Accepted Solutions
To manage routing across redundant Site-to-Site VPN tunnels to AWS over VPN (using VTI interfaces on an FTD firewall, it's not intuitive. It’s buried deeply under a false flag of “filtering”.
First, to build the route-map in Advanced Configuration → Smart CLI → Objects.
First, add a Standard Access List to permit all subnets you wish to affect when advertised to the BGP neighbors across the VPNs. You only need to list the subnets to match, since DENY is implicit at the end.
Next, create a Policy List:
- Then, create the Route Map:
- Finally, configure the neighbors in the BGP Routing Object.
Below is an example of how this looks in FDM under Routing → BGP → BGP Object:Weight
Above, you can see that there’s a weight of 2000 on the primary/first VPN tunnel BGP peer. This tells this firewall to prefer the first tunnel over the other since BGPs top priority for decision-making is weight. (NOTE: Local-preference doesn't do anything here because it's AS-based, but weight will, since it's host-based.)AS_PATH Prepending attribute
Above, you can see how AS_Path Prepending is applied using a route-map (BGP_Outbound_AS-PATH-Prepend_RouteMap and direction out). Note the neighbor referenced here is the BGP neighbor of the second VPN tunnel, not the first. This helps influence AWS to lower the priority of this VPN tunnel, instead preferring to route traffic over the first tunnel.
Obviously, only AWS Support can tell you if this is actually working, but it appears to in our work.
To manage routing across redundant Site-to-Site VPN tunnels to AWS over VPN (using VTI interfaces on an FTD firewall, it's not intuitive. It’s buried deeply under a false flag of “filtering”.
First, to build the route-map in Advanced Configuration → Smart CLI → Objects.
First, add a Standard Access List to permit all subnets you wish to affect when advertised to the BGP neighbors across the VPNs. You only need to list the subnets to match, since DENY is implicit at the end.
Next, create a Policy List:
- Then, create the Route Map:
- Finally, configure the neighbors in the BGP Routing Object.
Below is an example of how this looks in FDM under Routing → BGP → BGP Object:
Above, you can see that there’s a weight of 2000 on the primary/first VPN tunnel BGP peer. This tells this firewall to prefer the first tunnel over the other since BGPs top priority for decision-making is weight. (NOTE: Local-preference doesn't do anything here because it's AS-based, but weight will, since it's host-based.)
Above, you can see how AS_Path Prepending is applied using a route-map (BGP_Outbound_AS-PATH-Prepend_RouteMap and direction out). Note the neighbor referenced here is the BGP neighbor of the second VPN tunnel, not the first. This helps influence AWS to lower the priority of this VPN tunnel, instead preferring to route traffic over the first tunnel.
Obviously, only AWS Support can tell you if this is actually working, but it appears to in our work.
