

33:41

Let's see on this result.

33:45

Hello, this is from I don't know if you can hear me.

34:01

Yeah, we can use.

34:04

Um, sure.

34:04

On this...

34:06

is this held by destination or just...

34:11

There's not a lot of traffic coming through.

34:14

Uh..

34:14

Uh, okay.

34:14

I see.

34:14

I see.

34:14

Would you satisfy that for safety, please?

34:19

Uh..

34:20

532.

34:21

It's...

34:25

Okay.

34:28

I see...

34:29

source...

36:06

So, in this case...

36:08

Could you just select one of that control again from the panel?

36:14

Just select it, just want to see the details.

36:18

So could you just click on the interface?

36:21

three double details as you see.

36:23

So I want to see what parameters go on that feature.

36:28

And so this is the destination.

36:35

C is the...

36:39

3 is it the one...

36:43

more details from here.

36:48

Sorry, give me a moment.

37:29

Earlier on in the call you had showed me the three interfaces.

37:33

It was easy.

37:34

A, B and C.

37:35

Could you just navigate to that?

37:38

Sure.

37:39

So we have the static branch to them and we're routing the 10 networks to it.

37:44

Umm I can show you the the config if you want.

37:48

So these these are the Geneve interfaces and they should correspond to the AZs of Gateway Load
Balancer, the address.

38:04

Could you confirm that for me, please?

38:09

Yeah.

38:13

Yes, I have to go pick up my daughter from JK.

38:16

Can you-- I got this.

38:19

Yeah, thanks a lot.

38:27

Thank you, James.

38:28

We're just trying to see the the routing between now the inspection VPC in terms of the
endpoints of the AG and WP.

38:34

So just allow us some time just to see that.

38:39

Just pick the IEPs confirming, confirming ma'am.

38:42

Thanks.

39:35

ok So the markings are fine in terms of A, B, and C.

39:39

The due to independence and E&Is are currently mapped.

39:46

Yeah.

39:47

So now...

41:20

So, just give me a moment, I'm also giving a second eye on burn...

41:24

that brings section.

41:39

Could you just go to your VPC flow logs, please, on the cloud?

41:42

Uh, I'm not sure.

41:45

I will have access, um..

41:49

Okay.

41:49

Uh, bear with me.

41:51

Sure, no problem.

41:52

Let us know if you can.

42:09

Due to your inspection VPC...

42:13

...

42:13

click on the CloudWatch destination log link.

42:24

Just click on that.

42:29

Okay, and then just the most recent one?

42:34

So, what I'd like for you to do...

42:39

Just click on search all log streams.

42:41

Can you see the button search all log streams?

42:46

Okay, so I want you to put in your...

42:50

you can see maybe last hour or so.

42:52

When was the last test done?

42:53

Or is it continuous?

42:56

Yeah, it's continuous.

42:57

It's continuous being done.

42:59

So you could just put last 30 minutes or 10 minutes, I don't know, could use a custom filter.

43:05

And please touch with your source AP.

43:08

Okay.

43:08

Uh, I just type the address in.

43:12

Yeah.

43:12

...

43:12

No, just the AP, not the .

43:18

Here we go.

43:45

Hmm. Oh, that's differently nice.

43:47

Could you just export this for me, please?

43:53

Sorry, could you just help me out with how you do this?

43:56

Could you go to actions?

43:59

Not sure.

44:01

Export.

44:02

Exporting CSV.

44:08

Download, download this.

44:09

So I want you to open it on Exo.

44:15

It's alright.

44:18

Man of the messages, isn't it?

44:21

Yeah, so I'm just trying to look at this.

44:26

It's...

44:27

Yeah, it's just on the message, so...

44:28

I just want you to put the filter on B.

44:34

Mm-hmm. Yep.

44:35

Just put the filter on B.

44:39

Um..

44:39

and such egress.

44:42

I think it's because it's not, there's a way we could do it, but let's just keep it simple.

44:47

Just type egress on the side.

44:48

I think it ought to apply the filter.

44:53

So, based on the format, it's field one, two, three, four.

45:02

I'm just trying to look at the packet source address, packet source is quick.

45:08

because it's quite nested deep in Uber.

45:14

So let's look at it.

45:16

So it is after the TCP flag and the type.

45:39

So based on this, if we look at this particular egress flow, let's see what ENI this is, what ENI is
this.

45:49

ENI is 41, A41, yeah.

45:54

Yeah. It's a transit gateway attachment.

46:21

So, but on the ENR is A41, so this PGW attachment on which is on this that is on 2C.

46:45

So you can see this is the egress channel...

46:48

...

46:48

I can use that to ingress again, just change the filter to ingress.


47:03
So let me just scroll to the left a bit, let's see the ENI.

47:11

So the ENI here is E95.

49:38

Sorry, I'm just unmuting myself.

49:41

So, thank you for providing the medical suitability process.

49:48

I just wanted to clarify, so the medical suitability does mean once that were notified to the
organization service, it's a multi-disciplinary, it's not a screen or we have the .

50:02

And we have better representation in the medical suitability.

50:05

So it's assessing the donor in all aspects.

50:08

There is consensus within the group that there was this clarification around the decision making.

50:17

Um, we certainly.

51:10

Now, just a question.

51:11

Could you describe your file?

51:18

The file, the file, please.

51:24

The The one, I don't know which particular file you'd logged in, Ali.

51:31

There's a 156 and a 166.

51:35

So, let me ask, do you see any other return traffic for another destination or is it just only this...

51:44

...there's no return, and this is an official inspection.

51:48

VPC is new, so we came approved.

51:51

And previously, we had to wait with them without the inspection, but as soon as we did that, we
get... So essentially, you're not able to get any fix through irregardless of the source, so you're just
troubleshooting based on different sources, right?

52:12

So you don't have any successful flows through this particular setup?

52:18

Yeah, my question was, are you having any successful flows through this particular inspection
on WebPT?

52:30

of any kind, or just all of them are talking?

52:35

You know, as I was saying, this inspection VPC is new, and this whole intrinsic gateway is new.

52:43

So we were able, like if I...

52:45

I'm showing you this briefly.

52:48

So we we are able to get it working both ways without the inspection VPC.

52:56

But it was originally working just routing between these two.

53:00

As soon as we added the inspection VPC, so for instance, if we start from here, we see it go into
the inspection VPC, we see it leave, but it never comes back.

53:11

Now, if we start from the other end, so we we have other firewalls here, I see it hit this firewall,
this inspection VPC, I see it hit this one, but then it's forwarded out, but we never see the return.

53:27

So it's like the return of, part of this.

53:29

That's why I think we need to look at the the egress from the inspection VPC, its routes, and then
the return.

53:37

Because we we just see, you know, zero bytes received.

53:43

I'll go back to your original question, so this is a new inspection VPC, so we have no other traffic
than this going through it.

53:51

All right, right. Listed, listed.

53:53

So just checking on that because ideally what happens is when the traffic addresses to the VPC,
the first drop point will be the transit gateway subnets, they're routed to the firewall, the gateway
advance endpoint.

54:10

So the traffic is received back from the firewall on Geneve, the the gateway advance endpoint
will now make a routing decision based on the output.

54:20

on the return traffic from the firewall.

54:23

So, what I'm observing is I'm not seeing any any flows out.

54:30

I'm just curious.

54:33

Any flows out from the firewall?

54:35

Because here, my my expectation here would be ah on this, this is ingress page.

54:43

So we can see, we can see ingress flows going into the firewall.

54:52

Based on the endpoint, this is the Git Rule bouncer endpoint.

54:55

So my expectation would be, if you were to filter egress, just filter egress, I could see egress
flows with the same format, only that it's the same packet that went in as now egressing the Git
Rule bouncer endpoint after the inspection.

55:11

And I could see similar parameters, what direction is now.

55:15

egress from the Gateway Advance, but you see all the egress here are from the Gateway ENI
pressing into there.

55:23

So we can see the ingress traffic from the Gateway ENI, right?

55:28

This is F1 is Gateway ENI coming into the VPC.

55:34

We can see ingress traffic to the Gateway Advance endpoint.

55:38

Uh, but now when we check for egress traffic now, we don't see any egress traffic from... It will
burn the endpoint.

55:46

So, there has to be some disconnect there.

55:49

So I just want to see if I can't see any any metrics that will print.

55:53

There must be something that's that's not right.

55:57

So let me see if I can see any metrics on...

56:01

It will burn the internal metrics, if there's anything obvious that can point to a mismatch of
something.

56:06

So just give me a moment.

56:07

Do you have any MTU configurations on your...

56:12

Nothing...

56:14

nothing specifically said.

56:17

It'll be whatever the firewall default is.

56:21

So what's...


56:25
Yeah, just look it up, because...

56:28

Remember, the maximum MTU on petrol balance is 8500.

56:35

It definitely won't...

56:36

yeah, 1492, so 1500.

56:39

Oh, okay.

56:39

So it's 1500.

No, we've already done that, but we did try shutting down one of the firewalls, just to see if it
just happened to the firewall behavior, it's still the same.

00:15

Yeah, because I'm just thinking there has to be, there has to be something...

00:26

Are you able to travel?

00:27

Do you have a subject in the in the zone?

00:31

There is one in our scientist section with the city.

00:36

I'm just looking, because you need to have it in the section with the city.

00:46

Yeah, I don't know.


01:24
Uh..

01:25

Sorry, let me just...

01:30

I had a...

01:30

Oh, I think we got...

01:36

I think you think it's all right.

01:45

It's all right, just give me a moment.

01:48

Oh, there's quite a few...

01:51

Want us to do some check, okay?

01:53

I want you to go through the flow logs again.

01:56

I'll ask you to check something else.

02:02

Let's review the inspection VPC...

02:04

what the VPC...

02:06

I'm just curious on if you're getting jinny pads because if I'm not forwarding the jinny pads...


02:20
then I might not be receiving .

02:23

Well, well let's see.

02:26

Keep up the flow.

02:30

We'll start by the ..

02:31

You know, this is the second one, because the first one is the three.

02:37

So just click the destination where the cover flows.

02:41

So I was just a hunch on my side.

02:44

I might not be getting Geneva traffic back, so let me just ..

02:49

Sorry.

02:49

Let me send it, I think.

02:51

Sorry, send it to us on the link.

02:53

Just copy the text that I've sent on the...

02:56

The text is...


03:03
Yes.

03:03

Do you want you to start that particular ENI?

03:15

Yep.

03:16

But bear with me...

03:23

Uh, yep...

03:25

Are we looking for...

03:37

I think directional flows on this...

03:46

So you can see, this is 136, we're seeing.

03:51

So it looks like basically we should see both ways.

03:55

Yes, we should see the firewall also sending the traffic.

04:00

Because if we if we look at this, this is just, let me look at this font again here.

04:06

So just give me a second.

04:12

So the font, sorry.

04:34

OK.

04:35

So the first is working account AD, then the interface is this source destination.

04:40

That is what I'm doing, source destination.

04:43

So if you look at this, we can see the source is 133.

04:47

This is just one of the zone or not.

04:52

No, no, no. That is the key of your firewall interface, right?

04:58

This is the interface on the interface that you'll be pointing to on your firewalls, right?

05:05

This is one of the like this.

05:06

So if you look at this particular, if you look at this particular traffic, we're only seeing
unidirectional traffic, right?

05:14

Just scroll down.

05:15

Just scroll down.

05:17

I'm just down at the bottom here.

05:19

Yeah, so if you look at this, we're seeing unidirectional traffic.

05:22

So it means, even on ENI level, people are about getting this traffic on its ENI.

05:29

So if, for example, if you switch to, let's say, the the culture port, you're currently using 443.

05:39

So you just search 443.

05:44

Now, do you see that?

05:47

I see it's...

05:48

You can see the reverse trophy.

05:51

Yeah.

05:51

From the ENI coming back to Gitu.

05:53

And you can see this is D5.

05:55

Okay.

05:56

C5.

05:57

Do we think something is not listening on the firewalls or...

06:09

But for some reason it's not recapitulating the packet and sending it back to.

06:14

So I don't know what's what's broken into me, because it looks like something I'm kidding.

06:19

Because the reason I , because I know I'm not seeing any drops on on the metrics.

06:25

So definitely not dropping any packets, then I should receive the .

06:39

Let me just...

07:23

I'm not really sure how to diagnose the tunnel.

07:28

I think it's just, see the rough or it's down.

07:31

It's definitely showing up.

07:41

I guess my question is, sorry, I'm looking at the wrong one.

07:47

No traffic is coming in to the firewall.

07:52

Sorry, I've got two connections to the same one.

08:05

So we know traffic is coming in.

08:09

For example, yes.

08:11

So you're saying you think the re-encapsulation after it's come in, we're having some issue there.

08:19

Yes, I think that's the problem.

08:21

For example, when you do this, let's go to the flow logs we just enabled.

08:29

For that, I'll give you the answer that's working, right?

08:32

Because the east west one.

08:35

It could be that particular...

08:37

Look, I'm still here.

08:38

We will see two way Beneath.

08:40

Yeah, we should be able to be...

08:42

So the issue here is just the traffic is not getting back to the faster.

08:46

Yeah.

08:46

So there must be something on the...

08:49

Beneath configuration that is not...

08:57

We have...

09:02

OK, so that's as simple as the interface, the Mac protocol, the IP address.

09:09

You guys have already confirmed for me that the endpoint is correct.

09:16

Um We know that.

09:23

Can I ask if you could...

09:27

run this command.

09:29

I'm just typing it up.

09:32

Where you are actually on the config system.

09:38

What was the command?

09:40

I'm going to send it to you.

09:43

I'm just picking this from one of the FortiGate appliances configurations.

09:50

Just a moment.

09:53

Let's see.

10:01

Just confirm it as well.

10:45

No problem, I can do this.

10:58

So, can you just for information, we have 133 and 118.

11:05

They are both different endpoints.

11:09

Yeah, I thought that there's two different. OK, so you can see the zones sending in new traffic on
an ephemeral report as the source.

11:51

These are.

12:04

Yeah, in and out.

12:08

Yeah.

12:10

Well, there's a supplemental and say that the towers will not match any free load.

12:16

Oh, yeah, that's a good point.

12:17

I was pretty sure that we weren't NAT-ing.

12:19

No, I'm going to...

12:21

Because ideally, it will run the same tuple, the same tuple, on the traffic, not disabled for our
policies.


12:30

OK.

12:32

So whatever this is on the moment, that's what I was looking at.

12:39

Maybe there could be some some points that's messing up because I guess if there was any
interference or maybe the Genevaders or something that usually has the.

12:52

the tunnel like in the headers, but I should have seen drops due to invalid to headers or
something like that.

12:58

So I don't see that.

12:59

We don't actually see any traffic.

13:01

But there must be a configuration that's separately causing this not to recapitulate the packets.

13:07

I don't know why, but the recapitulation seems not to be helping in the file.

13:13

Um, yeah.

13:13

We're using the same firmware version as East/West.

13:17

We can rule out anything with that.

14:06

We have policy.

14:07

We have a route.

14:23

So I can try one thing.

14:27

Umm In the routes, we don't have a gateway.

14:33

IP.

14:35

We just set the interface, but this is this is what we've done on east-west and that that works fine.

14:42

And we we have a north-south inspection.

14:46

That works fine.

14:47

So we just tell it, for this network, use this interface.

15:00

So that's what we have here.

15:17

So, what?

15:19

100.

15:19

I'm sorry?

15:23

No, I'm sorry about that.

15:29

Yeah, but we've got all this integration on there.

16:10

Hang on, now...

16:10

All right, wait, wait, type in...

16:30

Yeah.

16:36

OK.

16:39

I can't think of anything else, guys, why this wouldn't be working.

16:43

I'm wondering, it's getting late.

16:45

We've been working on this for a while.

16:46

Can we maybe reconvene tomorrow?

16:52

OK, that's fine.

16:53

Is it possible to just share with me the output for that from your Peter?

16:57

I'll be.

16:58

Yep, bear with me.

17:00

I'll just be sharing that for the case summary as well.

17:04

Just put that in.

17:11

I'll just put that in his chat.

17:13

OK, thank you.

17:16

In case I come across anything else that we might be looking at or need to look at...

17:23

So what I'll do, I will talk to the institution.

17:25

I'll get in to set up another meeting for tomorrow and we can continue troubleshooting.

17:32

No worries.

17:33

Thank you.

17:34

At least we've been able to see what we need to check on.

17:37

That's it.

17:37

Yeah, I appreciate your help.

17:40

Thank you very much.

17:42

Sorry, sorry, sorry. It's a value add that I can give as the meeting organizer.

17:49

Are you...

17:51

Victoria, you're in Yash...

18:01

Yeah, that's right.

18:02

So...

18:05

He's got the AWS case.

18:09

So I spoke to him, he's just, he can't join right now.

18:14

So he will be able to kick off another meeting tomorrow.

18:18

Okay.

18:18

I use the same case.

18:21

Yeah, sure, sure. I guess I was asking, do you want me to set up another meeting?

18:27

No, no, just in case you can run through this and then we'll invite everyone.

18:34

Everything I've listened to, I must admit I've been in and out and multitasking...

18:40

From what I've heard since you've said since you've been doing this, it sounds like...

18:45

on the head of this...

18:49

There's something going on down where from the firewalls gateway load bounce.

18:52

Yeah.

18:53

Like, I'm not exactly sure what it is doing.

18:59

So...

19:00

Yeah, you want to use/teach work.

19:03

Organise setting up another meeting tomorrow.

19:06

I would probably cancel that if you want parents included, given their time zone.

19:13

I don't think we need parents.

19:14

As long as they're running their constant things, which they are, then we don't need them.

19:19

Alright, yeah, just maybe drop back into this meeting chat.

19:23

Because I set it up, and NTT is generating with both parents and... So if you put any updates into
this current meeting chat, you should see that, yeah.

19:36

If you set up another meeting, you'll be able to chat.

19:44

Thank you, James.

19:45

Thanks everyone.

19:47

Thanks everyone.

19:48

We'll catch up with you soon.

19:50

Thank you.

Oh, yeah, we saw that.

00:14

Was it on September 16th?

00:16

Yes, yes. OK, so there is one case.

00:30

Yeah, so in this customer is trying to attach a route, like he's trying to announce the route table
with the peering attachment for the cloud.

00:44

So basically this is the traveling unit in US West 2 and this is the peering attachment with the
core network.

00:53

PGW attached R64 for this the customer is trying to announce the route tables.

01:00

Uh Now this particular transit gateway almost has around 171 route tables, right?

01:08

And what I found like the maximum number on this peering attachment, this one for this, which
is currently, yeah.

01:20

So this is the peering ID.

01:23

For the transit gateway attached to this phone network, right.

01:30

So the current limit which I can see.

01:34

So this is the limit, right, which we have to see, like how many route tables can we.

01:40

So go to the Cortana document.

01:42

This is double key, right?

01:43

Yeah.

01:45

So go to Cortana documents here like the cloud.

01:52

I have not reviewed it myself.

01:55

There is no use.

02:23

So what they do is, they will create a peering with the transit key.

02:30

Then using the peering, they will create the route table attachments.

02:35

But like in the cloud customer share, right?

02:38

So Indian, uh, yeah, the arrow is here to cloud the client's route table and not.

02:49

For this clearing attachment, this is the attachment I did not clearing with another.

02:58

I also want to see that in the public also that there is women.

03:07

It is a default limit currently set to 20 for clearing attachment with this one.

03:20

announcement.

03:22

Basically this is going to be for now.

03:37

What is that is what I'm seeing.

03:40

Maximum number of transit gateway optical announcement.

03:43

Basically optical announcement means it may create that attachment, the transit gateway. That is
what it should be meaning routable adoption for creating a routing segment.

03:56

It goes here in attachments.

04:01

I have no idea what is limit like.

04:03

Go back to the customer that are.

04:06

If you search with that keyword, do you get something like?

