ASA VPN VTI tunnels to AWS with Asymmetric BGP Routing

Hello guys, thanks for taking the time to read this.
I am new to VPN and I am in the process of learning VPN as I work for a local company and this architecture is absolutely amazing.
Nevertheless there are still some things I don’t understand. I do have a customer who presented the following concern:

We have VTI tunnels (primary and secondary) with Mulesoft (AWS) and it looks like there is asymmetric routing introduced by AWS.
Is there a way that we can permit that on the ASA firewall?
We looked at another option - to use BGP with a prefix to force the AWS side not to use the asymmetric route - but we are not sure which is the better option.
Attaching the show tech; the VTI tunnels in question are:
interface Tunnel9
interface Tunnel10
interface Tunnel11
interface Tunnel12

First of all, I am not sure if the ASA will be able to handle Asymmetric routing through the VTI tunnels.

This is the version that my customer is using:
Cisco Adaptive Security Appliance Software Version 9.12(4)50
SSP Operating System Version 2.10(1.207)
Device Manager Version 7.18(1)152

I absolutely appreciate all the help you guys can provide me regarding this.

Hello Johan

It seems that your issue is not unique, which is great because you can rely on the experience and best practices that others have applied as well.

Doing a bit of research, I have found that when you have redundant VPN connections to AWS, asymmetric routing does take place. Communication that takes place via one tunnel is responded to via the other. The ASA drops such responses by default.

Yes, that is possible, however, when using BGP to influence the routing behavior for incoming traffic from the neighboring AS (AWS in this case), you must remember that the neighboring AS always has the last say. They can override any of your attempts to influence routing. Some attempts to do so may also be considered hostile by AWS and may go contrary to contractual obligations as well. Look at this NetworkLessons note on influencing incoming traffic using BGP.

Your best bet would be to talk with AWS and let them know what you’re trying to do, so that they can suggest a solution to you from their end. They may be able to adjust their routing to conform more to what you need. This may involve using BGP, but coordinating your efforts with them would be the best bet.

The following is another instance of this problem as described by a user that was resolved that may also be of help:

I hope this has been helpful!


1 Like
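Before asking AWS to change anything, it is worth confirming on the ASA itself that the drops are really the asymmetric-return case the answer above describes. The script below is an added example, not code from this thread or from NetworkLessons: it parses ASA syslog lines for the two messages the ASA emits when a reply arrives on a tunnel the original request did not leave through (106015, "Deny TCP (no connection)", and 106021, "reverse path check"), keeps only events on interfaces named `Tunnel*`, and reports which tunnels are accumulating such drops. The log lines embedded in it are constructed for illustration; the interface names and addresses are assumptions, and the `threshold` parameter and the `Tunnel` prefix filter are choices of this example, not ASA settings.

```python
"""Spot asymmetric-return drops on ASA VTI tunnels from syslog.

Added example for the thread above, not code from the original post.
Assumptions: the ASA logs at informational level so that 106015
(TCP 'no connection') and 106021 (reverse path check) appear; the
tunnel interfaces are named Tunnel*.  All sample lines are constructed.
"""
import re
from collections import Counter

# Constructed sample lines; addresses and interface names are invented.
SAMPLE_LOGS = [
    # Request left via Tunnel9, reply came back on Tunnel10 -> dropped.
    "%ASA-6-106015: Deny TCP (no connection) from 10.50.1.20/443 to 192.168.10.15/52100 "
    "flags SYN ACK on interface Tunnel10",
    "%ASA-6-106015: Deny TCP (no connection) from 10.50.1.20/443 to 192.168.10.15/52101 "
    "flags SYN ACK on interface Tunnel10",
    # RPF drop: source arrived on an interface the routing table does not expect it on.
    "%ASA-1-106021: Deny TCP reverse path check from 10.50.1.21 to 192.168.10.15 "
    "on interface Tunnel12",
    # Normal permitted connection, unrelated to the tunnels.
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51234 "
    "(203.0.113.5/51234) to inside:192.168.10.15/22 (192.168.10.15/22)",
    # Same drop type on a non-tunnel interface; excluded by the Tunnel filter.
    "%ASA-6-106015: Deny TCP (no connection) from 198.51.100.9/80 to 192.168.10.15/40000 "
    "flags ACK on interface outside",
]

# 106015: reply packet for which the ASA holds no connection entry.
PAT_NO_CONN = re.compile(
    r"%ASA-\d-106015: Deny (?P<proto>\S+) \(no connection\) "
    r"from (?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\S+)$"
)
# 106021: unicast RPF failure, packet arrived on an unexpected interface.
PAT_RPF = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\S+) reverse path check "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)$"
)


def parse_drop(line):
    """Return a dict for a 106015/106021 line, or None for anything else."""
    m = PAT_NO_CONN.search(line)
    if m:
        return {"kind": "no_connection", "proto": m["proto"],
                "src": m["src"], "dst": m["dst"], "iface": m["iface"]}
    m = PAT_RPF.search(line)
    if m:
        return {"kind": "rpf", "proto": m["proto"],
                "src": m["src"], "dst": m["dst"], "iface": m["iface"]}
    return None


def tunnel_drops(lines, iface_prefix="Tunnel"):
    """Count drops per (interface, remote source, drop kind), tunnels only."""
    counts = Counter()
    for line in lines:
        d = parse_drop(line)
        if d and d["iface"].startswith(iface_prefix):
            counts[(d["iface"], d["src"], d["kind"])] += 1
    return counts


def suspected_asymmetric_tunnels(lines, threshold=1, iface_prefix="Tunnel"):
    """Tunnel interfaces whose total asymmetric-style drops reach threshold."""
    per_iface = Counter()
    for (iface, _src, _kind), n in tunnel_drops(lines, iface_prefix).items():
        per_iface[iface] += n
    return sorted(i for i, n in per_iface.items() if n >= threshold)


if __name__ == "__main__":
    for key, n in sorted(tunnel_drops(SAMPLE_LOGS).items()):
        print(f"{key[0]:10s} from {key[1]:15s} {key[2]:14s} x{n}")
    print("suspect tunnels:", suspected_asymmetric_tunnels(SAMPLE_LOGS))
```

In practice you would feed it the buffered log (`show logging`) or an export from the syslog collector rather than the embedded sample, and compare the interfaces it reports against the tunnel pairs in the show tech: a steady stream of 106015 replies landing on the secondary tunnel for flows that were opened over the primary is exactly the symptom the answer above attributes to AWS returning traffic over the other tunnel.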

This has been extremely helpful. Thanks a lot for the response!

1 Like