topic Re: Asymmetric Flow on ASA5506 VTI tunnel interfaces VPN in Network Security

Asymmetric Flow on ASA5506 VTI tunnel interfaces VPN

om2010 — Mon, 08 Apr 2019 21:13:03 GMT

Hi,

I've configured an ASA 5506X with 2 VTI tunnel interfaces to a cloud provider, and I'm getting asymmetric routing (which is to be expected at times). Now, the issue I would like to solve is to tell the ASA to be able to perform stateful inspection across two different VTI tunnels. I've thought that I could use this :https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/conns-connlimits.html

for example to use a policy-map to do a TCP State Bypass, but what about UDP? And what about ICMP? Moreover, this doesn't work on VTI or at least I'm not sure how to do this on VTI interfaces. I'm using 9.8.x.

Any clue?

Re: Asymmetric Flow on ASA5506 VTI tunnel interfaces VPN

Mark Woollam — Wed, 14 Aug 2019 12:08:53 GMT

I have the same problem.

I'm thinking IP SLA or BGP rather than static routes so only one route is in the ASA's table at a time.

Would love to enable asymmetric across two VTI's though

Re: Asymmetric Flow on ASA5506 VTI tunnel interfaces VPN

om2010 — Wed, 14 Aug 2019 12:42:27 GMT

What I ended up doing is advertising a higher BGP cost over one tunnel versus the other (my scenario involved BGP so that worked for me). But it's IMO not ideal...

Re: Asymmetric Flow on ASA5506 VTI tunnel interfaces VPN

perpey — Fri, 14 Jul 2023 18:38:38 GMT

Hi Oliver, what do you mean by higher cost. I guess you prepend the ASPATH on VTI-1 and leave the defaults on the VTI-2?