By default, instances that we launch into an Amazon VPC can't communicate with our on-prem network. We can enable access to our network from the VPC by creating an AWS managed Site-to-Site VPN  connection, and configuring routing to pass traffic through the connection.

A single Site-to-Site VPN connection consists of two VPN tunnels between a single customer gateway device and a transit gateway or virtual private gateway.

Diagram

Problem

When we have Primary and Secondary tunnel configured with BGP on AWS, ASA may send the traffic via Tunnel-1 and the return traffic may arrive at Tunnel-2 which causes asymmetric routing and the return traffic gets dropped by ASA for obvious reasons.

Solution

When we use an active/active configuration, AS_PATH prepend and Local-Preference can be used to tolerate asymmetric routing.

Configure AS-PATH prepend to manipulate traffic coming into your AS. Configure local-pref to manipulate the outgoing traffic. So, Tunnel-1 is used for both outgoing and incoming traffic.

ASA Configuration snippet

route-map LOCAL-PREF permit 10
 set local-preference 200
 
route-map PATH-PREPEND permit 10
 set as-path prepend 64660 64660


router bgp 64660
  address-family ipv4 unicast
    neighbor 169.254.15.1 remote-as 64600
    neighbor 169.254.15.1 timers 10 30 30
    neighbor 169.254.15.1 activate
    neighbor 169.254.15.1 route-map LOCAL-PREF in
    neighbor 169.254.15.5 remote-as 64600
    neighbor 169.254.15.5 timers 10 30 30
    neighbor 169.254.15.5 activate
    neighbor 169.254.15.5 route-map PATH-PREPEND out
    network 10.10.0.0
    no auto-summary
    no synchronization

Thanks for reading

As always, your feedback and comments are more than welcome.