04:10

It is just showing like round table announcement limit exceeded.

04:15

Yeah, that is transit table round table announcement limit exceeded.

04:25

Google it.

04:25

What does that show?

04:30

Oh, check the event name.

04:35

Can you copy that?

04:37

Yeah, search for the error message also, and I want you to search for the event also, because if that
is a CMI write on an API call, we will get what are the details on the API call.

05:05

I want to search it in Google like what do we get for that API account.

05:39

No, no, no. Create the event name as an API code.

05:49

Oh, sorry.

05:55

I may have to join the call.
05:57

Yeah, I'll search with you.

06:06

So that means you do want to hear about the API?


Because you are looking for the outbound traffic from the AMSBTC's [Link] AMSBTC's don't
have this [Link] are the 10 or the 10 [Link] that's why we do [Link], thanks for
joining [Link], multiple accounts and non [Link] the data we have in the image [Link],
there is no firewall [Link] our requirement is forward the Internet traffic from all the
accounts and towards our island [Link] we have the TW hearing [Link], it's already
[Link] the question is basically like we have the non prod and prod [Link], so what is
the challenge here?We want to drive for power the traffic non prod account towards the non prod
firewall and prod account towards the prod [Link] we have said that we as we have the
one so we cannot create the [Link] we just want to check whether this is possible or not to
forward with the [Link], so yeah, yeah, got it, got a [Link] basically, yeah, it is
[Link] like as yesterday me and actually just like we were discussing on [Link] basically
when traffic will arrive on [Link] let's say source account transient data, right?Then it will go
over the peering [Link] peering connection will land on something on this transient
[Link] basically what will happen when the traffic will land on this transit data, which is
your new transit data, correct?So that transit gateway will have a clearing attachment also right
the clearing attachment and it will also associate with the transit in the route table right now we
have we we have that things in place [Link] the others other things are we have a prod and
non prod [Link] this both consume like have one firewall for non production traffic and one
firewall for production traffic [Link] these two [Link]'ll be also having different
attachments, [Link] based on, yeah, based on the attachments, we can segregate the traffic,
but that will require some manual [Link] like what we can do on the peering route table of
this new transit, right, we can, we can segregate the nonproduction VPC ciders and production
VPC ciders, [Link]'s say our nonproduction VPC sign is 101010 zero slash 24, correct?So
we can manually add a standing route for 1010 zero slash 24 towards the nonproduction fiber
VPC attachment and same for [Link] yeah, hello we we don't require basically for the
[Link] I guess we require we we want to power the Internet classic towards the firewall and
so for other one we we have some some some routing for the prod and non [Link] our actually
problem is to power the classic for the Internet towards the [Link] but in that if you want
to power traffic for Internet for both non prod and prod would be same firewall [Link] you want
to have [Link] in that case that will require if if we are talking about to segregate the traffic
for non fraud and fraud, that thing will be required because we have to manually point it out
towards the respective [Link], sorry, what is it that I So basically let's assume on the.I'll
just share my screen here and just simply point out one what what Yash is saying that in this
route [Link] this is a failing attachment route [Link] you need to add entry for that let's say
broadsider and then [Link] that you get the attachment ID will be the prod NPC
attachment ID is what he's saying because OK yeah but we require the Internet [Link] don't
require this one prod and non prod NPC Internet [Link] Internet we have to find the we have
to perform the routing for the default load right 0.0.0/0 Yeah when this is [Link] the meeting
for 30 minutes only and it's over, but we can continue this call to resolve as much as we
[Link], we don't have an [Link] VPCs fraud, non [Link]..008 for an [Link], so
[Link] there any kind of whiteboard we can use in this Bing score?Because I am unable to
share my [Link] like there is one alternate solution using the same method, but in this case we
have to add 1 transient into a more here and one pairing attachment [Link] one more content
we need to [Link], if somebody can share the whiteboard, so it will be [Link] we were
already sharing that architecture, so maybe we can we can explain on [Link] this is the OK, yeah,
OK, so got [Link] see what the current setup is not allowing us to segregate the Internet traffic for
onboard because we only have one route table right for the peering attachment for new [Link]
we can if we add two default routes towards two VPC [Link] it will kind of do like
[Link] that is not required here because it wants helping segregate the traffic [Link] what we
can do, we can deploy the new or a new transit gateway in this account, in the Sydney account
where you have your firewall PC right?So here we will deploy one new transit gateway and with
this new transit gateway we will create another peering attachment with your old transit
[Link] there will be two peering [Link], so one current, one current is [Link]
will create another peering attachment with the new transit [Link], now with the new
transit gateway, let's assume we attach [Link] prod or non prod VPC which has the
production firewall and non production [Link] now what do we have?We have two different
transit gateways on prod and non prod [Link] now on the older transit gateway which now
now on the online transit gateway we also have two gearing attachment correct for transit
gateway for the production firewall and transit for the non production [Link] basically using
this what you can make change in the production and non production VPC route [Link] the
production VPC route tables we will point your default Internet traffic to the peering attachment
of this production VPC firewall and in non production VPCS we will point your default Internet
traffic towards the peering attachment of this non production VPC [Link] [Link] have
the advantage of here like we have we we now want two PLA connections [Link] we will be
having two peering routables [Link] both the transit gateways are separate for the prod
firewall VPC and non prod wire firewall [Link] we have the flexibility to segregate the
traffic [Link] once traffic arrive for production VPC on the first peering attachment it will look
up for [Link] attachment router is production firewall VPC attachment and in the second
case it will look up for the non production VPC firewall attachment peering attachment [Link]
in this way we can segregate the traffic and that will be the easiest way we can do because it will
require minimum [Link], you heard it [Link] possible, let me share a diagram on a
whiteboard, how it would look [Link] a [Link], I'll just pasted one [Link] anybody
can share the screen of the screenshot.I'll share, [Link], so that's [Link] basically this would
what we set up would look like the change which I talked [Link] basically in this we are
separating the peering attachment for production firewall and non production [Link],
currently we have only one peering attachment [Link] to that, we are not able to, we will not be
able to security with the Internet traffic for fraud and non-prod [Link] what we can do here?So
as of this setup, we will set up one more transit gateway which will be attached to our non-
production fiber [Link] basically we will separate both the production and net production fiber
with their own transit [Link], [Link]'s assume we just perform this this change right?We
just have to do both the production and nonproduction parallel VPC with their own transit
gateway and both of this transit gateway has their dedicated peering attachment with your whole
transit gateway which you have your production VPC and not [Link] now as per this
change on the production VPC transit table what we can do we can point this default route
[Link] attachment for this production [Link] and same on the non pro VPC we can
point the default Internet route towards this non production firewall VPC [Link] what
will happen?Your traffic segregation will happen here on the at the first day your traffic will be
segregated OK at here this [Link] right on the because we [Link] it on the VPC level
[Link] can just point that OK for production APC it should select this peering attachment and
for nonproduction APC it should select this [Link] if each production and nonproduction
transit people out table you will add the route accordingly and once the traffic arrives over here
then here on the peering attachment route table there will be a default route talking towards
production APC and on [Link] gateway, there will be a default route for [Link] mostly your
traffic segregation will be done in the first part [Link], this is the one proposed [Link]
is closer to what you want to [Link] yeah, technically we can't have two attachments, but
I think we will have two attachments just by having another TGW and then you can
[Link], we can segregate using another [Link] one question like I'm supposing this
is for example, this is AWS managed account that is Sydney, our [Link] [Link],
OKSo like like in this example, you created one more transit [Link] I'm just just asking
whether what if we create one more transit here instead of here?Yeah, that is also possible,
right?Yeah, [Link] is also [Link] is also [Link] I was like trying to something like
it is less configuration here is required [Link]'s see, you have a lot of configuration on this
AWS management account, right?And in this account there is not much configuration done
[Link] I was thought that like I thought like this would be a better option to go with the minimal
changes [Link] that is also [Link] can also you can you can also introduce
similar with one transit gateway here and two [Link] that is also [Link], so I will
not create [Link], no, it didn't just simply like it didn't mostly segregate both the [Link] it will
also go into simplicity in future if you want to manage both traffic subsequently of different
[Link], and we will be having a lot more visibility over the production and non production
[Link] what our bandwidth is consuming [Link], that is how typically we [Link] this
is the best solution that if you're looking for a monitoring purpose of utilization and [Link] it will
give you a clear [Link] one last question then, yeah, before we wrap up.I mean, is it
possible for you to know just perform in this solution in the test environment?Is it possible for
you to perform the test environment and let us know it's against there's a no issue because it's one
OK, it will not be like it is the yeah [Link] is a simple like we have performed this kind of
changes in the in customers and all that [Link] this is like not a very big change that we are
[Link] are just attaching 1 peering attachment and routing the traffic to another attachment
that's [Link] in this we will be just only touching one let's say once zone let's say prod VPC
other item not [Link] I would say [Link] the current, the current attachment, keep it for the
[Link] create one new translator for the [Link], one non-prod [Link], so
that's [Link] only minimal change is [Link], that's [Link] if you are OK, I will also join the
[Link] issues during the change if you're performing [Link], OK, no [Link] if you had
already done it, then yeah, we will, we will first discuss internally and we'll raise a change
[Link], OKAnd see how far we can go because when you take approval as well before the
change for the testing purpose like for the kind of thing we can also do like just for the test we
can ignore a test in VPC and see how it rout the traffic before going for the complete [Link]
that will also give you the clarity, [Link] the like where we can create a new [Link] can just
create it into an older account the AWS manager account just attach attach it to the either the
production VPC appearing attachment or non prod VPC [Link] see the how the traffic
[Link] it is going it is coming back like bidirectional traffic is flowing currently then we can do
it for the whole production and non production VPC and mostly it will [Link] [Link] let us
discuss with Shaadi because Shaadi is not available [Link] we will discuss with Shaadi on this
and let's see what can we do [Link] also if you are going to create in your TGWI would
suggest you would create in your new landing zone rather than EMS just because you can you
get to keep it in the future if if if there are any changes made from EMS [Link] I will share what
we discussed in today's [Link] you can take it up with Shaadi and so can you like [Link]
have to do the risk assessment process and once that is done, then you can make the necessary
outcome [Link], could you also let your client send us like what you're assuring?Sure,
I'll show and then we can take it [Link] there's one question and actually [Link] as Uyesh
has suggested to create a one Trace 53 here and transit gateway [Link] for that as well, do you
require me, do you require to take the list assessment approval or it is required later on you are
making routable [Link] are we moving, are we going to still make those changes like where
we are changing the default route 0.0.0 slash 0?If we are doing that, then yes, risk assessment is
required for test as [Link], because you're you're changing the default route, [Link] OK,
yeah, so this later discuss with Shadi and we can [Link] are necessary approvals, including a
risk [Link], [Link] I'll share what we had discussed maybe by end of the day
and then you can take it [Link] can now catch up back next week, Monday or anytime
you're [Link] you have, you know, go ahead for [Link], [Link] [Link] a nice
[Link].

OK, so I'm just going through the clips just a [Link], so basically this connection is a hosted
connection from the problem partner which is your so we don'[Link] have an activity with
[Link], these are two different connections, right?One is with the ACMP and one is with
the [Link] for us, we are simply connected to AWS [Link] are not managing those
[Link], I can see both the connections are basically a part of which in the parent
[Link] the IT is a part of the Equinix [Link] basically the manage the parent
connection is managed by the [Link] at that time the parent connection went down and due
to which your connection was a part of that [Link] that is why the connection went down for you
also because the whole leg was down.I went down for around 37 [Link] yeah, I
[Link] why did it went down?So basically this needs to be checked from the equinix
side because they are a separate partner for eight [Link] we do not directly, you know,
communicate with them on this because this is a [Link] this is a part of [Link], please do
you guys not have any?Yeah, visibly it is appearing, but we do not have the visibility on how
they are managing the the legs on their [Link] it's look, therefore they must [Link], if they
are but that is a separate but we cannot directly ask minutes while going down because as it's a
posted [Link] like customer will reach out to the they feel like the posted connection
which is a part of the leg went down because this was not to do the any kind of maintenance
from the that's what I'm saying we don't we don't do anything [Link], I understand AWS is a
point of contact, but it is not a dedicated connection, right?Now look at me, how how will I reach
out to if I don't have any connection?[Link], that whole team like we have in the and and I
believe you know as we talk to like that whole team to check like this motion like like in the
every case when there is a into the [Link] we are not like [Link] must be more
connections to went [Link], because the whole lag went [Link], because let's say there
are 70 connections in that [Link] if the lag goes down, it is not a customer related issue, but it is
also not [Link] is related to the [Link] me check on [Link], that's what I'm telling
[Link] must be having [Link] is not AWS managed parent DX connection,
right?[Link] I think basically like what I said earlier, this is a parent connection right, which is
not managed by AWS, which has been managed by the partner of [Link] I don't think we have
the like visibility or we can communicate with the partner [Link] if there is anyone like which
knows about the winning support or networking because and this was a personal connection
[Link] creating this connection, they must have, you know, get in contact with the [Link] is
there anything like that or otherwise I need some time to check if there is any alternate context or
something that we can provide it to you for [Link] the does not cover like this is not the
lag which is managed by AWS, this is managed by the [Link] like if there is no such process
then we can reach out directly to the partner just to take out like where this lag, why this lag went
[Link] this is not in like you know AWS kind of [Link] come into the picture so but
I'll try to get alternate the or something is [Link] this kind of issues there are some on the DC
side which get performed without any notification or [Link] this was a or
something you probably have got an notification or [Link], we have the dashboard,
[Link] we can see all [Link], no, because of this is the like we don't have that visibility like
what was the maintenance, what was the issue was that if there was a dedicated PX, then we
would have the full visibility like we [Link] was kind of something [Link]'s why they
[Link] it be possible for you to explain how your router is connected to that?Is it not
connected to Equinix?It is connected to the [Link] there must be a circuit ID, right?Or you
are just taking the connection and you are [Link], like there is no but mostly in this case, in this
case of.I mean it's not like this [Link], like it will be the like the like on the on profile
and between and the third [Link] can one customer manage that?So basically this lag is itself
in the managed [Link] like basically Phoenix is like working at an MMR between customer and
[Link] even it's this is basically sitting in between the customer and the AWS [Link]
that is kind of a setup it [Link] let me [Link] allow me sometime.I need to check on this
basically allow me some time.I'll just try [Link] you want to call back later?I'll just provide it on
the [Link] it is fine with all, else you need a call.I can give your call back as [Link], let me
check if there is any possibility.

