I've configured an ASA 5506X with 2 VTI tunnel interfaces to a cloud provider, and I'm getting asymmetric routing (which is to be expected at times). Now, the issue I would like to solve is to tell the ASA to be able to perform stateful inspection across two different VTI tunnels. I thought I could use this: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/conns-connlimits.html
for example, to use a policy-map to do a TCP State Bypass, but what about UDP? And what about ICMP? Moreover, this doesn't work on VTI, or at least I'm not sure how to do this on VTI interfaces. I'm using 9.8.x.
What I ended up doing is advertising a higher BGP cost over one tunnel versus the other (my scenario involved BGP so that worked for me). But it's IMO not ideal...
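For readers who want to see what the TCP State Bypass policy-map referenced in the linked Cisco document looks like, here is an added example configuration; it is not the poster's config and not taken from the linked page. The ACL name, class-map and policy-map names, the on-premises subnet 10.0.0.0/24 and the cloud subnet 10.1.0.0/16 are all assumed placeholders, and applying the policy globally (rather than to a specific VTI interface) is an assumption chosen because the poster was unsure which scope works on VTI.

```cisco
! Scope the bypass to the traffic that can actually arrive asymmetrically
! (on-prem <-> cloud over the two VTIs), not "any any", so the rest of the
! firewall keeps full stateful inspection. Subnets are assumed placeholders.
access-list VTI-ASYM-BYPASS extended permit tcp 10.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list VTI-ASYM-BYPASS extended permit tcp 10.1.0.0 255.255.0.0 10.0.0.0 255.255.255.0

! Class the matching flows
class-map VTI-ASYM-BYPASS-CLASS
 match access-list VTI-ASYM-BYPASS

! Skip the TCP state checks (SYN-first, sequence tracking, normalization)
! only for that class. Note this applies to TCP only; the UDP and ICMP
! question in the post is not addressed by this option.
policy-map VTI-ASYM-BYPASS-POLICY
 class VTI-ASYM-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass

! Global scope assumed; the interface form would be
! "service-policy VTI-ASYM-BYPASS-POLICY interface <tunnel-interface-name>"
service-policy VTI-ASYM-BYPASS-POLICY global

! Verify the class is being hit with:
!   show service-policy
!   show conn detail   (bypassed flows are flagged in the connection flags)
```

Because the bypassed flows are no longer tracked as TCP state, the ASA still applies the interface access-lists to them, so the ACLs on both VTIs must permit the traffic in whichever direction it happens to arrive.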