By default, instances that we launch into an Amazon VPC can't communicate with our on-prem network. We can enable access to our network from the VPC by creating an AWS managed Site-to-Site VPN connection, and configuring routing to pass traffic through the connection.
A single Site-to-Site VPN connection consists of two VPN tunnels between a single customer gateway device and a transit gateway or virtual private gateway.
Diagram
Problem
When we have Primary and Secondary tunnel configured with BGP on AWS, ASA may send the traffic via Tunnel-1 and the return traffic may arrive at Tunnel-2 which causes asymmetric routing and the return traffic gets dropped by ASA for obvious reasons.
Solution
When we use an active/active configuration, AS_PATH prepend and Local-Preference can be used to tolerate asymmetric routing.
Configure AS-PATH prepend to manipulate traffic coming into your AS. Configure local-pref to manipulate the outgoing traffic. So, Tunnel-1 is used for both outgoing and incoming traffic.
ASA Configuration snippet
route-map LOCAL-PREF permit 10
set local-preference 200
route-map PATH-PREPEND permit 10
set as-path prepend 64660 64660
router bgp 64660
address-family ipv4 unicast
neighbor 169.254.15.1 remote-as 64600
neighbor 169.254.15.1 timers 10 30 30
neighbor 169.254.15.1 activate
neighbor 169.254.15.1 route-map LOCAL-PREF in
neighbor 169.254.15.5 remote-as 64600
neighbor 169.254.15.5 timers 10 30 30
neighbor 169.254.15.5 activate
neighbor 169.254.15.5 route-map PATH-PREPEND out
network 10.10.0.0
no auto-summary
no synchronizationThanks for reading
As always, your feedback and comments are more than welcome.