I'll give you, I'll give you a few minutes.I'll be back in 5 [Link] both these accounts are in
different region or in the same like source or region is different or destination region is different
or both are [Link], no region is all same, region is all [Link] what can be done?We can
just use one single transient gateway and share it with another [Link] in that peering will be
not [Link], that's what I initially [Link] that would be then tough to manage because
you would have to then single language from those [Link] let me think about this, just around
this.I'm taking a break for 5 minutes, so let's get to [Link] [Link] VPCK is [Link] are
looking to the next some of the the attachment which is 7, which is [Link]'s spinning, it's been a
64D0K attachment [Link] I need a different effort or [Link], the first one is
this [Link], this [Link] GPCs have to each [Link] the goal of the goal that
customers have is to route all the traffic from this source transit estimation to all the internet
[Link], we have something called [Link] basically right now all the traffic on all the
OPCs goes out from this DPRES [Link] right now what we need to do is instead of all
95 traffic going from this OPC, we want it to go from transit gateway towards that transit
[Link] why is that so?Because in the destination there are twosort of firewalls and like
one for flawed and one for not [Link] customer wants to get the traffic, get the outbound
traffic filtered through those [Link] broad traffic through the fraud one, not working, to the
not [Link] this is the destination that I'm talking [Link] is the destination customer
[Link]'s a transit gateway which is already [Link] you knowSo, [Link]
there are two [Link] non-prod, there is a strong prod appliance for firewall, and prod is [Link]
what we need to do is to take first of all, have all the control directly from source to this this
[Link] then from here,Do the prod passive to prod and not prod passive to the non-
[Link] is the meaning of the [Link], so basically like there are two like first is your
main networking account and another is your...Another is also networking account but for the
other network [Link], and what is the source we can see here?Source [Link] this is the
source VPC because here we have the traffic [Link] has like multiple VPC attachments uh
which means like traffic going down towards that traffic [Link] this is the VPC
attachment, this [Link] if you check the route tables here, so let's say we have this fraud
routing for the for the fraud [Link], let's consider this one which is [Link] So this is the
like fraud [Link] are the routes for the [Link], broad [Link] I want
to understand is how, like, what changes .So it was both sides from the .So, like, I thought the,
basically there should be an exit point for this broad and not broad, but do we have some kind of
like architecture like how it looks like?or from where to where we need to .So from this it is you
know tough to understand what is the requirement [Link] is like no set, but I can I
can explain [Link] you can ask me question and let me know what I .Maybe you could draw it
or something likegoing for the traffic screen because this account okay from the case which you
opened does this account has the transit key?No the case that I've opened is the case through
which we log case we do so I'll share all the [Link] for all the round [Link] for all the
round [Link] me first check [Link] which region this transit gateway is in source account
US1?two peering attachments with this transit gateway and multiple VPCs are [Link] for all
the VPC, do we need to make this change?Yeah, so basically for the prod and the non-prod
[Link] what are prod in one prod, but I think we can get from the routing, with prod in the
[Link] from my end I cannot like verify like what is the problem.I do not have
[Link], I have the [Link] know, I just want to just take one example and forget about the
[Link] let's let's consider the fraud [Link] this is like the this is the routing and share the
route [Link] if I were to just simply change, if I want these routes to be, so you can see the
default route is currently through the [Link], means default it is going to the [Link],
okay, got [Link] this is the egress [Link], yeah, got [Link] you want [Link] now what?You
want to send it via peering attachment, right?Yeah, so all outbound caffing goes to that other
landing zone, which [Link], I mean this is connected by the PRA [Link] cider will be
the same [Link] cider will be the same [Link] cider will remain the same,
right?[Link], let me just check [Link] this will automatically set the all out one transfer to
the peering [Link], okay, [Link] that one, right?But if once I'm here, so once we get
the traffic here,Then I guess my question is from here, like how customer will [Link] would
be the routing here?Where?In this, in the [Link] destination, let's say this is the non-fraud,
sorry this is the fraud routing, right?[Link] here is the main [Link] we need to
made in [Link] to the roundtable again for [Link] [Link] destination?Yeah,
[Link] get the [Link] click on the associate roundtable, right?See the
routes?Yeah, [Link] are some routes forJust click on the [Link], so here you can see
410 is your again egress VPC, right?The [Link], so here we'll replace this with the
peering [Link] the same peering [Link] are asking about the return traffic,
right?From destination to [Link], what I'm asking is, so I think what I'm asking is, we we
changed the route here, right?We changed the route [Link] from here, for these particular DPCs,
for these particular DPC attachments, the route will go towill come here, like all the traffic would
just like say from fraud line, fraud to [Link] if we come here and from now, from here,
um how does it segregate, like how does it know that it's coming from the fraud, fraud VTCs
which is actually these ones?depends on the...if you're not able to segregate like this is a prod,
this is just like we are giving the name it is a prod traffic and not [Link] to segregate it is like...I
think this is the actual question from [Link] So they want to know like what routing
changes to make to allow only the prod [Link] the traffic coming from these attachments to
these ones which is the [Link] do they have any firewall or something to inspect or it is
just traffic routing between source and destination?No, here is the [Link] is actually
here in this [Link] this is all [Link] is all beingI mean, plan to actually enable the next
[Link] is in this [Link] there are two fibers, prod and one [Link] they want the traffic to
be routed such that the prod traffic, you know, it only goes to the prod fibers and non-prod to
[Link] for that, I think we would need first of all the details of what are the prod VPC and
non-broad VPC becauseFrom the route table, we cannot just, you know, make the [Link],
I can tell [Link] all the VPCs that you see in these attachments, these are fraud [Link] one
on the source transit gateway?Yeah, this is source [Link], this is [Link] [Link] have
created like one table which is specific for the fraud [Link] are the fraud [Link], so
which means traffic will come from the broadway PC attachment to this peering attachment that
will then traffic needs to be forwarded to the firewall from when it arrives to the destination
transit gateway 17:32From that transit gateway traffic needs to be forwarded to the firewall,
correct?Yes, that's [Link], in the transit, in the source transit gateway, I'm seeing like there
are multiple, almost like how many VPGs are [Link] are two attachment and other are
VPC.1, 2, 3, 4, 5, 6, 5, [Link] me it is showing like a lot of more VPCs.I think there are multiple
VPCs.I'm talking about the source transit.I can see [Link], so all these 28 attachments are prod
VPC?No, some of them are prod, some of them are [Link] you ask me which one is prod.I was
taking just an example from the route table because we have already segregated prod and one
port page in this round [Link] this route table has uh routes for this round table has been...these
are the third [Link] round table has thisCan you share me the VPC IDs?Because I'm searching
this route table, but I'm unable to see this route table attached to [Link] It is [Link]
has no [Link] only has [Link] before we make any changes, I think we need to
understand like from destination where traffic needs to be [Link], no, we're not making
[Link] basically what I understand till now, there are two products, two-part of the VTC,
one is prod and non-prod [Link] for the prod VTC, you are currently routing traffic to the
Egress [Link] we have to replace that default route pointing towards Egress VPC towards the
peering attachment of the destination transit [Link] from that, in that destination
transit gateway account, there is a net scope or let's say a firewall which is [Link]
through that transit gateway, that traffic needs to be forwarded to the firewall [Link] firewall
ENI will be two, one for the prod and another one will be for the [Link] accordingly, I
think step by step we have tosee which are the prod cider, which are the non prod cider and
accordingly we have to segregate the route people [Link] I'll just, yeah I know because there are
many so I'm just taking one for [Link] [Link] like this one for [Link] this is like
the, this is one of the prod [Link] me see this VPC write [Link], let me just go with this
VPC route where it is forwarding so we can just make a blueprint out of [Link] how the routing
is currently forwarding and what changes would we [Link], so this one is a prod [Link] has
subnets in VUS 20 [Link], this VPC CIDR [Link] Transit gateway subnets are 902
and [Link], so for this VPC,uh I can, so there are two subnets associated with Transit
Gateway with this VPC, right?I'll just sharethem in the [Link] I share it in the time chat so it
will be easy for you just to toggle this?Yeah, yeahShare it in the time [Link], one is .another
subnet which is a Froshid transit [Link] these two other subnets which are currently associated
with this production VPC with transit [Link] let's see what these two subnets has the
[Link] basically these two subnets has one local route and there is one default route towards
[Link] this is one default route which is pointing towardsa LAND [Link]'s see now what
this LAND gateway points [Link] this LAND gateway has been submitted in [Link]
this NAT gateway is pointing this route towards this [Link] gateway is in the subnet and
this subnet has two [Link], one is 10/8 and another is default route towards the internet
[Link] if the trafficwas for the internet, then it will follow the second [Link] this is internet
routed, then this will follow 10/[Link] let's see the transit gateway routtable for this VPC
for 10/[Link] So for this VPC,In the Transit Gateway Route table, there is no default [Link]
are the specific VPCs [Link] are the specific VPCs [Link], this is...These routes are available
under Transit Gateway Route [Link] you can see, for [Link], 2 volt VPC, 2 volt [Link], so
why it does not have 00 because this VPE has a direct internet access via internet [Link]
the associated route table with this VPC is this [Link] me share the associated route table so you
can get an [Link] is the associated route table IP with this [Link] So basically for this
production, VPC has its own internet gateway and it is routing the internet traffic through its
internet gateway [Link] is not forwarding traffic to any other VPC for [Link] is just
forwarding to the [Link], this one is the internet out of it, right?[Link] basically this,
what I understood now, all the production VPC has their own internet [Link] you give me
another production VPC so we can compare with this?[Link] if if that is the same, then the
case would be like all the production VPCs has their own internet [Link]'s takeThis is also a
production EPC, right?Let's open [Link] for this VPC, there are two subnets associated and these
two subnets are the default route towards transit gateway [Link] VPC do not has its own
internet [Link] these are the subnets associated with transit gateway and this is the route in
the subnet route [Link]'s see where this transit gateway [Link] it should send this traffic
to the Egress [Link] this VPC do not has its own Transit [Link] Sorry, Internet
[Link], so for this VPC's Transit Gateway Route table, there is a default [Link]
towards this VPC, which is our Egress VPC [Link] this VPC has the internet gateway,
correct?Okay, [Link] from here we have two scenarios and I believe there are really these two
[Link] there are two types of [Link] is AMS, for AMS they get through
Egress VPC and for others they just manage it through [Link] if you take just each of these
scenarios and how would this traffic, I mean, what changes?yeah so basically now the
destination account is this one 22909 and this destination account has this Transit Gateway ID
[Link] is your destination Transit Gateway in which your net scope will be
[Link] let's [Link] for 8x5 in thisThe so for the VPC internet, [Link] [Link]
what changes for this VPC, in the subnet router, we will find the source value, which will be
[Link] the round table we will make a [Link] will be the link, as I just said in the
last...This route we have which will be default to peering [Link] you zoom towards
theThis [Link], [Link], let's...Do you have...

OK, let me [Link], DX connection [Link], connection state [Link], so it was down for
around 36 minutes, I think, [Link], now I think I...Yeah, currently it is showing [Link] let me
check why it was [Link] [Link] is for [Link], so during the 36 minutes
there was no receive [Link] are not receiving any RX signal from the on Prem router or the
[Link] receiving signal has gone to 0 during this 36 [Link], the RX went to 0
[Link]'s why the connection went down for around 36 [Link], [Link] optical
signals which we used to have across both the peers, right, the transmission optical signal and the
receiving optical [Link] basically, yeah, [Link], right, right, rightSo basically like
[Link] to have the RX signal from the on Prem on premise side, [Link] during this period the
RX signal went to [Link] basically there was no RX we were receiving from the on Prem
[Link], no, noThe RX is basically like the connection terminated your any on Prem router or
on Prem other devices.I'll do one thing.I'll share this metrics with you on the [Link] you can just
check with the on-prem team or if they have any interface details, if the interface optical signals
were put at this [Link] basically the time frame when this connection went down, let me also
check the time frame that is [Link], 346 [Link] from 346 UTC to 424 UTC, the RX
signal was [Link] what about the observation?Yeah, I'll put it on the [Link]
[Link], I'll do [Link], you just put your findings in the ticket on the [Link], sure.I'll
just drop you an e-mail with the with my findings and the [Link] I'll also check with
my [Link], [Link] this because I'm also we have router.I think it's managed by our data
[Link], OK, OKI I need to check on that [Link], got [Link], no issues.I'll just provide you the
summary so you can have a talk with [Link] if anything further near you can just update it on
the [Link] I'll just help you out with [Link] [Link] [Link] you very [Link]'s
say I search for the [Link] on the Google [Link], so it will generate a query in
the back end to provide a resolution for this [Link], so there will be a local [Link],
there there is a local resolver on each of the browser which will first which will first check for
[Link], local cache on the browser [Link] the local cache is available on the browser itself, it
will just provide you the resolution for the [Link], so this is basically all as a recursive query
where you are having your cache your resolution stored in a [Link] let's assume let's say we have
searched for the [Link] on the [Link] the back end it will run a query to provide
the resolution for this [Link], so basically there is a local DNS resolver on each of the
system on each of the [Link], so this DNS resolver will first check the local caching of the
browser if it has [Link] if it if it has the resolution for this query or [Link] cache means your
browser cache, your ISP cache.

OK, all this OK and if the cache is available and it provides the resolution then it is called as the
recursive [Link] it it is called as a recursive [Link], now let's assume the cache does not
have any resolution to the asked [Link] what it will do?Now the DNS resolver will send
this query to the root name [Link] DNS resolver will take this query to the root name server,
which means on the [Link] a specific question like Tell me what is the top-level domain
for this resolution, for thisDomain like we have search for the [Link], so DNS
resolver will take this query to the root name server and there are 13 root servers OK in [Link]
root zone architecture wise there are 13 root server in the root [Link] now root server will will
check for the referral top level domain server OK which which has the resolution for [Link]
domain OK [Link] [Link] root name root name server will give the referral of top
level domain server to the DNS resolver [Link] DNS resolver will go to that top-level domain
server again ok now root now the DNS resolver will ask the top-level domain server what is the
resolution for this domain ok means what is the resolution alternate what is the IP of this website
where is it hosted ok now authority now top-level domain server willGive the referral to the
authoritative name server which has the alternate IP or the resolution for this
[Link] authoritative top level domain server give referral to the DNS
[Link] DNS resolver again goes to the referred authoritative name [Link] now
authoritative name server is the entity which [Link] the [Link] contains all the
[Link] like phone book which contains all the phone [Link] authoritative name
server will check for the asked query which is [Link] will find for the associated IP
address and it will provide this IP address or the server IP address to the DNS [Link] DNS
resolver got [Link] DNS resolver will establish a TCP 3-way handshake with this server where
this [Link] is [Link] it is established the webpage will load for the
[Link] [Link] this was the iterative way where it went to the internet and then
cameMake them with [Link] give me one [Link] was the normal DNS workflow
which is used to resolve the query which we have [Link] this is the normal then what about the
difficult one?This is only the difficult one because I have explained you on the ahNo.I have
explained you on the upper part like how it [Link] let's assume ah we are again trying to
do a resolution for [Link] [Link] have typed in [Link] on the google
[Link] what will happen the client OS, client OS in which which laptop we have typed,
the laptop of that OS, the DNS resolver usually which is your [Link] the public Google DNS like
8.8.8 which our ISP [Link] ok If resolver checks its cache which means if the cache is there on
the ISP server or let's say on the [Link] the cache is there, it will immediately return user
[Link] it is not,If it is not cached then it will start the [Link] will start the
process?DNS [Link] resolver will start the [Link] process to get the ah
resolution for the [Link] what will happen now, this resolver will take this query to the
root DNS [Link] the root DNS server it will get a referral to the top level domain server
which serveswith .com [Link] there are multiple domains as you know .com, .in, .uk, .[Link]
there are two types of [Link] One are country domain and others are generic [Link]
country domains include like .in, .uk, .eu and generic domains include .com, .[Link] this kind of
[Link] basically root DNS server will check which type of domain it [Link] .com is a generic
[Link] now root DNS server will give a referral to the top level domain server which has the
information about generic [Link] it will give referral to the top level domain which has the
information about .com domain to the 3DNS [Link], in DNS, we will get that to
[Link], same with the top level domain server will give the referral to an
authoritative name [Link] name server is a server which keeps all the records like
A records.A records just for IPv4.A record is for [Link], so Authoritative Name Server keeps
A record and IPv6 record of this DNS, of this [Link] is A?Of this domains.A record is a
DNS record which is associated with the domain for its IPv4 [Link], so there in DNShow
a resolution gets is IP address, how a query [Link] basically with the domain, there are records
attached.IPv4 records, IPv6 [Link] there are 8-10 records uh in the in the [Link] 8-10
hours?I didn't remember all the calls right [Link] should check on Google and tell me,
right?This is not your [Link] should provide me the correct answers.I'm [Link] me
first cover [Link] the authoritative name server will be having A records and or IPv6 record for
this [Link] it?Hmm Now, subscription to the DNS resolver and DNS resolver will
get to that server and establish a three-way handshake and after that our webpage will show up
on the browser for [Link] you got it?The simple [Link] it will do
iterative query?Why it will do iterative query if it doesn't have any cache or information about
the AskDipQuery a [Link] it has a cache Then it won't do iterative [Link] it do not
have cache, it will go to the root [Link]. So, this was a
normal flow of the uh [Link], now there are two types of query which we see in [Link] is
first query?Sonari, you are listening right?Recursive query and another one is?Root
[Link] Root [Link] dodiye?Iterative [Link], basically Recursive Query is used
to pull out the cache [Link] iterative query, if there is no cache, no information about
the ask resolution, then it will go to the generated query and...DNS regarding my job questions
pooja .Workflow workflow what is root name server, top level domain server, authoritative name
[Link] Name Server main gum ko [Link] are 13 Root Name Servers under Root
Zone which has the information about the Top Level Domain [Link] Level Domain Server
has the information about Generic Domains and Country [Link] specific to Top Level
Domains also has the information about Authoritative Name Server for each of the [Link]
Authoritative Name Server has the information about the associated IPv4 and IPv6 addresses or
other DNS record types for the asked [Link] [Link], it's a [Link]
is [Link] [Link] let me search DNS [Link] So common DNS records
[Link] maps a hostname to an IPv4 [Link] record which hosts to an IPv6
address of the [Link] name [Link] A record is basically to map ipv4 address to
the [Link] A record is to map ipv6 address to the hostSo, we have cname record, canonical
name [Link] is alias? Alias... exact name copy... like uh... cname record
alias... [Link] So, I am Lagirabot Canonical Name Records provide an alias of one
name to another Likudoi Tum bolo Maliklonge yaar ni rai ka maini tum bolo Maliklonge so so
canonical sorry CName record canonical name records creates an aliasof one name to
[Link] example [Link] to [Link] exchange [Link]
[Link] record specifically Mail servers... Mail servers... We took the first domain we
took the we take example of [Link] domain so for [Link] we have the mail server
as [Link] like thisSo every e-mail for the domain [Link] will [Link] this mail
server which is [Link] it is just we are mentioning in our MX record that this is
the mail server for our [Link] it?Good idea, right?Samal Nani [Link] another is Name
Server [Link] Name Server record is basically a list of authoritative DNS server for the
[Link] [Link] saw like authoritative name server contains A records for A records for
the domain [Link] Name Server records has the list of authoritative DNS server which
DNS servers for the [Link]'s say for [Link], top level domain server provides us list
of 5 authoritative game [Link], [Link] you can go to any of this
file to have your answer, to have your query [Link] [Link] what I [Link]
another one is PTR [Link] record is a pointer [Link] basically pointer record is the
reverse DNS [Link] What currently we are doing when we are typing [Link]
on browser, we are doing forward DNS [Link] simply if we type directly the IP address then
what it will give us the [Link] happens in the forward query?We provide the domain and
in return we get the [Link] in the reverse record, what will happen?We provide the IP and we
will get the [Link]?So this is just a simple reverse record we can [Link]
[Link]?Got it?If these are enough records, nobody asks more than [Link] have these 4
records clear in mind A Record, Wadia Record, CNAME Record, MX Record, BTR Record and
Name Server [Link] are the records stored on a DNS Server, particularly DNS [Link]
Records [Link] are lot of many records, but these are not [Link] We are not going in
a very deep DNS architecture, because we are not going to work on DNS [Link] here,
what are the most important records are there, so these are the most [Link] are required
in every resolution.A Record, QUADA Record, Name Server Record, Canonical Name Record,
MX Record, PTR Record and one [Link] [Link], there is Service Record and I will
tell you.I will tell [Link], there is one Service Record and uh X Record and State of Authority
[Link] more records are [Link], basically what is Service Record?Those service records
specify host and port for the specific [Link]'s say [Link] runs on which port?1433,
correct?So let's say if any website is hosting its SQL service, assume Amazon is hosting its SQL
service to the [Link] Amazon will use which port?1433 for its SQL, correct?So,
Amazon needs to provide one, also needs to have one service record which will uh indicate that
which service or which port does this, sorry, which specifies the host and port which SQL
service will will [Link] means your domain name and port means your port [Link],
let's say Amazon hosts the SQL server, [Link] 1433 ok so this domain will
have this service record because it is serving on 1433 ok got it... What is DNS
Zone Transfer? DNS Security? DNS Security DNS Security DNS Zone Transfer We call DNS
Security DNS Zone Transfer Oh What is the difference between Authoritative Name Server and
Non-Authoritative Name Server? So, Authoritative Name Server means the original
owner... [Link], every job, when we do nslookup on laptop,
right?For any [Link] you performed any kind of nslookup?I [Link], when you perform
nslookup for any particular domain on your laptop, you will get two [Link] authoritative
answer or non-authoritative [Link], it will have non-auth, so basicallyWhat is the difference
between authoritative answer and non-authoritative answer?So the authoritative answer directly
comes from the authoritative DNS servers for that [Link] the server who is responsible
for hosting the zone [Link] me explain you with an [Link] we are doing a DNS
resolution for [Link] basically for this domain there would be an owner who will
be owning this [Link]'s say you own this domain and you have your own DNS server and
let's say assume [Link] is your own DNS server and on that DNS server you have
hosted this domain [Link], originally you are the owner of this [Link]
[Link], whenever we perform a query and we get the authoritative answer, we get the answer
authoritative which means this this answer, this resolution is is coming from the original owner
or the uh DNS server who owns this [Link] usually what happens to save the timeok our
ISP our ISP store this resolution in the cache in in global DNS like Google DNS 8.8.8 Cloudflare
DNS 1.1.1 okay so basically what happens now when you type in [Link] you will
immediately get the answer because it is cached in your ISP's uh cache correct so now you are
gettingNon-authoritative answer because you are not getting it from the original [Link] are
getting it from your ISP.I am not getting this resolution from Manisha.I am getting this
resolution from [Link] there is [Link] when I am getting this resolution from my ISP
cache, it will be called as Non-authoritative [Link] when the cache is not available, it will
do a iterative query which means now myresolution query will go to you, to the original owner
and then come back to [Link] that will be the authoritative [Link] it?Non-authoritative
means I am getting it from the cache which is not the original owner and authoritative means I
am getting the answer from the original owner who owns the domain and the DNS server.

