Cisco ASA - AWS Static VPN

Hi Folks,

I have a static site-to-site IPsec VPN configured between the ASA and AWS. It is working fine. I have two issues:

1. The SLA monitor fails to work. Even though I can ping the AWS interesting IP using the private internal interface of the ASA, the same does not work in the SLA configuration.

sla monitor 1
 type echo protocol ipIcmpEcho 172.27.0.20 interface INSIDE
 frequency 5
sla monitor schedule 1 life forever start-time now

I get these messages logged:

Mar 12 18:35:08 fwc-04p : %ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity Ifc:10.1.253.14/0 to INSIDE:172.27.0.20/0

2. The two public IPs on AWS are configured as primary and backup peers on the ASA. Now, since the interesting traffic is the same, how can both interfaces on AWS ever be up at the same time? Traffic will only go to the first one, and to the second only if the first one cannot be reached for some reason. And I keep getting emails from Amazon that the second interface is down.
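As an added example (not part of the original post, and not Cisco's or AWS's code): a small Python parser for the %ASA-6-110003 message quoted above, run over constructed sample log lines, that groups the routing failures by flow and separates the ones the ASA originated itself (source "NP Identity Ifc", which is where SLA echo probes show up) from transit traffic. The sample lines, including the unrelated fourth message, are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample lines (not from a real device). The first two mirror the
# %ASA-6-110003 message quoted in the post; the fourth is an unrelated message
# in a simplified format that the parser must ignore.
SAMPLE_LOG = """\
Mar 12 18:35:08 fwc-04p : %ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity Ifc:10.1.253.14/0 to INSIDE:172.27.0.20/0
Mar 12 18:35:13 fwc-04p : %ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity Ifc:10.1.253.14/0 to INSIDE:172.27.0.20/0
Mar 12 18:35:14 fwc-04p : %ASA-6-110003: Routing failed to locate next hop for udp from INSIDE:10.1.253.50/514 to OUTSIDE:198.51.100.9/514
Mar 12 18:35:15 fwc-04p : %ASA-6-302020: Built outbound ICMP connection for faddr 172.27.0.20/0 gaddr 10.1.253.14/0 laddr 10.1.253.14/0
"""

# Field layout of message 110003 as shown in the post:
#   from <src_if>:<src_ip>/<src_port> to <dst_if>:<dst_ip>/<dst_port>
# The source interface name may contain spaces ("NP Identity Ifc"), hence .+?
MSG_110003 = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) : %ASA-(?P<sev>\d)-110003: "
    r"Routing failed to locate next hop for (?P<proto>\S+) from "
    r"(?P<src_if>.+?):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>.+?):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)$"
)

# Pseudo-interface the ASA reports for traffic it sources itself (SLA probes,
# syslog, etc.) as opposed to transit traffic between real interfaces.
SELF_ORIGINATED_IF = "NP Identity Ifc"

def parse_110003(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a 110003 line, or None for any other line."""
    m = MSG_110003.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text: str) -> Counter:
    """Count 110003 events per (proto, src_if, dst_if, dst_ip) flow."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        f = parse_110003(line)
        if f:
            counts[(f["proto"], f["src_if"], f["dst_if"], f["dst_ip"])] += 1
    return counts

def self_originated(counts: Counter) -> Dict[Tuple[str, str, str, str], int]:
    """Keep only flows the ASA sourced itself, e.g. failing SLA echo probes."""
    return {k: n for k, n in counts.items() if k[1] == SELF_ORIGINATED_IF}

if __name__ == "__main__":
    for (proto, src_if, dst_if, dst_ip), n in sorted(summarize(SAMPLE_LOG).items()):
        tag = " [box-originated]" if src_if == SELF_ORIGINATED_IF else ""
        print(f"{n:3d}x {proto} {src_if} -> {dst_if}:{dst_ip}{tag}")
```

A repeated box-originated entry for the SLA target, as in the post, points at the ASA's own routing for the probe rather than at transit traffic through the tunnel.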

Hello Naresh,

There are quite a few things that can cause this error.

What do you use on the AWS side?

Do you have a config example of the ASA and what you use on the AWS side? This can be related to routing or NAT.

Rene