Speaker 1
Okay, so team, I have done the basic checks and all. I haven't found any issue. I've got the BGP logs also, but I cannot see any issue in the logs that represent something because mostly it... There is one question, are you able to receive the route that AWS is currently advertising on this VPN? Yes. Okay. Then I think there might be some misconfiguration on Checkpoint because I can see the BGP session is the BGP messages are getting exchanged and all.
Speaker 2
Yes, but how it's a misconfiguration in Checkpoint if the BGP is working?
Speaker 1
No, there is two aspects.
Speaker 2
If it was a misconfiguration in Checkpoint, maybe the tunnel won't even go to established state.
Speaker 1
Basically, see, here we do not have that much visibility on Checkpoint, like how it is advertising the route, because AWS will totally depend on the peer device to receive the routes for on-prem. If there would be any issue on AWS, then you could not have received the AWS routes also on Checkpoint. I can see the BGP route table, but here there are only the internal BGP routes which are getting learned.
Speaker 2
Can you see if there is any difference between the two peers? For example...
Speaker 1
Both the VPNs are terminated on same Checkpoint device or it's... No, it's different gateways. Both gateways are different. Okay. Let me check. Okay. Remote route ID. Remote route ID is 253. BGP neighbor is 10.
Speaker 2
98. If you can see any difference in the configuration in the AWS side, between those sites, I don't know.
Speaker 1
Let me check. What is this router ID? I can see if the gateway... I can give you the BGP ASN number if you want. Yeah, you can give it for both the VPNs. I just want to confirm. This router ID, I can see it is configured same for both the VPN.
Speaker 2
The configuration should be the same. They're exactly the same. It's just two separate sites.
Speaker 1
I still didn't get how come the router ID should be same, if both the sites are different and the customer gateways are also different.
Speaker 2
Yeah, the hardware is different. The cluster, the Checkpoint gateways are different. The ASN numbers are different. This is the only difference. And the IP addresses, of course. I wrote in the chat the ASN numbers of Jerusalem and Eritrea.
Speaker 1
Okay.
Speaker 2
Maybe you can do a traffic capture and I'll try to advertise a new route to AWS. I don't know if you can see.
Speaker 1
I cannot see the live capture, but I would be able to see if you are advertising, if we are after some time, after the BGP update, if the routes are visible or not. That thing we can. I just have a doubt regarding this route, because two remote devices can't have the same route connecting. I don't know if that is good. Is it three, four minutes, autonomous system. I'm trying to advertise any single route from this Jerusalem VPN.
Speaker 2
You want me to advertise new route?
Speaker 1
Yeah, if you can, or if you are advertising, just remove this route 3.0 and 5.0 and re-advertise them again.
Speaker 2
Okay. One second.
Speaker 1
But when I'm looking at remote router ID, it's the same.
Speaker 2
...
Speaker 1
But I'm saying that if your both VPNs are at different Checkpoints, then your router ID is same. It's different... No, it's different. It's different. It's different? It's different. It's 2 or it's 3.
Speaker 1
Okay. I deleted the routes and advertised them again. Okay. Let's see. Okay. No, not too. It's okay. No, not too. It's okay. No, not too. It's okay. No, not too. It's okay. No, not too. It's not going to be fine. Okay. You don't accept it. Perfect. Can we do for the fire this context?
Speaker 1
Okay. I'm going to take a deep... Okay, I'm still unable to receive the route. Then, BGP event.
Speaker 2
Maybe there's a route map setting that's on your router.
Speaker 1
The route map settings are basically dynamically adjusted. There are no manual configurations in that. When you automatically advertise the route, the readers will send the route map as for the advertisement. Let me check. Okay, just a second. I'm seeing some logs.
Speaker 2
I can also restart the BGP if you want.
Speaker 1
Okay, just a second. I can see some logs. Okay. You are advertising 1.3 and 1.5, right? Okay.
Speaker 2
What?
Sure, you can reach out any time on the case if there is any further assistance. If you have any
new info, we will update the case. Sure, sure.
Thank you very much again for your help. Thank you very much. Thank you, thank you very
much guys.
Okay, bye bye. Have a good day. Bye, you too
So, I need some help to renew the SAML in Identity Provider for AWS Ethereum Client. Let me
share my screen and explain a little bit. Can you see my screen now? Yes, it is.
Okay, cool. So, we have several SAML accounts, and we have a VPN, only one VPN. It's using the SAML provider, CMT VPN Client Azure.
So, we are using this CMT VPN Client Azure. So, today, what I tried is to add the new XML file for the search. I've done that.
The issue is in Azure site, it's active and disable the date. So, even though we didn't enable the
search, it still can work. However, when they disable the old one and activate the new one, I will
get some error message.
Sorry, I didn't take an error message. It will fail. Let me check.
I didn't have the screenshot taken. So, once I connected using the new search, it failed. So, I'm
not sure why it's an issue.
And I tried different things, it didn't work out. So, I need your help on this. Okay, so, let me
check.
Just a second. So, your VPN is in AP service. Okay, Asia-specific.
Yes, Asia-specific too. Okay. Authentication options.
So, is there any specific error message that you captured? I think I have it captured somewhere.
Let me find it. So, you are unable to connect the VPN after replacing the new IDP, right?
Replacing with the new IDP.
Yes, right. Okay. Yeah.
I couldn't, I think it will say the credential failed something. Let me check my history. I couldn't
find the error message again.
It's just saying some credential failed. Yeah. So, it is kind of throwing an authentication error?
Yeah.
Okay. Great, great. Okay, I see.
Wow. So, after updating the SAML, we don't need to restart anything with the VPN, right? Oh,
no, that is not required. Let me check again.
Allow me a few minutes. I'll just check and let you know what can be the issue or where we can
troubleshoot further. So, you haven't re-imported the older XML data, right? You just replaced
the older XML data with new, correct? Yes.
Okay. I just replaced it with another data. Okay, I got it.
And any endpoint related configuration, have you made changes like rotating the endpoint or something? I noticed the issuer URL and SSO service locations are the same. The sign-in URL and the metadata URL changed a little bit. Okay, the sign-in URL and the metadata URL.
I can show you my screen now. Okay, there is one thing we need to do here. It goes to change a little bit.
The middle part changed, but the issuer and SSO service location are the same. Okay, okay.
Okay, just a second.
So, this one is the client VPN, right? Let me check just to confirm. This one is the C VPN. Which
one? Oh, sorry.
Yeah, that's the one. Okay, that's the one. I think we have to re-associate the VPC in which your
endpoint is deployed.
How could we do that? Yeah, just let me check. Before that, I think we have to make notes of the target network routes and authentication which we have currently. Let me check the process.
Let me download all the details for you, the routes and all. Download as CSV. [Link] and target.
These are the subnets. These are authentication rules. Okay, we are good to go.
I have downloaded all your details regarding the routes and all. Let me just verify. [Link].
Okay, we can go ahead.
Can you share your screen? Yeah, sure. So, we will just simply disassociate the subnet and again re-associate them. Okay.
Yeah. These are the subnets. Can you see the screen? Yeah.
Okay, so you can select the first subnet. Okay, re-associate this. Click on this.
Yeah. I can click on it. Yeah.
Yeah, re-associate. Yeah, you can select that also. It will take around 10 to 15 minutes.
Yeah. So, it was working earlier, right? Before replacing the metadata. Yeah, it's really working.
Actually, when we activate the old certificate back, it's still working. Okay. Yeah, so now it's
working.
I need to ask my colleague to enable the new certificate and test again. Okay, got it. Yeah.
So, currently on AWS Client VPN endpoint, you have the old metadata or the new one? New one.
Okay, got it. Yeah, so I just want to validate another thing.
Even though here I have replaced the metadata, it's still working. Does that mean that at the
backend in AWS, it's storing all my metadata and the check? Possibly, it will be storing the
metadata. Yeah, that's why it is working with when your colleague is using the old profile, then
they're able to connect.
Yeah, got it. I'll mute myself. I'm sure.
Yeah, I'm sure. No worries. Yeah.
Yeah. Can I mute myself? Okay. Now we can re-associate the target network.
Yeah, it has been done. So, after this step has been done, we should have another test on it,
right? Yeah, right. By downloading the open VPN config file, you can test it.
Okay. Otherwise, we'll have to look from the client logs, basically. So, from the logs, we can find
out what is happening.
So, is there any change from the IDP side when you receive this new XML data? Earlier, have
you found any change as compared to the older XML data? No, everything was deployed via
this confirmation. And I can see things are matching up. Okay.
Yeah, nothing from my end. Okay. Let's see.
I guess we lost some route table. Yeah, I have taken the screenshots and downloaded the CSV
file for you, for the routes and authorisation tools and all. Yeah.
Thank you. Even this would work. I'm afraid of that.
I couldn't do the similar thing in production. Yeah, right. Yeah, as you can see here, there is a
target networking association connected to this confirmation.
I'm wondering, next time when we deploy via the CICD, it will give us some issues. Okay. Yeah.
Okay. So, I have checked for the XML data which you asked, like, does AWS store the XML
data?
So, basically, like, once we replace the XML data with the new one, at that time, normally, the
client VPN endpoints need to be, you know, reassociated with the subnets. Otherwise, the client
VPN will work on the older XML data only.
So, I think that could be one of the issues because once you are also trying to connect with the
new profile, AWS is still authenticating the user with older profile or older XML data. So, that
might also be an issue. So, this association is the only way? Yeah.
So, what it will do, it will just flush the old XML data which is associated with the client VPN
endpoints. Yeah, okay. Could you please share that documentation with me? Yeah, let me
check
if there is any document available.
This file is longer than 30 minutes.
Go Unlimited at [Link] to transcribe files up to 10 hours long.
So, I need some help to renew the SAML in Identity Provider for AWS Ethereum Client. Let me
share my screen and explain a little bit. Can you see my screen now? Yes, it is.
Okay, cool. So, we have several SAML accounts, and we have a VPN, only one VPN. It's using the SAML provider, CMT VPN Client Azure.
So, we are using this CMT VPN Client Azure. So, today, what I tried is to add the new XML file for the cert. I've done that.
The issue is on the Azure side, it's active and disable the date. So, even though we didn't enable the cert, it still can work. However, when they disable the old one and activate the new one, I will
get some error message.
Sorry, I didn't take an error message. It will fail. Let me check.
I didn't have the screenshot taken. So, once I connected using the new cert, it failed. So, I'm not sure why it's an issue.
And I tried different things, it didn't work out. So, I need your help on this. Okay, so, let me
check.
Just a second. So, your VPN is in AP service. Okay, Asia Pacific.
Yes, Asia Pacific. Okay. Authentication options.
So, is there any specific error message that you captured? I think I have it captured somewhere.
Let me find it. So, you are unable to connect the VPN after replacing the new IDP, right?
Replacing with the new IDP.
Yes, right. Okay. Yeah.
I couldn't, I think it will say the credential failed something. Let me check my history. I couldn't
find the error message again.
It's just saying some credential failed. Yeah. So, it is kind of throwing an authentication error?
Yeah.
Okay. Great, great. Okay, I see.
Wow. So, after updating the SAML, we don't need to restart anything with the VPN, right? Oh,
no, that is not required. Let me check again.
Allow me a few minutes. I'll just check and let you know what can be the issue or where we can
troubleshoot further. So, you haven't re-imported the older XML data, right? You just replaced
the older XML data with new, correct? Yes.
Okay. I just replaced it with another data. Okay, I got it.
And any endpoint related configuration, have you made changes like rotating the endpoint or
something? I noticed the issuer URL and SSO service locations are the same. The sign-in URL and the metadata URL changed a little bit. Okay, the sign-in URL and the metadata URL.
I can show you my screen now. Okay, there is one thing we need to do here. It goes to change a little bit.
The middle part changed, but the issuer and SSO service location are the same. Okay, okay.
Okay, just a second.
So, this one is the client VPN, right? Let me check just to confirm. This one is the C VPN. Which
one? Oh, sorry.
Yeah, that's the one. Okay, that's the one. I think we have to re-associate the VPC in which your
endpoint is deployed.
How could we do that? Yeah, just let me check. Before that, I think we have to make notes of the target network routes and authentication which we have currently. Let me check the process.
Let me download all the details for you, the routes and all. Download as CSV. [Link] and
target.
These are the subnets. These are authentication rules. Okay, we are good to go.
I have downloaded all your details regarding the routes and all. Let me just verify. [Link].
Okay, we can go ahead.
Can you share your screen? Yeah, sure. So, we will just simply re-associate the subnet and again re-associate them. Okay.
Yeah. These are the subnets. Can you see the screen? Yeah.
Okay, so you can select the first subnet. Okay, re-associate this. Click on this.
Yeah. I can click on it. Yeah.
Yeah, re-associate. Yeah, you can select that also. It will take around 10 to 15 minutes.
Yeah. So, it was working earlier, right? Before replacing the metadata. Yeah, it's really working.
Actually, when we activate the old certificate back, it's still working. Okay. Yeah, so now it's
working.
I need to ask my colleague to enable the new certificate and test again. Okay, got it. Yeah.
So, currently on AWS client VPN endpoint, you have the old metadata or the new one? New one.
Okay, got it. Yeah, so I just want to validate another thing.
Even though here I have replaced the metadata, it's still working. Does that mean that at the
backend in AWS, it's storing all my metadata and the check? Possibly, it will be storing the
metadata. Yeah, that's why it is working with when your colleague is using the old profile, then
they're able to connect.
Yeah, got it. I'll mute myself. I'm sure.
Yeah, I'm sure. No worries. Yeah.
Yeah. Can I mute myself? Okay. Now we can re-associate the target network.
Yeah, it has been done. So, after this step has been done, we should have another test on it,
right? Yeah, right. By downloading the open VPN config file, you can test it.
Okay. Otherwise, we'll have to look from the client logs, basically. So, from the logs, we can find
out what is happening.
So, is there any change from the IDP side when you receive this new XML data? Earlier, have
you found any change as compared to the older XML data? No, everything was deployed via
this confirmation. And I can see things are matching up. Okay.
Yeah, nothing from my end. Okay. Let's see.
I guess we lost some route table. Yeah, I have taken the screenshots and downloaded the CSV file for you, for the routes and authorization rules and all. Yeah.
Thank you. Even this would work. I'm afraid of that.
I couldn't do the similar thing in production. Yeah, right. Yeah, as you can see here, there is a
target networking association connected to this confirmation.
I'm wondering, next time when we deploy via the CICD, it will give us some issues. Okay. Yeah.
Okay. So, I have checked for the XML data which you asked, like, does AWS store the XML
data?
So, basically, like, once we replace the XML data with the new one, at that time, normally, the
client VPN endpoints need to be, you know, reassociated with the subnets. Otherwise, the client
VPN will work on the older XML data only.
So, I think that could be one of the issues because once you are also trying to connect with the
new profile, AWS is still authenticating the user with older profile or older XML data. So, that
might also be an issue. So, this association is the only way? Yeah.
So, what it will do, it will just flush the old XML data which is associated with the client VPN
endpoints. Yeah, okay. Could you please share that documentation with me? Yeah, let me check if there is any document available.
So, basically the maximum that they are sending is 56.98, but as per the IPsec configuration it should be 46.98 to 46. So, they are saying this is only what we are getting when we are downloading the configuration file. In the configuration file then what are we getting, see this is the IPsec configuration file and they are saying like the time received from the BGP peer in the end.
So, when I get to the connector, next hop is not anything wrong, it is the BGP peers and they will have to do that, I mean they have to use like next hop self because these are not the IPGP peers, these are BGP peers. So, we need to have the BGP peers.
[Link],140 --> [Link],560 [speaker_0]
Lucas Zestarsky.
[Link],800 --> [Link],600 [speaker_1]
Hi, Lucas. Uh, we have-
[Link],620 --> [Link],760 [speaker_0]
Zes-
[Link],770 --> [Link],420 [speaker_1]
... someone to visit with you, Lucas.
[Link],440 --> [Link],650 [speaker_2]
Hello.
[Link],700 --> [Link],660 [speaker_0]
Eskimada. Ah, yeah. Hello, Lucas. How are you doing?
[Link],740 --> [Link],779 [speaker_2]
Yeah, I'm fine. I'm fine. Thank you.
[Link],000 --> [Link],400 [speaker_0]
Good. Okay. So ... Yeah, Abhishek, so is anyone else joining or can we start?
[Link],420 --> [Link],860 [speaker_2]
No, only me. We can start.
[Link],850 --> [Link],540 [speaker_0]
Hey, ǀ (Chinese) ?
[Link],550 --> [Link],940 [speaker_1]
Uh, yes. Yes, ǀ (Chinese) . People will join us.
[Link],000 --> [Link],300 [speaker_0]
Okay.
[Link],310 --> [Link],560 [speaker_1]
So we can start then.
[Link],160 --> [Link],720 [speaker_0]
Okay, so ... Okay, let me open the case. Mm. Okay, so what-
[Link],780 --> [Link],790 [speaker_2]
Yes.
[Link],790 --> [Link],700 [speaker_0]
... is the issue? Like, um, basically, uh, when I go, gone through the case, so there is one
specific prefix, uh, which, uh, you are currently advertising over the, uh, new VIF, right? Which
Okay. Sure.
[Link],930 --> [Link],220 [speaker_2]
If you want.
[Link],260 --> [Link],780 [speaker_0]
Yeah.
[Link],420 --> [Link],100 [speaker_2]
Okay. And this, um ... Yeah. I have, uh, uh, six interfaces of this.
[Link],160 --> [Link],100 [speaker_0]
Okay.
[Link],000 --> [Link],760 [speaker_2]
And two of them are, I would say the old one. Uh, they are production. They, they are used now.
[Link],820 --> [Link],200 [speaker_0]
Okay.
[Link],220 --> [Link],620 [speaker_2]
They are, uh, they're hosted.
[Link],660 --> [Link],770 [speaker_0]
Uh-huh.
[Link],770 --> [Link],460 [speaker_2]
Uh, but the pro- they're a hosted versions of the connection.
[Link],540 --> [Link],780 [speaker_0]
Okay.
[Link],820 --> [Link],500 [speaker_2]
I- it works okay since, I don't know, one year or something like that. But there are ... But now
I'm planning immigration-
[Link],520 --> [Link],610 [speaker_0]
Uh-huh.
[Link],620 --> [Link],980 [speaker_2]
... to full redundancies, so I bought four direct connect.
[Link],040 --> [Link],160 [speaker_0]
Okay. Okay. Mm-hmm.
[Link],180 --> [Link],540 [speaker_2]
And, uh, I, uh, wanted to switch to the new connections, but step by step.
[Link],600 --> [Link],740 [speaker_0]
Okay.
[Link],760 --> [Link],460 [speaker_2]
So, uh ... And how it looked like, that I still using all the time the old connections, and I just, uh,
tried to use the new ones.
[Link],480 --> [Link],780 [speaker_0]
Mm-hmm. Okay.
[Link],790 --> [Link],980 [speaker_2]
And I h- and I hit the issue, uh, which I isolated in this way.
[Link],080 --> [Link],540 [speaker_0]
Uh-huh.
[Link],560 --> [Link],060 [speaker_2]
That, uh, I'm still, uh, uh ... we can focus only these, uh, two connections.
[Link],080 --> [Link],080 [speaker_0]
Mm-hmm. Okay.
[Link],180 --> [Link],940 [speaker_2]
And the problem is when, uh, when, uh, I start to advertise my prefix-
[Link],000 --> [Link],420 [speaker_0]
Okay.
[Link],160 --> [Link],080 [speaker_2]
... so the AWS goes using this link.
[Link],120 --> [Link],660 [speaker_0]
Okay.
[Link],700 --> [Link],280 [speaker_2]
So AWS, because it is specific, uh, it is 32-
[Link],290 --> [Link],340 [speaker_0]
Uh-huh.
[Link],350 --> [Link],220 [speaker_2]
... prefix. But, but, but for the return traffic-
[Link],360 --> [Link],860 [speaker_0]
Uh-huh.
[Link],870 --> [Link],560 [speaker_2]
... I'm using the old connection. Then I noticed the problem, that I'm sending the traffic to AWS.
[Link],600 --> [Link],900 [speaker_0]
Mm-hmm.
[Link],320 --> [Link],500 [speaker_2]
But, but AWS retries, sent me retries.
[Link],520 --> [Link],740 [speaker_0]
Uh-huh.
[Link],760 --> [Link],340 [speaker_2]
So it looks like my response, uh, was not delivered to AWS.
[Link],380 --> [Link],750 [speaker_0]
Yeah, yeah. Okay.
[Link],780 --> [Link],800 [speaker_2]
And, and I suspect the reason might be that by accident-
[Link],000 --> [Link],080 [speaker_0]
Mm-hmm.
[Link],090 --> [Link],580 [speaker_2]
... the, the old connection uses some logical device.
[Link],640 --> [Link],020 [speaker_0]
Okay.
[Link],900 --> [Link],840 [speaker_2]
And the new connection also uses the same logical device. And is it a problem in AWS but for
in,
for the same logical device-
[Link],160 --> [Link],250 [speaker_0]
Mm-hmm.
[Link],250 --> [Link],520 [speaker_2]
... I have, uh, two connections. And for some how AWS drops such, uh, traffic.
[Link],560 --> [Link],090 [speaker_0]
Yeah. So basically what is happening right now, um-
[Link],090 --> [Link],540 [speaker_2]
Uh, because it is not my de- desired config. I'm not planning to keep such config, but I just hit
the issue during the switching-
[Link],900 --> [Link],070 [speaker_0]
Mm-hmm.
[Link],120 --> [Link],400 [speaker_2]
... perhaps. Yeah.
[Link],410 --> [Link],900 [speaker_0]
Yeah. So mostly what is happening currently, like, uh, on the case, uh, uh, this prefix was given
to me, like s- specific prefix which you advertised on the new VIF. Uh, this one. Let me share it
in the chat. Mm. Yeah. So this, uh, prefix you are advertising over the new VIF, right? Uh, slash
32.
[Link],920 --> [Link],660 [speaker_2]
Okay.
[Link],720 --> [Link],980 [speaker_0]
It is-
[Link],040 --> [Link],220 [speaker_2]
I'm checking, I'm checking.
[Link],260 --> [Link],300 [speaker_0]
Yeah.
[Link],100 --> [Link],290 [speaker_2]
Yes, yes. It is-
[Link],420 --> [Link],430 [speaker_0]
So-
[Link],560 --> [Link],960 [speaker_2]
... it's on the-
[Link],980 --> [Link],230 [speaker_0]
Yeah.
[Link],230 --> [Link],850 [speaker_2]
... same prefixes ǀ (Chinese) .
[Link],960 --> [Link],498 [speaker_0]
Okay. Okay. So what is happening, uh, on the old VIF, right, which you are expecting to get the
return traffic from AWS on the same VIF. So like, currently you have, uh, two hosted VIF which
are having the, uh, slash 24 prefixes in this way. I'm sharing the, what we are seeing on the
AWS side with, uh, which, uh, on which VIF we are receiving the, uh, prefix with the shortest AS
path and the longest pre- AS path. Okay. And, uh, so basically from this, uh, from the old VIF,
what I saw, current ... If you are, uh, uh, let's say initiating traffic from any of the old VIF, right,
and these old VIFs are advertising, uh, slash 24, um, prefix on the AWS side. But on the newer
side, on the newer VIF, what it is, uh, what is happening, you are advertising the most specific
prefix, or, uh, we can say the, uh, longest prefix match, right? Uh, so what is happening, when
you are trying to reach the end point, which is .125/32, or the old VIF, on AWS side, it is learning
the same, uh-... prefix with the shorter AS path and with the most specific longest, uh, match
prefix. So for return route, AWS is, uh, choosing the new VIF as the best path. So due to what is
happening, you are sending the traffic from old VIF, but the return traffic AWS is sending on the
newer VIF. So that is, uh, some kind of causing an asymmetric routing. So there-
[Link],527 --> [Link],597 [speaker_2]
Yeah.
[Link],597 --> [Link],008 [speaker_0]
... you're seeing the, yeah, connection might get lost or something, other strange thing
happening. So that is the-
[Link],027 --> [Link],037 [speaker_2]
Okay.
[Link],037 --> [Link],847 [speaker_0]
... current issue. And, uh, let me check if this is causing due to the... both the connections are s-
are on the same logical device. Uh, let me ch- uh, check on this. Allow me a few minutes.
[Link],907 --> [Link],727 [speaker_2]
Yeah. Yeah. Okay. But what, uh, what I wanted to mention that in general, the AWS documentation says-
[Link],768 --> [Link],097 [speaker_0]
Mm-hmm.
[Link],097 --> [Link],428 [speaker_2]
... that they are ready for active/active setup.
[Link],438 --> [Link],438 [speaker_0]
Yeah.
[Link],488 --> [Link],327 [speaker_2]
It's meaning that I can have asymmetric, uh, routing.
[Link],147 --> [Link],188 [speaker_0]
Yeah. So, for-
[Link],227 --> [Link],688 [speaker_2]
Uh, so, so, I-
[Link],707 --> [Link],777 [speaker_0]
Yeah.
[Link],107 --> [Link],928 [speaker_2]
So I expect that, uh, when, uh, when I will not, uh, uh... I'm hearing myself when I'm talking. Uh,
can you, for a moment, turn off, I don't know, microphone? Because-
[Link],008 --> [Link],207 [speaker_0]
Okay.
[Link],217 --> [Link],347 [speaker_2]
... there is a mess here.
[Link],438 --> [Link],027 [speaker_0]
Yeah.
[Link],788 --> [Link],068 [speaker_2]
Oh, okay. Now it's so much better. It's much better. Okay. Uh, in general, AWS support
active/active, uh, connection. So in my opinion, I can, uh, uh, send the return traffic using any
links. Uh, but this pa- this particular, uh, thing does not work probably because I am connected
to the same logical device on the AWS. And perhaps this configuration does not work because,
uh, please look on my screen. Uh, uh, I expect that, uh, when I turn on my, uh, new links
(background noise) and I turn off the old one, I think that this configuration should work. That
AWS will send the traffic w- with this link, but I will send the traffic back using this, this, or this
link because, uh, it is normal active/active, uh, asymmetric pattern. I, uh... So, so in my opinion,
it should, uh, work. But, uh, perhaps the issue is, that it does not work now because
accidentally these two links, uh, are connected to the same logical device on AWS. Like,
perhaps this specific configuration does not work. Because normally, A-AWS says that you can
use the active/active asymmetric patterns. It allow us to balance, uh, using, uh, um, ECMP, or
something like that. Yeah.
[Link],408 --> [Link],208 [speaker_0]
Mm-hmm. So basically, ECMP will work in this case when you will advertise this prefix with the
same AS path, uh, prepend from both the VIF. So what it is currently, uh... So which old VIF, u-
on the which old VIF are you sending back the traffic? Uh, if you can just point it, point me out
there. Um...
[Link],647 --> [Link],568 [speaker_2]
Uh, so basically, it is not a problem that, uh, I am connected to the same logical device, but the
problem is that I am advertising the different, uh, mask lengths?
[Link],588 --> [Link],387 [speaker_0]
Mm-hmm.
[Link],407 --> [Link],728 [speaker_2]
Yes.
[Link],748 --> [Link],916 [speaker_0]
The different mask length will also not a problem. If you want to utilize, um, both the VIF as an
active/active setup, so in this case, what, um... if they are on the same logical device, let's say,
uh, VIF in this case. So in this case, uh, the pa- the AS path that we are prepending on the old
VIF which you are using to advertise this specific prefix and the newer VIF should be same. So
in that case, it can... uh, AWS can perform a load balancing. Because what is happening
currently, on both the VIF, AWS is learning via different AS path. Means, on the older VIF it is
the longer AS path, and on newer VIF it is shorter. So in here, AWS is not doing any, uh, equal
ga- equal cost multi-path load balancing. It is just routing-
[Link],928 --> [Link],168 [speaker_2]
Okay.
[Link],178 --> [Link],468 [speaker_0]
... the traffic to the-
[Link],478 --> [Link],478 [speaker_2]
Okay.
[Link],478 --> [Link],228 [speaker_0]
... newer VIF. Yeah.
[Link],288 --> [Link],498 [speaker_2]
Okay. So sorry. Uh, AWS also supports active/passive. Uh...
[Link],588 --> [Link],598 [speaker_0]
Yes.
[Link],598 --> [Link],647 [speaker_2]
And, uh, but do they, AWS expect that the traffic is symmetrical? Uh, can I configure it in this
way-
[Link],708 --> [Link],916 [speaker_0]
Yeah.
[Link],916 --> [Link],058 [speaker_2]
... that, uh, that, uh... Like, can you turn off microphone for a moment? 'Cause again, I'm
hearing-
[Link],058 --> [Link],468 [speaker_0]
Yeah, yeah, sure, sure.
[Link],478 --> [Link],051 [speaker_2]
... there's some mess. Yeah. So, uh, can I configure it in inactive/passive in this way, but, uh,
AWS sends traffic to me using this link, and I'm sending the traffic back using this link. Is it
possible or it is completely dead end and I need to make sure that...The traffic is symmetrical. If
something is sent, we have this link. I need to response also this link.
[Link],372 --> [Link],271 [speaker_0]
It depends on, like, you can influence AWS with any, uh, pattern you want, like active/active or active/passive. But the thing comes to the on-prem device, like when you are sending traffic from, let's say, one, uh, RT1 VIF and you are receiving traffic from RT2. So the on-prem device should be having some asymmetric routing kind of thing enabled on the interface where your VIF is terminated, or any virtual interface on the firewall.
[Link],332 --> [Link],852 [speaker_2]
Okay, but I am ready for asymmetrical routing. I configured my devices that they are aware
that the same prefix can go into using the different interfaces. So I am completely fine that the
traffic goes into the different interface. I can accept it.
[Link],012 --> [Link],551 [speaker_0]
Okay then. Then it is fine. Then if you want to utilize this setup as active/passive, then it is also fine. The current, then the current configuration which you are doing, which you have, like, which is causing traffic to be received by AWS on the older VIF and traffic from AWS getting sent by the newer VIF. So in that case, if asymmetric routing is enabled on the on-premise device, firewall or router, then the traffic will not get dropped, nothing would happen.
[Link],992 --> [Link],051 [speaker_2]
Okay, so, so why does now I, AWS does not accept the traffic but, um, AWS sends the traffic to
this link? It is advertised with because it is advertised with mask 32.
[Link],212 --> [Link],391 [speaker_0]
Yes.
[Link],431 --> [Link],551 [speaker_2]
And I am standing back using this link. The problem is with the mask.
[Link],612 --> [Link],031 [speaker_0]
Yes.
[Link],112 --> [Link],632 [speaker_2]
Or the, or the problem is that we are connected to the same logical device.
[Link],671 --> [Link],331 [speaker_0]
No, the problem is basically what AWS direct connect routing preference is. It will first check the
longest prefix match. Okay.
[Link],112 --> [Link],121 [speaker_2]
Okay.
[Link],171 --> [Link],132 [speaker_0]
So the longest prefix match. Yeah, the longest prefix match is here, slash 32, which is on the newer VIF. And after that it will check the path prepend. So which is also getting higher prioritization for the newer VIF. So that is why it is causing AWS to send back the response traffic to the old, to the new VIF.
[Link],232 --> [Link],712 [speaker_2]
Okay, it is completely understandable. But-
[Link],771 --> [Link],071 [speaker_0]
Yeah.
[Link],092 --> [Link],311 [speaker_2]
AWS sends traffic using this.
[Link],352 --> [Link],171 [speaker_0]
Yeah.
[Link],571 --> [Link],012 [speaker_2]
But for the outgoing traffic I prefer this link. And I'm seeing on my TCP dump. But I am sending
the traffic to AWS. So what is the reason why AWS somehow do not accept this traffic? Drops it
on something? The problem is mask, or the problem is that these two links are connected to the
same logical device and it is for some reason not, uh, not supported.
[Link],051 --> [Link],202 [speaker_0]
Okay. So the one problem is which I like, we discussed earlier, which is like the longest prefix
match and the path. So one concern with this, let me check on another concern which you are
asking, which is this. If this is causing you to be on the same logical device. Uh, I think it mostly
do not cause this. Let me check on this. Allow me a few minutes. ...
[Link],232 --> [Link],212 [speaker_2]
Yeah.
[Link],252 --> [Link],821 [speaker_0]
Hello. Hello. Hello. Hello. Hello.
[Link],472 --> [Link],252 [speaker_2]
Yeah, go ahead.
[Link],352 --> [Link],952 [speaker_0]
Hey, there's a case, have you had a look at it?
[Link],972 --> [Link],512 [speaker_2]
Hmm.
[Link],521 --> [Link],992 [speaker_0]
I'll put it in the chat. I've put it in the chat. Okay. Now, this one at the top, that is its old VIF, the old VIF and the new VIF. Okay. Old VIF...
[Link],002 --> [Link],331 [speaker_2]
But what are you sharing? I can't see anything.
[Link],352 --> [Link],212 [speaker_0]
Hey, I shared the selection in the chat.
[Link],232 --> [Link],132 [speaker_2]
Hmm, let me change my status. Let me set it to live. What am I doing now? Yeah, go ahead now.
[Link],172 --> [Link],132 [speaker_0]
So look at this. He has one old VIF and one new VIF, okay. The old VIF is the one currently set up. Their production traffic is running on it. From the old VIF he is advertising this, this prefix from on-prem. The whole slash 24 one, okay. This is its AS path. Okay. Now what is he doing? There's the new VIF. He is advertising one specific IP out of that same prefix, okay. 125 slash 32. Okay.
[Link],152 --> [Link],652 [speaker_2]
Yeah, yeah.
[Link],712 --> [Link],101 [speaker_0]
And it's getting the shorter AS path with that, okay. So now when, yeah, so now when he sends traffic for 1.125 from his on-prem over this old VIF, what's happening is AWS is sending the return over the new VIF, okay. Because...
[Link],172 --> [Link],371 [speaker_2]
Okay
[Link],712 --> [Link],692 [speaker_0]
The longest prefix is matching as well, and the AS path is also the shortest. Okay, so that's what is happening. But there's one more reason. I did tell him that reason, but something like this could also be happening. Now look, his old and new connections, both terminate on the same logical device.
[Link],712 --> [Link],022 [speaker_2]
Hmmm.
[Link],052 --> [Link],371 [speaker_0]
So it could also be because of that. If these two were on different logical devices, would this issue happen?
[Link],091 --> [Link],052 [speaker_2]
If they were separate, on separate logical devices.
[Link],552 --> [Link],481 [speaker_0]
Old VIF and new...
[Link],792 --> [Link],692 [speaker_2]
These clouds, the one whose VIF this is, which one is it associated with?
[Link],288 --> [Link],768 [speaker_3]
Old vif is there, old vif is hosted, right? It is okay, new vif has also been taken by us. Dedicated
display people are migrating.
[Link],908 --> [Link],078 [speaker_1]
Yeah, both of them have DX, means on which terminal is VGWA or what?
[Link],108 --> [Link],138 [speaker_3]
Let's see, hold on.
[Link],138 --> [Link],187 [speaker_1]
Okay.
[Link],028 --> [Link],788 [speaker_3]
What is it? New one is 7Q. New one physical connection ID. Where does it look like? Screen center. Where does it look like? It is not visible in the associated stage. This is new.
[Link],848 --> [Link],618 [speaker_1]
This is your vif open. This one is your vif, right?
[Link],727 --> [Link],768 [speaker_3]
Yes.
[Link],108 --> [Link],058 [speaker_1]
Which one is public? Okay, okay, okay. All these are public.
[Link],348 --> [Link],048 [speaker_3]
Yes, yes, private. No, it is a public view.
[Link],967 --> [Link],258 [speaker_1]
Hmm. Okay. Public with both of them are also public.
[Link],678 --> [Link],938 [speaker_0]
Yeah, I'll take this point also. I will check on this and, uh, will shortly get back to you on the case
itself of what I found internally. So I just checked with the service team about this, so they
would be having better scope of how the backend traffic works.
[Link],798 --> [Link],598 [speaker_5]
Okay.
[Link],618 --> [Link],898 [speaker_0]
Yeah.
[Link],918 --> [Link],518 [speaker_5]
Thank you.
[Link],528 --> [Link],618 [speaker_0]
So, for the time, yeah, we can conclude, uh, like, uh, it is causing issue due to a same logical
device learning a prefix from two of the VIFs. That is why it is causing issue. And, yeah, I'll
shortly check up on this, uh, with the internal team and get back to you on the case. Yeah.
[Link],658 --> [Link],198 [speaker_5]
Yeah, I, I would summarize it, uh, I see the issue is one logical device sends back traffic-
[Link],258 --> [Link],408 [speaker_0]
Yeah.
[Link],408 --> [Link],838 [speaker_5]
... via one link, and tries to receive, uh, that, that traffic-
[Link],898 --> [Link],908 [speaker_0]
Uh-huh.
[Link],908 --> [Link],918 [speaker_5]
... from the other link.
[Link],958 --> [Link],138 [speaker_0]
Yeah, correct.
[Link],218 --> [Link],958 [speaker_5]
Uh, yeah.
[Link],998 --> [Link],118 [speaker_0]
Yeah. That is, that is fine. Yeah. Okay.
[Link],178 --> [Link],038 [speaker_5]
I think this, uh, I, I really need to, uh, the, the problem is, uh, reproduced. So if some, some,
someone needs to check it, the problem is reproduced.
[Link],058 --> [Link],978 [speaker_0]
Mm-hmm. Sure. O- sure, no worries. I'll take this offline and, uh, I'll just, uh, have a word with
[Link],358 --> [Link],458 [speaker_0]
Yeah. Okay, yeah. Uh, till then, if you have any, uh, further assistance required, you can just
update in on the case, so I'll just get back to you in the meantime.
[Link],478 --> [Link],858 [speaker_5]
Thank you. Thank you.
[Link],878 --> [Link],228 [speaker_0]
Okay. Okay, so I'll just, uh-
[Link],538 --> [Link],708 [speaker_5]
Okay, bye.
[Link],708 --> [Link],358 [speaker_0]
Okay, then, uh, I will take your leave, guys. Uh, and will update the case. And, uh, once I have
the findings from the internet team, I'll also update that thing, like what it is causing the issue.
[Link],438 --> [Link],708 [speaker_1]
Okay, thank you, uh, Yash, and, uh, please, uh, do share the call summary, uh-
[Link],738 --> [Link],178 [speaker_0]
Yeah, sure, I'll, uh, share the call summary, uh, after this call. Yeah, sure.
[Link],378 --> [Link],598 [speaker_1]
Lucas, thank you.
[Link],758 --> [Link],618 [speaker_5]
Thank you.
[Link],638 --> [Link],648 [speaker_1]
Bye-bye.
[Link],698 --> [Link],378 [speaker_0]
Okay, thank you.
[Link],398 --> [Link],678 [speaker_5]
Bye.
[Link],698 --> [Link],058 [speaker_0]
Yeah, bye.
[Link],068 --> [Link],068 [speaker_5]
Bye.
[Link],068 --> [Link],438 [speaker_0]
Ooh, Mahesh. (mouse clicking)

Okay, so, hey, do you need me to show you how I do the clean up? From on-prem, you're trying to rethread, or from AWS? Yes. Okay, so this is our iCloud server, which is on the other side. Okay. So, yeah, so this is one of our, so this is the one which I'm trying to connect.
So it's just saying it's not even going anywhere. Can you do a trace route? Yeah, I can. But a trace route is also not actually giving me anything. It's just that. No, actually, okay. It's not doing anything.
10, 1, 80, 10. I think there is some route issue. I was confused about this particular route. I can see this particular route is going to this address now.
So basically that attachment is your DX Gateway attachment. 1085 is your on-prem, right? This one.
Yeah, 1085 is on-prem. So this is our correct attachment right? This got confused me a little bit.
Basically I think, just a second. So there are three routes for 1085 series.
Yes, the other one I was not able to see that something is... I will just share it with you. Okay. So
these
are the three routes for same sider. So basically first one is your supernet which is less 16 and
other
two are your specific siders for 10 and 11 subnet.
So any traffic falling under the 85.10 or 85.11 will follow this longest prefix match paths which
are
other two which are pointing towards the direct connect. So that is fine from here. Do you have
this
AWS instance access?
It represents actually, oh, this particular server access I'm not having. Maybe I think it's, it, I think the route is, because we are not getting anything on this on-prem, which means that might be a route missing on the OS. Let me check.

But actually in our OS we are not putting any kind of routing system. So it's the same OS which we have, sorry, the same routes which we are using. Any TCP service you are using on AWS which you can try to telnet or something? So sorry, can you just repeat it again? So basically the instance which you are trying to ping, right?

Do we have any specific ports which we can try to telnet or SSH, so we can get an idea? Sometimes, see, ping might be blocked. Let me see if I can get any kind of, because this is a different server. Just give me a moment, I'll just stop my sharing. Okay. Hey, take the dish. Why are you eating this? I will wash the dishes for you. I have washed the dishes for you till today.
I will share my screen now. So this is the server. This is the destination server and the other one is the source. So this is the AWS server. Let me just double confirm it somehow.

I think there is no route for 1085. Okay, let me see. Let's just say. Yeah, okay, it is there. 1085, 1183 via 1085.

Can you do the same thing on the on-prem server? Okay, the route one? Yeah.

Yeah, sure. Because I have already tried it, I think I might get it here. Yeah. Okay, it is checking distance. 10-180, 10-239. Yeah. There are two waves, all these routes are getting advertised for 10-180 also. This one is 80 SE. And this is a 10-180 distance. Yeah, when I'm trying from AWS, I'm getting this, the trace route. Okay.
So this is actually which, 10, this is 169 254 252.1 96.3? Yeah, okay, this is the BIF only, okay, so this is which, which we mentioned, right? Right, uh, ending with six, qbk, okay, so over that, okay.

Okay, this is the one, right? Yes. Okay, so in here, an association, I think I have added this page as well, so it's right, it should allow. Okay, on the other hand side, let me just, this is going to this transit gateway, because I'm just confused about, like, is there any routing or something. Which time, we can do one thing, uh, just go to your on-prem once.
Okay, so you need to go to the server or the console? It's a little out. Server, server, server. On-prem server. Okay, yeah. Let's do one thing, just a second. We can capture traffic, if it is receiving, if it is getting received on on-prem or not, when you are trying to ping from AWS. You mean tcpdump? Yeah. Let me get the command. I'll just type in this. Ah, okay. I will just share it with you.

So beside source you can add the source IP as the AWS. Just let it be source and space, AWS IP. Just mention there, any space, src, source, then after that the IP.

Yeah, yeah, I have to, yeah, you can just try to run the ping or something, let's see if tracking is working. I'll do the trace route again, do the ping once. Okay, first trace route. Might be the ping would be lost in between. Okay, okay, we are, means we are receiving ICMP echo request, correct, from AWS. Okay, now try to do the same thing, just stop this capture and run this capture on the AWS also, and try to ping it from here. This mentions Rose as your on-prem IP. I have already done. So we can get, like, if there is any route missing on any of the sides. Initiate ping. I have initiated.
But I think it's not coming. Which means there is some issue on the route towards AWS. Which means, like, the outbound from the valley cloud is blocking this. Is that what you mean? Yeah, mostly I am suspecting that. Just toggle again to that AWS instance. Okay. Okay, they are not receiving any. You can see zero packets captured. I think the traffic is getting dropped in the middle or something. Just try to do SSH or something.

Sorry? Yeah, you were trying to do SSH, right? SSH is working fine. I'm already in the machine. No, no, via this... Both machines are... Via this, your on-prem machine, are you able to do SSH? Because I think SSH would have taken... No, that is not allowed. Okay, okay. Because we have already restricted all those things. I'm just trying to...
It was in a different way which I mentioned, which is able to connect. I was just looking, like, I can do it from there, and just both are going into the same place. Because right now I am trying to do it from there. Just a second. So I just need to confirm it. Both are going into the same place, and I think I can use the same couch which we have there in a little bit. I will just put the chair here. So it should be there. Yeah. Give me a moment, I will just finish this up. Yeah, sure. Take it. Thank you. Yes, my time is coming at the same time. I'll show my screen. So this is absolutely the one we're trying to connect into.

So this is going with the same value. This is 5, but this is the one, right? Yeah, that is 50 is the... Yeah, dot 50 is Amazon's interface IP. This one is 252. So here it's going to 252.5.

So why is it here we have two different IPs? That is mostly the gateway, it should be. But here I can see only one. Can you share me the instance just once? This instance ID. This instance which, okay. Yeah. The one which I, right now the working one, right? Yeah, right, right. So this is my, this is our production one. Working for myself. This is the one. Okay. So this is so much ENI.
Mostly the routing is the same for both the instances. I think there is some issue in the return routes towards AWS. You mean, like, from on-premise to back-end? Yeah, from on-premise. Is that what you mean? Yes, from on-premise to AWS, correct. Because we are sending that echo request but also not receiving any response, and when we are trying to do echo request from on-prem, it is not reaching the AWS.

It is getting dropped somewhere or something. It's happening. 1085.11 will terminate on time. Transit gateway. Let me see. DX.
Something might be on the instance itself, on this on-prem instance. Is it, can we try to do any telnet on port 443 or something? Is it possible? I'm not sure if this is a working one. Even for the working one, I don't think this will be capable. Because we have some kind of restrictions over that one. But I think this is the working one.

If this didn't work, then the other one won't work. This is connection to boost. So it's reaching and getting the connection to boost. Because we don't have anything. But the other one, I think mostly it should get connected. It's trying. It's just trying. It is not reaching there.
So you mean, like, it's not even reaching to the AWS, right? Yeah, just, do you have the transit gateway flow logs attachment? Attachment flow logs enabled? We can check if we are receiving... We have just for the VPC, I don't think we have... But I'm not sure about this particular VPC because this is a new VPC. We are not using this as far as... Oh yeah, we have.

This might be complete. Yeah, destination. Uhh, what is the IP you are trying to ping? ENI, right? I think this one. Let me share it in the chat. This one would be the ENI. 43. Oh yeah? Okay.

Just go to the filter and type in your on-premise IP, which is 1085. You can type the whole IP. 1183, yeah, 1085 1183. It's not showing completely, right? I think the flow log format is... It's showing the rejects, I think. This is only internal traffic. Just go to the logs and...
Yeah, now we are getting C. This is your outbound traffic. Like from AWS. Yeah, this is from AWS to your on-prem. Okay, so this one. You can do one thing. Just go to that Logs Insights once, on the left tab. Okay. Yeah, at the end, go to the end of the first line and hit enter. Here? First line, first line. Here? Yeah, go to the end, just hit enter, right. I'll just give you one filter. Just type this filter, paste this filter on the second line. Between apostrophes just add the IPs, source, okay, yeah, 1085 11 83 I think, 10.180 10.139. Run the query. It is not reaching here. Traffic is not reaching here. So it's mostly due to a routing issue from the other end, right? Yeah, I think outbound traffic is somewhere getting dropped or it is not reaching here. But if they have the issue, the internet is working fine, right?
Inbound is working but outbound is not. Because when we did that ICMP echo request we can see, like, we are not sending. It's coming in. Yeah, that is fine, like, it is coming in, but there was no response for the request. The reply was not going there.

In this case, the outbound is having the issue, right? It is not the inbound ones. Because I just need to double confirm if it is a complete out issue or it's just the outbound issue. Yeah, it's an outbound issue.

I think from OS level there might be some issue. The traffic is getting dropped on the interface or something. Because if a request is coming, there must be a reply. Auto reply should be there. It is not going, actually.

Can you just do ifconfig, interface 1085, 1183? Which one is 1085? Drop 0, receive back its transmitter, it's okay. I think I need to run it, just a second. This is also, sorry, this is. Yeah, that one was correct. Okay, got it.
Is there any kind of NACLs or rule that has been set over here on this instance? I don't think so. Because this is some kind of, like, the production one, so we mostly didn't do any kind of, like, usually it should just work if you don't have it. I think the route table is this one. Route table, this one I have added because I'm only concerned about, like, this is her out.

Okay, so this is currently VPC, this is Alibaba Cloud, right? Yeah, so I'm just comparing these things. I'm just logging into this particular one of the machines so that I can just again confirm, like, if it is the same, I'll just start the same over the route.

Because I am not the one who set it up, so it's completely confused, that's all. So that on-premise instance is a Linux, right? Which one is it? Debian or something? No, it's a Debian, it's a Rocky Linux, but the route, that's something I don't understand, why it's coming in but it's not acknowledging or doing any other thing.
Yeah, let me see if there is any local firewall dropping ICMP or something. You have shared something to me? Yes, on the chat. Just don't run that command first, let's run another command. Okay, run the second command.

It's empty. Now run the first command, sudo iptables. Empty. Can you run this command and let us confirm if the ICMP request is getting sent on the correct interface? What is that interface? inet2. Just run this command once again on this instance, on-prem instance. Sometimes it's like echo requests are receiving on a different interface rather than that. You can run this on the on-prem, so I will try the ping here, echo request.

Okay, just run the command again and include a hyphen v for detail. Yes.

Can you see the return traffic is going via which, uh, interface? Just type ip route get and then that Amazon instance IP. Yeah, sure. It's 253. Okay, it's the same, and then we can, eth zero.

Just run the same command on the Amazon instance again for the ethernet zero. Let's see if we are receiving the same command. And now try to ping from on-prem on AWS, is good? Yeah, there is, AWS traffic is not receiving on AWS either, or on any of the interfaces.

Because as, as AliCloud is able to receive and the request is sent from the server, so the routing on both sides is fine, right? Yeah, like, like that should be how, right, after there is no outbound. Just run one more command, systemctl.

Let's run this command, otherwise we will see on the transit gateway attachment once if we are receiving route on one. Okay, did you send something to me? Yeah, I'm just sending one command in the chat. Okay, let's run this once, let's see if something in on-premise? Yeah, on on-premise. Okay, this is, this is my...
Okay, just a second. It is set to zero. Okay, means it is disabled for now. Just try to ping via sudo. Just ping, type sudo ping and then this Amazon IP. I am actually in sudo. Okay, you are already in sudo. I am in root console. Okay, okay, okay. I am already in root console. Okay, okay. RP filter is not there, which means mostly no local firewall involved.

Okay, we can do one last thing. I'll just go to that AWS console one. Oh, console? Okay. And on towards the transit gateway attachments. Okay. Yeah, just search here that DX attachment. DX gateway attachment. I think, let me grab it first. This one might be. This one will be the DX gateway attachment. Ending with B0. Yeah. I have opened mult to…

Just go to the action, click on action. Create flow log, name for the text flow log. Put it in the same place. That is fine. Format is fine. You can just create. Go to the flow log. Go to the flow log again, the tab below.
I will just share the unit in the chat, transit gateway unit. Okay, so one by one we can check for these three units. Okay, so let me just close a couple of things. This one I'm not able to get here, the first one. I'll try the second one. I think this is the VPC flow log, that might be the easiest. Yeah, right, because we selected the VPC flow logs, that's why I think. But it should push the logs too sometimes. These are all the VPC ENIs, right? It won't show, I think, over here.

Okay, maybe meanwhile I can do one thing. I can just remove that one and put it into something different. Yeah, you can do that also. I think that won't work. That group I am suspecting. Yeah, you can select your transit data. It will come under VPC. Yeah, I think it is coming under the VPC. Yeah, right. Okay. Next. Yeah. So now let's do next.

Okay, it's already there, maybe I'll just try to put it over here. Nothing is here as of now. Will it take some time? I think this will take some time. Just keep on generating the continuous traffic. If it's not showing, which means it's not coming. Just go to and click on view in Logs Insights.

Go back to that flow log again. Yeah, you can see there was a direct option, we can see, yeah, just select the log group here again, your TGW flow logs. Just go to that custom time frame and select 30 minutes or something. Yeah, yeah, select 30 minutes.
00,340 --> [Link],359 [speaker_0]
My shift has been ended like 30 minutes before. So, what, what are the next step we are
planning to do?
[Link],440 --> [Link],980 [speaker_1]
Um, I know, uh... (clears throat) I think we just need to wait for another IT or, uh, machines for
us to test. Uh-
[Link],980 --> [Link],899 [speaker_2]
Yeah, yeah. I already requested. I, I already requested, um, which, uh, but the guy is not
available now. He will, he will do later.
[Link],079 --> [Link],459 [speaker_1]
Okay.
[Link],019 --> [Link],979 [speaker_2]
For this current session-
[Link],000 --> [Link],520 [speaker_1]
So, for, um...
[Link],520 --> [Link],240 [speaker_2]
So, uh, uh, maybe, maybe, uh, we, we probably talk first. Maybe we, we come, uh... We, we try
from email later because once, once the, uh, the, the, we already, we can test. Give your result
and okay, we just request from the email. If not, then maybe we need to join back the call
within one or two hours to sell.
[Link],299 --> [Link],939 [speaker_1]
Mm, okay.
[Link],360 --> [Link],700 [speaker_0]
Okay, that sounds good.
[Link],840 --> [Link],180 [speaker_1]
Mm-hmm. Okay. So let, let's talk first time.
[Link],680 --> [Link],799 [speaker_2]
All right.
[Link],840 --> [Link],220 [speaker_1]
Yeah. Thank you, guys.
[Link],040 --> [Link],579 [speaker_2]
Thank you, guys.
[Link],559 --> [Link],599 [speaker_0]
Okay, thank you everyone. Yeah.
[Link],599 --> [Link],179 [speaker_1]
Hi, thank you very much for helping. Bye.
[Link],459 --> [Link],059 [speaker_0]
[Link],540 --> [Link],019 [speaker_2]
Bye.
[Link],059 --> [Link],119 [speaker_1]
Bye.
[Link],119 --> [Link],520 [speaker_3]
(laughs) (viola music)
[Link],220 --> [Link],080 [speaker_0]
... then we can move forward, right? So I was, uh, telling that as per the configuration,
Check Point is the initiator, right, for this VPN connection. So whatever the, uh,

[Link],120 --> [Link],850 [speaker_1]


Yeah. Yeah.

[Link],850 --> [Link],850 [speaker_0]


Yeah.

[Link],880 --> [Link],340 [speaker_1]


You- you continue talking, because I'm showing you now. This is the IP that we are sending,
establishing the tunnel. You are responding to us with this IP as well.

[Link],460 --> [Link],200 [speaker_0]


See, the basically ... it can't... Check Point is the initiator, right?
So whatever Check Point will propose, AWS will accept because there is no specific local

[Link],580 --> [Link],650 [speaker_1]


I'm, I'm telling you, I'm telling you now, Check Point is not-

[Link],650 --> [Link],390 [speaker_0]


No, I'm telling you from the AWS perspective.

[Link],390 --> [Link],210 [speaker_1]


Check Point is not the one send. Check Point is not-

[Link],210 --> [Link],800 [speaker_0]


See, see, see, I am telling you.

[Link],860 --> [Link],320 [speaker_1]


Check Point is not sending. Check Point is not the one who give you-

[Link],330 --> [Link],330 [speaker_0]


I'm-

[Link],340 --> [Link],460 [speaker_1]


... the IP.

[Link],500 --> [Link],350 [speaker_0]


Yeah, I am agreeing.

[Link],520 --> [Link],530 [speaker_1]


Check Point

[Link],530 --> [Link],600 [speaker_2]


Yes, I'm-

[Link],620 --> [Link],320 [speaker_0]


I am agreeing.

[Link],340 --> [Link],930 [speaker_1]


... checking for the IP.

[Link],980 --> [Link],960 [speaker_0]


Yeah, I agree. Check Point is not sending, but whatever AWS
is receiving as a phase 2 encryption domain, I don't know if it's coming from the LB

[Link],980 --> [Link],050 [speaker_1]


Okay. Then what is-

[Link],060 --> [Link],880 [speaker_0]


So that is why it is happening.

[Link],900 --> [Link],030 [speaker_1]


Then what is happening, yeah.

[Link],080 --> [Link],340 [speaker_0]


Correct.

[Link],700 --> [Link],140 [speaker_1]


One question from you, uh, for you. If, let's say, we are sending you different IP, then why you
are establishing the connection with us?

[Link],360 --> [Link],370 [speaker_0]


Because it is coming from the customer gateway. That's why. AWS is a responder here.

[Link],380 --> [Link],900 [speaker_1]


No, because you are-

[Link],920 --> [Link],110 [speaker_0]


Because you don't have con-

[Link],280 --> [Link],920 [speaker_1]


You are setting up your VPN, VPN setup, you put our IP, 211.225.

[Link],020 --> [Link],560 [speaker_0]


No, no, that is a customer gateway IP, right?

[Link],600 --> [Link],549 [speaker_1]


Yeah, no, this is the one that... That's why I'm saying you are seeing different IP,
then how come you can establish, in, if, let's say, you are, you are coming from, uh-

[Link],560 --> [Link],940 [speaker_0]


This is-

[Link],950 --> [Link],960 [speaker_1]


... your IP already?

[Link],120 --> [Link],940 [speaker_0]


This is a phase 2. This is not a pub- uh, this is a phase 2, the traffic selector, right? This
is not a phase 1. You have the customer gateway with 211, right? This is not a, uh,

[Link],760 --> [Link],360 [speaker_1]


The... Now you need to answer me. Why, why from your end, we need to allow 000 dot, uh,
dot 0/0 instead of our original IP for us to establish a connection?

[Link],400 --> [Link],290 [speaker_0]


See, on AWS side, someone was-

[Link],300 --> [Link],220 [speaker_1]


For phase 2, for phase 2. I'm, I'm asking you for phase 2. Phase 2 now, you put any traffic.
(computer mouse clicking) Your side, you put any traffic. You will accept any traffic.

[Link],920 --> [Link],320 [speaker_0]


So yes, that is why it is accepting any traffic, right? It is 00 already configured on AWS side.

[Link],380 --> [Link],960 [speaker_1]


Yeah, this one is, you are the s- the one sent to us.

[Link],980 --> [Link],010 [speaker_0]


The-

[Link],010 --> [Link],210 [speaker_1]


It might be because you are sending through a different side.

[Link],210 --> [Link],700 [speaker_0]


No, these are not. See, the initiator always represents the phase 2 traffic selector, not the responder,
right? In IPsec, as per the-

[Link],760 --> [Link],260 [speaker_1]


This one is, this one is outbound, outbound from your end towards this IP.

[Link],380 --> [Link],420 [speaker_0]


Wait, just a sec.

[Link],420 --> [Link],030 [speaker_1]


Oh.

[Link],040 --> [Link],049 [speaker_0]


Uh ...

[Link],060 --> [Link],380 [speaker_1]


This is public IP.

[Link],460 --> [Link],350 [speaker_0]


See, the first one you see inbound traffic selector. If you see, I have shared the whole log.
This is not a, yeah. The first one is the inbound to AWS. And on AWS-

[Link],350 --> [Link],850 [speaker_1]


This one? This one?

[Link],899 --> [Link],300 [speaker_0]


Yeah.

[Link],399 --> [Link],980 [speaker_1]


Uh-huh.

[Link],079 --> [Link],420 [speaker_0]


I think this one is not. Yeah, this one.

[Link],440 --> [Link],740 [speaker_1]


Ah, you can see-

[Link],800 --> [Link],810 [speaker_0]


You can see.

[Link],810 --> [Link],700 [speaker_1]


... from earlier also wrong.

[Link],760 --> [Link],880 [speaker_0]


Yeah.

[Link],920 --> [Link],080 [speaker_1]


Why, why in the last one, closing is correct?
[Link],040 --> [Link],800 [speaker_0]
So that is why I was mentioning, because on AWS it is configured as 00. AWS
is depending on the customer gateway, whichever the phase 2 traffic selector, or, uh, sorry,

[Link],840 --> [Link],520 [speaker_1]


Yeah. 7 is not our IP. We don't have 7 IP. That one is a public IP.

[Link],540 --> [Link],300 [speaker_0]


Yeah. So see, see. So basically-

[Link],310 --> [Link],350 [speaker_1]


(laughs)

[Link],350 --> [Link],240 [speaker_0]


... this is neither an issue on AWS side, neither on Check Point if we come to, right?
Because from AWS perspective, it is a responder, uh, whatever customer gateway will propose,

[Link],280 --> [Link],660 [speaker_2]


Satish, can you, can you share production one? Are we seeing something like this as well,
Shafiq?
Hey, um-

[Link],740 --> [Link],870 [speaker_1]


Asim, Asim, do we get-

[Link],880 --> [Link],050 [speaker_2]


How, how-

[Link],050 --> [Link],940 [speaker_1]


... all this information, whether it's the same like this or not?

[Link],980 --> [Link],340 [speaker_2]


How to get this info, uh, AWS?

[Link],640 --> [Link],330 [speaker_1]


You share your screen now.

[Link],840 --> [Link],620 [speaker_2]


Okay, hey, sorry. (coughs) I just spoke to Dynatrace, uh, uh, partner, uh, office.
So according to them, the, this potential problem, like, why, uh, the e- the, this color source,

[Link],720 --> [Link],890 [speaker_3]


Yeah.
[Link],890 --> [Link],910 [speaker_2]
So it looks like we cannot use this source anymore to actually do the testing.
We may need to wait for the new server to be ready.

[Link],910 --> [Link],170 [speaker_3]


(speaks in Hindi)

[Link],170 --> [Link],820 [speaker_2]


Rajesh, do you have any of the same segment that we can test?

[Link],840 --> [Link],189 [speaker_0]


(dialogue in Hindi)

[Link],620 --> [Link],920 [speaker_2]


Yeah.

[Link],000 --> [Link],170 [speaker_0]


(Dialogue in English and laughs)

[Link],170 --> [Link],680 [speaker_2]


So, um, Andrew's team, how you- how do you get that info?

[Link],700 --> [Link],050 [speaker_0]


Which info?

[Link],060 --> [Link],440 [speaker_2]


How to get info? Is it from your backend? Or if we can use, uh, CLI to do that.

[Link],560 --> [Link],340 [speaker_0]


Sorry, which info are you talking about?

[Link],350 --> [Link],460 [speaker_2]


The one that you have made, uh, the-

[Link],480 --> [Link],200 [speaker_3]


(dialogue)

[Link],620 --> [Link],290 [speaker_0]


No, no. What I'm saying, uh, is this pro- uh, the VPN connection that we are trying to
troubleshoot,
is it in production or, uh-

[Link],300 --> [Link],020 [speaker_2]


Yes, this one is the one that we bring up last night, another link.

[Link],820 --> [Link],220 [speaker_0]


See, because, uh, what is happening, phase two traffic selector I don't know Checkpoint is pro-
proposing or not. But to avoid this issue from the AWS side, we can do,

[Link],340 --> [Link],780 [speaker_2]


So, yes, uh, yes, actually what they're trying to do now is, uh, what we- you seen just now
is all our non-production environment, the one that are having problem. The one, the...

[Link],840 --> [Link],300 [speaker_0]


Okay.

[Link],320 --> [Link],800 [speaker_2]


...as the one you show just now. So now Shafik, he wants you to show where to get that log.

[Link],840 --> [Link],320 [speaker_0]


No, no, no. You can't, um, get that log from the same... Uh, what is the VPN connection ID?
Does that belongs to the same account?

[Link],340 --> [Link],429 [speaker_2]


Different account.

[Link],480 --> [Link],860 [speaker_0]


Uh, different account. Uh, can you share me the account ID? Uh, let me check
if cross-account support is enabled.

[Link],929 --> [Link],540 [speaker_3]


(mouse clicking)

[Link],800 --> [Link],960 [speaker_2]


I pasted in the chat already.

[Link],520 --> [Link],570 [speaker_0]


Okay. Mm, just a second. (mouse clicking) Okay. Cross-account is not supported.
Can you give me one case from this, uh, from that account? In the small one.

[Link],600 --> [Link],620 [speaker_2]


We don't have, uh, business support on that, in production. Shafik, you can also. Okay.

[Link],980 --> [Link],310 [speaker_0]


Because the cross-account is not support e- enabled,
that's why I would not be able to access the resources.
[Link],220 --> [Link],750 [speaker_3]
(mouse clicking)

[Link],840 --> [Link],040 [speaker_2]


What, uh, category should I, should I create for the support ticket? Is it under VPC?

[Link],100 --> [Link],180 [speaker_0]


Uh, no. U- open the using VPN. Yeah.

[Link],880 --> [Link],480 [speaker_2]


Okay. Category.

[Link],560 --> [Link],780 [speaker_0]


Uh, just mention general guidance or something. Yeah.

[Link],520 --> [Link],259 [speaker_2]


I put production assistant.

[Link],380 --> [Link],040 [speaker_0]


No, no, don't raise it with P1. This is another VPN now.

[Link],080 --> [Link],450 [speaker_2]


Okay. So general guidance.

[Link],480 --> [Link],060 [speaker_0]


It is working or it is, it is also facing some issue?

[Link],280 --> [Link],580 [speaker_2]


You can access to this case, uh, support case base number?

[Link],600 --> [Link],920 [speaker_0]


Yeah. Just send me the case ID in the chat. Just send, yeah.

[Link],950 --> [Link],530 [speaker_3]


There is no VPN connection in this account.

[Link],570 --> [Link],400 [speaker_4]


Okay, got that. Okay. So Shafiq, again, I don't think we can do anything for now.
Maybe we can wait for another dynamic trace. And then, uh, another source open,

[Link],400 --> [Link],250 [speaker_5]


We took a call from the number, but we couldn't put this one-

[Link],530 --> [Link],540 [speaker_4]


I mean-

[Link],540 --> [Link],430 [speaker_3]


(instrumental music) the, the, the, the-

[Link],690 --> [Link],480 [speaker_4]


... the issue here are-

[Link],480 --> [Link],880 [speaker_3]


Okay.

[Link],910 --> [Link],390 [speaker_5]


Mm-hmm.

[Link],410 --> [Link],470 [speaker_3]


Checkpoint.

[Link],490 --> [Link],670 [speaker_4]


They got AWS to accept today, right?

[Link],690 --> [Link],290 [speaker_5]


Mm-hmm.

[Link],350 --> [Link],290 [speaker_3]


Yes. Yeah.

[Link],310 --> [Link],110 [speaker_4]


Oh, run, your, your, your end la. We, we cannot... You're gonna see that lot, right?

[Link],210 --> [Link],559 [speaker_3]


Okay, yeah.

[Link],570 --> [Link],290 [speaker_4]


What was that? Okay, it's fine. So we open a new ticket and just get this ticket.

[Link],330 --> [Link],380 [speaker_3]


The water. But, uh, share me, uh, just where... Just share me-

[Link],470 --> [Link],480 [speaker_4]


Okay.

[Link],480 --> [Link],490 [speaker_3]


... the VPN connection ID in this account.
[Link],550 --> [Link],650 [speaker_4]
Okay.

[Link],130 --> [Link],200 [speaker_3]


Yes. Okay. You can share me the case ID once it's opened. Okay, just let me check.

[Link],250 --> [Link],020 [speaker_5]


Who is a butcher? Can you see the screen? Okay. Yeah.

[Link],070 --> [Link],330 [speaker_3]


I can't even understand.

[Link],790 --> [Link],020 [speaker_5]


(laughs)

[Link],020 --> [Link],510 [speaker_3]


These people are Chine- Singaporean, right?
(mouse clicking) (door closing) (mouse clicking) (coughing) (mouse clicking) Two. Three. Four.

[Link],570 --> [Link],100 [speaker_5]


Your path is also very dirty. Smelly, smelly.

[Link],330 --> [Link],990 [speaker_3]


Here it comes, one, one, one. (mouse clicking)

[Link],170 --> [Link],110 [speaker_5]


Fight a little. (mouse clicking)

[Link],250 --> [Link],790 [speaker_3]


What is the destination for this production VPN? Any destination prefix on AWS side?

[Link],830 --> [Link],030 [speaker_4]


Van? (mouse clicking) Source.

[Link],630 --> [Link],770 [speaker_3]


Or on AWS side what is? (mouse clicking) Ten, two, zero, five. (mouse clicking) (instrumental
music)

[Link],200 --> [Link],060 [speaker_0]


... that is successfully reachable.

[Link],000 --> [Link],450 [speaker_1]


No, no means from this, uh, VPN connection, are you able to reach the VPC endpoints and
everything?
[Link],500 --> [Link],230 [speaker_0]
Yeah. Yeah, yeah, I'm getting. Got it, right.

[Link],800 --> [Link],820 [speaker_2]


(mouse clicking)

[Link],320 --> [Link],840 [speaker_1]


Check the logs. (mouse clicking) Customer gateways. (mouse clicking) Okay, for this tunnel,
I'm seeing these are the phase two traffic selectors which is getting established. (mouse
clicking)

[Link],920 --> [Link],260 [speaker_0]


Wonder why they wonder why. They always like a plane.

[Link],920 --> [Link],520 [speaker_1]


Because all the, uh, pro- see, the inbound proposal is arriving from the CGW, and the same config is, uh,
for this VPN also on AWS side, uh, it is 00, means AWS will accept, uh,

[Link],680 --> [Link],360 [speaker_0]


Yeah, but wonder, wonder why is, uh, software public as data is, is also right.

[Link],480 --> [Link],860 [speaker_1]


Ours who I don't know why it is happening like this, who... See, I'm saying what logs are saying,
right? We are receiving inbound, uh, uh,

[Link],900 --> [Link],180 [speaker_0]


You know what? So in this case, if let's say you allow any, then why this one, uh, it is
successful,
the other one is not successful. So this why, if you see, uh, it might have an issue

[Link],240 --> [Link],040 [speaker_1]


See, the troubleshooting can be performed from the two ways, right?
So whatever we can troubleshoot from the AWS side with it. So we just need to check on aw-
um,

[Link],060 --> [Link],350 [speaker_0]


Yeah, I understand.

[Link],350 --> [Link],160 [speaker_1]


... incoming traffic-

[Link],170 --> [Link],230 [speaker_0]


I understand that.
[Link],230 --> [Link],210 [speaker_1]
... how it is behaving.

[Link],440 --> [Link],060 [speaker_0]


From our end, we follow the guide. We need to say that we mentioned what is our, uh, source
that we should com- uh, should that communicate with the AWS. We need to say that we follow-

[Link],080 --> [Link],840 [speaker_1]


Yes. Yeah, I understand.

[Link],850 --> [Link],900 [speaker_0]


... the first segment.

[Link],920 --> [Link],940 [speaker_1]


I understand you put, uh, what, uh,
phase two domain encryption you want to establish from checkpoint, right? But as you said-

[Link],220 --> [Link],250 [speaker_0]


Yeah.

[Link],250 --> [Link],460 [speaker_1]


... that this is going over any load balancer over the internet, right?

[Link],200 --> [Link],670 [speaker_0]


The one is just to choose the path because we have multiple internet.

[Link],670 --> [Link],520 [speaker_1]


Yeah. To choose the, to choose the path.

[Link],540 --> [Link],730 [speaker_0]


So any of the alternative network, or different, different network.

[Link],730 --> [Link],200 [speaker_1]


I understand. Is there any way, is there any way we can see the IP, uh,
domain encryption on checkpoint or phase two logs on checkpoint? What

[Link],210 --> [Link],210 [speaker_0]


Right.

[Link],210 --> [Link],760 [speaker_1]


... uh, sending to AWS?

[Link],770 --> [Link],220 [speaker_0]


Yes. You know what, what is funny, right?

[Link],240 --> [Link],290 [speaker_1]


Mm-hmm.

[Link],300 --> [Link],120 [speaker_0]


Uh, the public IP that you are showing us-

[Link],280 --> [Link],380 [speaker_1]


Yeah.

[Link],390 --> [Link],820 [speaker_0]


... the [Link]/32-

[Link],860 --> [Link],100 [speaker_1]


Mm-hmm.

[Link],170 --> [Link],870 [speaker_0]


... is owned by United States Department of Defense. (mouse clicking)

[Link],870 --> [Link],130 [speaker_1]


See private, uh, see-

[Link],280 --> [Link],360 [speaker_0]


But doesn't, doesn't, doesn't care like what, what IP is there-

[Link],380 --> [Link],390 [speaker_1]


Mm-hmm.

[Link],390 --> [Link],400 [speaker_0]


... but the thing is, uh, both production and the app-

[Link],410 --> [Link],410 [speaker_1]


Yeah.

[Link],410 --> [Link],420 [speaker_0]


... it should have been different IP. But why, why-

[Link],800 --> [Link],080 [speaker_1]


See, you see-

[Link],090 --> [Link],100 [speaker_0]


... uh, one session it works, the other ones doesn't work? If they say if this is an issue,
we need to see production also, does not work. Yeah. So I say I, I, we don't think this is an
issue.

[Link],140 --> [Link],250 [speaker_1]


Yeah.

[Link],250 --> [Link],510 [speaker_0]


Yeah, that one is clear.

[Link],560 --> [Link],090 [speaker_1]


See, what-

[Link],090 --> [Link],140 [speaker_0]


And there's some more. (mouse clicking) This is, this is worse for me, for Bungi, this is worse.
Because why? At least from the start, that one doesn't work. The last mentioned, uh, the one,

[Link],220 --> [Link],936 [speaker_1]


Uh, that's what I'm trying... That also was, uh, I'm trying to explain, right? These are all the-...
we need to understand which checkpoint is the initiator, right? I am not saying the checkpoint

[Link],076 --> [Link],336 [speaker_3]


Uh, that is, uh, um, I said, that's what I told you is now,
we just try to reset the tunnel from your end now. See whether you-

[Link],346 --> [Link],416 [speaker_1]


Initiate it.

[Link],426 --> [Link],426 [speaker_3]


... can initiate or not.

[Link],456 --> [Link],626 [speaker_1]


Initiate it on my end.

[Link],626 --> [Link],456 [speaker_3]


Initiate like back now.

[Link],356 --> [Link],396 [speaker_1]


Okay.

[Link],336 --> [Link],396 [speaker_3]


So, uh, yeah.

[Link],406 --> [Link],406 [speaker_1]


Mm-hmm.

[Link],416 --> [Link],916 [speaker_3]


If I want to initiate a tunnel from my end, then-

[Link],956 --> [Link],966 [speaker_1]


Uh-huh.

[Link],966 --> [Link],656 [speaker_3]


... I need to change the startup action, right?

[Link],816 --> [Link],056 [speaker_1]


Uh, yes. You need to change the startup action to s-

[Link],116 --> [Link],546 [speaker_3]


Okay.

[Link],816 --> [Link],335 [speaker_1]


Start, yeah.

[Link],406 --> [Link],556 [speaker_3]


Let me share my screen. (mouse clicking)

[Link],296 --> [Link],516 [speaker_1]


Oh, yeah.

[Link],576 --> [Link],786 [speaker_3]


Should be able to... Can you see my screen?

[Link],816 --> [Link],376 [speaker_1]


Uh, yes, it is visible.

[Link],396 --> [Link],306 [speaker_3]


Okay. So let's repair the tunnel.

[Link],306 --> [Link],676 [speaker_1]


Yeah, modify the tunnel options. Yeah. Can you scroll up a bit? Uh, just once. Uh, okay.

[Link],856 --> [Link],896 [speaker_3]


So we accept everything, any- anything?

[Link],956 --> [Link],825 [speaker_1]


Okay, it's default. Okay.

[Link],856 --> [Link],196 [speaker_3]


Yeah, it's default. So we just change this data-

[Link],376 --> [Link],605 [speaker_1]


Yeah.

[Link],605 --> [Link],496 [speaker_3]


... as start to-

[Link],536 --> [Link],566 [speaker_1]


Start. Yes.

[Link],635 --> [Link],635 [speaker_3]


Okay.

[Link],836 --> [Link],665 [speaker_1]


Yeah, you have to choose that. Select that option.

[Link],536 --> [Link],915 [speaker_3]


Okay. (mouse clicking) (thumping sound) (mouse clicking) Um. (mouse clicking) When did it
come up?

[Link],956 --> [Link],216 [speaker_4]


Don't know. Can't even hand over.

[Link],376 --> [Link],556 [speaker_3]


Why?

[Link],276 --> [Link],376 [speaker_4]


How many cases are there, which engineer will be available? Look. There are 125 cases in total, 6 live contacts,
and all the engineers are stuck, poor things. There's nobody to hand over to. Can't even hand over.

[Link],456 --> [Link],766 [speaker_3]


From SI to on-prem? From...

[Link],766 --> [Link],056 [speaker_1]


Mm. Yeah, if possible, try to initiate some traffic.

[Link],196 --> [Link],356 [speaker_3]


Okay. (mouse clicking)

[Link],456 --> [Link],175 [speaker_1]


Because I'm... Currently, I am not able to see logs because you just recently modified the
tunnel, so it will take time for me to generate the logs. (mouse clicking) Okay. Startup action, I'll add.

[Link],256 --> [Link],956 [speaker_3]


Okay, yeah.

[Link],936 --> [Link],116 [speaker_1]


Oh wait, it came up. Yeah, but I would not be able to see log for a few more minutes. Let me-

[Link],276 --> [Link],396 [speaker_3]


Yeah, we're waiting for that. (mouse clicking)

[Link],544 --> [Link],444 [speaker_1]


Checkpoint is in responder mode.

[Link],984 --> [Link],884 [speaker_5]


Yeah.

[Link],024 --> [Link],704 [speaker_1]


Checkpoint is in initiator mode or in responder mode?

[Link],584 --> [Link],723 [speaker_0]


I'm having a DPD timeout.

[Link],824 --> [Link],364 [speaker_1]


DPD timeout. Okay. Means Checkpoint is not responding to the phase one. So is it like
Checkpoint is in initiator mode or is in responder mode?

[Link],884 --> [Link],744 [speaker_0]


Let's wait for Hafiz. Try again.

[Link],343 --> [Link],384 [speaker_5]


So we are making traffic but since like we are having DPD timeout.

[Link],824 --> [Link],544 [speaker_0]


You try to ping away.

[Link],604 --> [Link],924 [speaker_5]


I try to ping also.

[Link],324 --> [Link],324 [speaker_0]


You three. You three. You try to ping to what IP?

[Link],364 --> [Link],843 [speaker_5]


One two four dot one one.

[Link],284 --> [Link],843 [speaker_6]


Seven forty three.

[Link],124 --> [Link],364 [speaker_0]


Not receiving it.

[Link],364 --> [Link],223 [speaker_5]


Not receiving it. Okay.

[Link],233 --> [Link],384 [speaker_1]


Okay. I can see phase one came up again.

[Link],424 --> [Link],004 [speaker_5]


Yeah. Came up and then down. Stability.

[Link],064 --> [Link],873 [speaker_0]


Now from me I can see it's up.

[Link],924 --> [Link],243 [speaker_5]


Oh, up.

[Link],124 --> [Link],233 [speaker_1]


In that time. Let's say I could see.

[Link],233 --> [Link],723 [speaker_5]


I need to connect from open with Rajendra. Is that you then?

[Link],884 --> [Link],834 [speaker_1]


Yeah, I need your help to connect again to... where?

[Link],864 --> [Link],404 [speaker_5]


To the other one. It's not working, huh? Okay. Look, I'm supposed to be-

[Link],944 --> [Link],964 [speaker_0]


Right now for your um... for your phase one and phase two encryption or this thing, right?
You set all you put specific.

[Link],684 --> [Link],924 [speaker_5]


All on.

[Link],944 --> [Link],404 [speaker_1]


For specific. If Ahmad if you want to put a specific CIDR on this IP side on AWS,
you would not be able to edit this. You might-- yeah. We won't be able to edit the configuration.

[Link],264 --> [Link],483 [speaker_5]


Oh, yeah.

[Link],554 --> [Link],664 [speaker_1]


If you want to-- if you want to start the connection, then we cannot put a special IP here. Yeah.
You have to delete this VPN connection or either create a new one.

[Link],684 --> [Link],483 [speaker_5]


So if you want to initiate then we cannot put the special IP here. We only put any, any.

[Link],544 --> [Link],674 [speaker_1]


Yeah.

[Link],084 --> [Link],264 [speaker_5]


Okay.

[Link],424 --> [Link],094 [speaker_1]


If, if there is no any other traffic is going via this VPN connection and as you said,
it's already in the DR site so you can make the change.

[Link],044 --> [Link],124 [speaker_5]


Shafy, take over, I want to pray.

[Link],184 --> [Link],584 [speaker_6]


Okay. Okay. Okay. So we are doing the outflow free product from the same source.
We can connect to this destination and put it in the chat. So I try to tell that to see

[Link],023 --> [Link],894 [speaker_5]


Idiots katang. (whispering)

[Link],924 --> [Link],404 [speaker_1]


Idiots katang. Idiots. (whispering)

[Link],684 --> [Link],813 [speaker_6]


Walnut

[Link],813 --> [Link],154 [speaker_1]


Walnut? One year old.

[Link],154 --> [Link],404 [speaker_6]


One year old.

[Link],414 --> [Link],424 [speaker_1]


Manan has brought it. Don't eat it. I will not bring it for you. I said whatever you eat,
spit it out. Are you feeling bitter? No. Then it's fine. If you are feeling bitter.

[Link],444 --> [Link],954 [speaker_6]


How can it be a year old?

[Link],954 --> [Link],674 [speaker_1]


Anjan, my life.

[Link],674 --> [Link],724 [speaker_5]


Hey, life. Life.

[Link],784 --> [Link],263 [speaker_1]


Look, I was giving scenarios for you. Do you know where it is? Let me open this class and see.
I cannot do it. There is no connection modifying or anything

"Okay, so here is the thing, Josh. I've updated the case with the information, so I'll be sending
you an email with the details.

So, I think, uh, we need to know where the application is because that is the application which is
using the SSO from the Identity Center.

So, if you can, uh, inform on the case, if you would be able to find where the application is
residing. So, according to that, we can plan, like, uh, if we need to proceed with the manual
rotation of the certificate, or if we need to proceed with the new application setup.

So, it's totally up to you. Uh, just keep me updated on the case so I can manage accordingly.

Yeah, I think you need to have a check on your Notion, if there is any application details, or I'm
not sure if the other person is there or not who set up these things. So, if you can check on the
Notion.

I'll be also trying to find the application, if I can find, through the logs or something. But, I don't
think it would be that simple.

So, if you can just check from your end, if you can find the application detail, and if you can
provide it, so we can proceed with the certificate rotation.

Yeah, so it is, it is not, uh, using any external IDP, it is using its own Identity Center. So, if you
can find the application that is associated with that Identity Center, then it is an easy job for us.

Yeah, I'll be waiting for your response on the case.

Okay. Thank you, Josh. Bye-bye."


"I am currently looking at the account **6482**, and in this account, there is no identity center
active. There is no Amazon SSO configured.

So, in the original account, the **9105** one, this is where the identity center resides. And in
this, currently, the only thing active is the **AWS Access Portal**. And it seems that it is using
the **default identity source**, which is the **AWS SSO itself**.

So, that is why it is not, uh, using a third-party IDP like an Azure or an Okta or any of the third-
party ones.

Okay, so the current setting is that it is using **AWS Directory Service** with a **default
directory**. And the authentication is happening through its **default identity source**.

So, as we were discussing, we just need to, uh, if you, uh, check with the team, if there is a
problem, or if there is no problem, so the easy solution would be just to **rotate the metadata
certificate** of the application.

So, if you are able to find, uh, the other account where the application is there, then we can
**download the metadata** from there and **upload it** in the original account to fix the
problem.

But, if there is an urgent need, then, as we discussed, we'll have to **create a new application**
and set up the whole process again.

So, it's totally up to you. If you want to proceed with the first solution, we can wait for the team to
respond, or if you want to proceed with the second solution, then we can start the work on
**creating a new application** and setting up the SSO and the access.

Uh, can you confirm that the application is there in the other account? And in this account, the
application is not there.

Okay, so I think, uh, we need to know where the application is.

So, as we see, there is no application here in the **6482** account. So, where is the application
residing?

So, if you can ask your team, where is the application?

Okay, so no worries. I think the issue is not that simple.

Okay, I'll update the case with the information that the Identity Center is active on the **9105**
account.
Yeah, it's currently using the **default identity source**, which is the **AWS SSO itself**.

And there are no applications registered here.

Okay, no problem. If you can provide the application details on the case, I'll be updating you on
the things.

Yeah, I'll update the case and I'll send you an email on the case.

Okay, thank you, Josh. Bye."


"Yeah, just one there. I didn't see.

Yeah, I didn't see center. This exists. It only, the identity center only exists in our regular
account.

Yeah, if in this account it doesn't exist. Yeah, for all the other accounts it seems to have one.
The identity center is active here, but there are no applications inside it.

Okay. I mean this one is not that account. Yep, they're not the same account. I'm looking at the
HGM management account right now, but it has...

By the way, any chance would you be able to get that information? In which account you have
the AWS SSO setup?

Um, it was set up a long time ago by people who aren't here anymore. I might be some, I might
be able to try ask around a few more people on their notion. Because we simply need to just
rotate that certificate from the Identity Center. Yeah. Yeah. So that is, uh, that would be the
same step. You will just generate the new metadata from the Identity Center and upload it here
on your original account. And again disassociating things, subnets and associating, so you
would be able to get connect. Earlier we thought like it is using an external IDP like Azure or
Google, but it has its own, it's using its own AWS SSO. Yeah. Well, I suppose we'll check the
log and see what we can find. You are to check that. Otherwise if there was an external IDP,
then there was no issue, but there are multiple AWS account. So you're not sure in which
account the SSO is there. All right. Well, I suppose we'll check the log and see if we can figure
something out. Yeah, or else, uh, yeah. Okay, no problem. You can just check if you don't found
or you will not be able to found then the another solution is to create a new application. Uh
yeah. Yeah, that is another way to have the client be up and running. Yeah. Sure. Okay. Okay,
so no issues. Uh okay, I'll be just managing this case throughout the time. So you can just
update on the case if you would be able to found or not. So accordingly we can plan like if you
want to proceed with the new application setting up or not, so all the things. Okay, sounds good.
Yeah. Okay. Sure. I'll just provide you the brief on the case, what we checked and what we
found. So... Okay, so I think we can conclude this call for now, Josh. Are you okay? Yeah.
Yeah. Just let me know if you would be able to find that thing so we can then there is an easy
job, we just we'll just need to rotate the certificate. That's it. Sounds, sounds good. Thanks.
Okay, sure. Yeah. No problem. Okay, bye. Thank you, Josh."
This call at 6pm today.
Okay. For 6pm okay. For 6pm I would not be there. My shift will be over around four. So I need
to hand over then this case to another engineer.
Not a problem. Just give me a second. What is your time on Monday?
Monday would be the same, 9am to 4pm. Sorry, I think my shift is getting changed from Monday.
So I would not be available on Monday. I'll be available from Tuesday to Saturday.
Sunday.
No, I need to hand over them.
Okay. Tomorrow you are available Saturday. No. Right? Yeah. Okay.
So like what is the context? Like what is the issue?
Context is like the traffic is not coming through.
Okay.
So I need to get some information. That is what I'm waiting. Can we set up this call at 3:30 if
your shift is ending, that's fine. 4:30. 3:30 before it's fine.
Okay. In the meantime. Yeah, 3:30 then that would be the same. After 4 I need to hand over.
Then you don't need to give all the information to another engineer. So that would with the case.
So. So if you want me to troubleshoot something, I can do it after the call as well. There is no
issue. You can just provide me the details like resources on AWS which are trying to, you know,
reach on Prem. So I can just. Yeah, so I can do it offline also and provide you the update on the
case before the shifts.
Okay, so give me a second. Let me try to. What? We can do that. Yeah, I need couple of time
for this.
So we can. What we can do is we can schedule it for tomorrow and maybe another engineer
from the AWS will join the call.
I don't think that will be fantastic.
Yeah. So you can tell me the time.
Not tomorrow, on Monday.
Okay, on Monday. What time?
Monday at 11am.
Monday, 11am. Yeah, 11am is available.
Yes. Yeah, apologies because. Because I need some time for this to get some information.
Then I'll come back to you guys. That is fine, right?
You can reach out anytime. There is no issue.
Okay. Okay. Yeah. Thank you guys. I'll. I'll connect you back.
Okay, thank you. Thank you so much Yash for joining. Thank you. Kidnapade ublawa under
daldia basavi chalutundiknao.
Fry garlic and.

Not yet. I was just checking, and I think it’s fine for those two weeks as well. The routing looks
fine for these three weeks too. I might suspect that the traffic is getting dropped somewhere.
Is it because the traffic isn’t traversing over the DX? Otherwise, it should be visible in the DX
attachments or flow logs. It’s leaving Alibaba Cloud, but somewhere in the middle, it’s getting
dropped and not reaching AWS.

Let me check if I can find any logs. If I find something, can you email me back on this case?

Yeah, sure.

Okay. I think if I get something from the backend, I’ll put it on the case. If you get any updates,
just let me know.

I’ll update and close it once done.

Okay, sure. Thank you.

Thank you. AWS Direct Connect is already connected.

Okay. Hello? +1 021920025. Windows support, Active Directory, Windows right side, Windows.
Okay.

Enterprise applications, EAP. Okay. Bye.

From AWS side I think there is something much more you can check. Let me see the
attachment metrics. There is anything dropped on getting dropped on attachments.
Okay. From Alibaba side. Actually I'm able to see both in and out. Hello.
Yes.
Yeah, so this is. Okay, this is from Alibaba side. So just looking like source of destination.
Anything. Anything over here. See, I'm able to see like both in and out. It's already gone from
here. If you see here I can see both in, out, everything. Like if it is in only working means it
should only show me in, right?
Yeah.
Here I can see both in, out. Everything is in accepted as well.
Okay, but if that is the case, why it is not reaching? Ew.
Just keep in a minute. I can see something from answer Kitty. Looks right now. I think sprinting.
My screen.
Okay.
Okay. You started receiving the logs?
Yes, this. This is.
Okay, just type it in the filter first. Source ID and space destination. I.
Just.
It's 93 I think 239. Just refresh the filter. Set it to 30 minutes. This 1080 is already only getting
advertised on this. There is no other before which it is.
I don't think so. 1084, right?
Yeah.
Okay. We have multiple.
Yeah. Okay. There. That is not issue. It is multiple VLANs or leaves. Traffic should to come over
here.
This again initial anything when we are doing something. Uhhuh. Because anyway there is
some kind of outing with this person. That's the reason why when we are doing the dump over
itunes.
And so for this NRT region, you have only one virtual interface, right, over DX?
On which one?
On like between Alibaba, like your on-prem and AWS, we have.
We have multiple.
For NRT, I'm seeing only one. There are interfaces in AP South. In AP South there are other
interfaces.
Yeah. Okay.
That is. This is a different configuration than it is attached with Trying to transit virtual. Just try to
initiate pink again this pectoral again with the source and machine.
Over here.
Traffic it's not itself is not reaching here on the DX attachment. This one is the current working,
right or non working.
So non working one.
It. I think the route or traffic is getting dropped in between them before reaching to AWS.
It might drop from the provider side.
There are two things like traffic itself. Because if traffic is getting dropped on the provider side.
Right Then from the working for the. For the working it will not work because for that you are
also using the same interface or virtual interface. Right. So I think this is something on the
instance Level which is not allowing traffic to leave the instance.
But if okay from. From Alecloud if it is moved, leaving means I won't be able to get in that VPC
product for Maliclav side, Right? But some people follow them getting things like both in and out
and everything is accepted as well because it's the same same IP which I'm trying. Everything
is. Because I think so. So from Ali cloud side I think we are good. Why? Because it's like it's
coming like we are able to see the things as well. And it is leaving from Aliflor as well. But it is
not reaching aws. So some kind of routing issue happening from AWS side is something which
I'm suspecting as well.
This is NDX obtain 85. It will take direct column 10.18. Just filter that flow logs have been See if
we would have received any traffic on attachments.
This is the test one we have, right?
Yeah, right. That is. I think that is the weakness. You are type one because first the traffic will
land on that. No, not the. Because the traffic from on Prem will.
First I was here. It's coming to VPC attachment All. All the traffic.
Yeah, you can see the source attachment. Source attachment is your DX, right?
Okay.
That is your source attachment. So the first traffic will land on this attachment and then it will go
to your VPC attach. Don't know why traffic for 180 is not reaching Deal. It is getting advertised
over the. Can you share me these two whiffs? Just go back to that virtual interface again NRT
region.
The one which I have shared with you previously.
No, the earlier two which you have. Which. Yeah, this. This Below two. Below two. Yeah, this to
share. Let me see what is the routing in this? Also. Received. This one associated with cmdx.
Just allow me a few minutes. I'll change this to this.
Yes, sure. Can I give.
Sure. Yeah. Okay.

SPK_1
1:20
There is much more you can check.

SPK_1
1:23
Let me see the attachment matrix.

SPK_1
1:27
If there is anything dropped on.

SPK_1
1:28
Getting dropped on attachments.

SPK_2
3:01
Okay.

SPK_2
3:01
From Alibaba side.

SPK_2
3:02
Actually I'm able to see both in and out.

SPK_2
3:10
Hello.

SPK_1
3:12
Yes.

SPK_2
3:14
Yeah, so this is.

SPK_2
3:15
Okay, this is from Alibaba side.

SPK_2
3:18
So just looking like source of destination.

SPK_2
3:20
Anything.

SPK_2
3:20
Anything over here.

SPK_2
3:22
See, I need to see like both in and out.

SPK_2
3:25
It's already born from here.

SPK_2
3:28
If you see here I can see both in, out.

SPK_2
3:32
Everything.

SPK_2
3:34
Like if it is in only working means it should only show me in, right?

SPK_1
3:39
Yeah.

SPK_2
3:39
Here I can see both in, out.

SPK_2
3:41
Everything is in accepted as well.

SPK_1
3:53
If that is the case, why it is not reaching AWS?

SPK_2
4:21
Just keep in mind.

SPK_2
4:52
Okay, thank you.

SPK_2
6:11
I can see something from answer KP logs right now.

SPK_2
6:16
I think printing.

SPK_2
6:19
I'm just sharing my screen.

SPK_2
6:20
Yeah.

SPK_2
6:22
Okay.

SPK_2
6:23
So.

SPK_1
6:25
Okay, you started receiving the logs.

SPK_2
6:28
Yes, but this.

SPK_2
6:33
This is not type.

SPK_2
6:35
You can.

SPK_1
6:36
Okay, just type it in the filter first.

SPK_1
6:39
Source IP and space destination.

SPK_1
6:40
I.

SPK_1
7:31
Just refresh the filter.

SPK_1
7:32
Set it to 30 minutes.

SPK_1
8:05
This 10:1.

SPK_1
8:06
It is already only advertonic getting advertised on this.

SPK_1
8:10
If there is no other before which it is.

SPK_2
8:14
I don't think so.

SPK_2
8:16
1085, right?

SPK_1
8:18
Yeah.

SPK_2
8:22
Okay.

SPK_2
8:23
1085 is from under.

SPK_2
8:27
We have multiple.

SPK_1
8:30
Okay, okay.

SPK_1
8:31
There.

SPK_1
8:31
That is not issue.

SPK_1
8:33
It is multiple VLAN for a week.

SPK_1
8:38
Traffic should come over here.

SPK_2
8:41
This again initiate when we are doing.

SPK_2
8:47
Because anyway there is some kind of counting, which is possible.

SPK_2
8:51
That's the reason why when we are doing the dump over.

SPK_1
8:57
So for this NRT region, you have only one virtual interface, right?

SPK_1
9:03
Over DX.

SPK_2
9:06
On.

SPK_2
9:06
On which one?

SPK_1
9:07
On.

SPK_1
9:08
Like between Alibaba.

SPK_1
9:10
Like your on-prem and AWS.

SPK_2
9:12
We have.

SPK_2
9:13
We have multiple.

SPK_1
9:16
For NRT I'm seeing only one.

SPK_1
9:21
And there are interfaces in AP.

SPK_1
9:28
In AP south there are other interfaces.

SPK_1
10:02
Okay.

SPK_1
10:02
That is.

SPK_1
10:04
This is a different configuration.

SPK_1
10:06
Then it is fine.

SPK_1
10:07
It will attach with different transit virtual.

SPK_1
10:24
Just try to initiate ping again.

SPK_1
10:26
This filter here again with the source.

SPK_2
10:31
Over here.

SPK_1
10:43
Traffic it's not itself is not reaching here on the DX attachment.

SPK_1
11:10
This one is the current working, right?

SPK_1
11:12
Or non working.

SPK_2
11:15
So non working.

SPK_2
11:36
It's.

SPK_1
12:02
The route or traffic is getting dropped in between them.

SPK_1
12:05
Before reaching to AWS.

SPK_2
12:09
It might drop from the provider side.

SPK_1
12:15
There are two things like traffic itself.

SPK_1
12:18
Because if traffic is getting dropped on the provider side, right?

SPK_1
12:22
Then from the working for the.

SPK_1
12:26
For the working it will not work.

SPK_1
12:28
Because for that you are also using the same interface or virtual interface, right?

SPK_1
12:34
So I think this is something on the instance level which is not allowing traffic to leave the
instance.

SPK_2
12:44
Okay.

SPK_1
12:44
From.

SPK_2
12:44
From any cloud if it is moved easing means I won't be able to get again that VPC product from
Ali cloud side.

SPK_2
12:50
Right.

SPK_2
12:51
But some people follow them getting things like both in and out and everything is accepted as
well.

SPK_2
13:00
Because it's the same same IP which I'm trying.

SPK_2
13:03
Everything is.

SPK_2
13:31
Because I think so from Ali cloud side.

SPK_2
13:33
I think we have goodbye because it's like it's coming like we are able to see the things as well.

SPK_2
13:40
And it is leaving from aliplor as well.

SPK_2
13:42
But it is not creating a reposal.

SPK_2
13:45
Some kind of routing issue happening from AWS side is something which I'm suspecting as
well.

SPK_1
14:11
This is NDX obtain 85.

SPK_1
14:17
It will take direct 180.

SPK_1
14:31
Just filter that flow logs again.

SPK_1
14:34
Let's see if would have received received any traffic on attachments.

SPK_2
15:04
No, This is the attachment we have, right?

SPK_1
15:45
Yeah.

SPK_1
15:45
Right.

SPK_1
15:47
That is.

SPK_1
15:47
I think that is the VPC attachment.

SPK_1
15:52
Because first the traffic will land on that DX.

SPK_1
16:04
No, not the VP attachment.

SPK_1
16:06
Because the traffic from on-prem will first.

SPK_2
16:12
Here it's coming to VPC attachment.

SPK_2
16:16
All.

SPK_2
16:17
All the traffic.

SPK_1
16:20
Yeah.

SPK_1
16:20
You can see the source attachment.

SPK_1
16:22
Source attachment is your DX, right?

SPK_2
16:25
Okay.

SPK_1
16:26
That is your source attachment.

SPK_1
16:32
So the first traffic will land on this attachment and then it will go to your VPC attachment.

SPK_1
16:46
Don't know why traffic for 180 is not reaching till it is getting advertised over the.

SPK_1
16:58
Can you share me these two whiffs?

SPK_1
17:02
Just go back to that virtual interface again NRT region.

SPK_2
17:10
The one which I have shared with you previously.

SPK_1
17:13
No, the earlier two which you have.

SPK_1
17:15
Which.

SPK_1
17:16
Yeah, this this.

SPK_1
17:17
Below two.

SPK_1
17:19
Below two?

SPK_1
17:20
Yeah, yeah, this too.

SPK_1
17:23
Let me see what is the routing in this Also.

SPK_1
18:39
This one is associated with cx.

SPK_1
18:46
Just allow me a few minutes.

SPK_1
18:48
I'll chat this to you.

SPK_2
18:51
Yes, sure.

SPK_2
18:52
Can I give.

SPK_2
18:53
I'll just take your voice and come.

SPK_1
18:55
Sure.

SPK_1
18:55
Yeah.

SPK_2
18:56
Okay.

SPK_2
18:59
It.

This is the two VLANs with the 24 I think yeah yeah okay 10, 1, 3, 0 and 5 okay And for the
working VPN, which route are you advertising? [Link]. [Link], okay. [Link], okay. Route
received on DX, it's 10.1. All right, okay, let me check the VPN. this VPN is present in different
account it's in or it's in the same okay it's in the same zero oh just a few minutes I'll go through
the configuration hmm 10, 12, 13, 14, 15.
