ASA 5508 Redundant routes via VPN VTI interface do not work with just different metrics, and cannot setup SLA for VTI

Roman T
Level 1

Dear people, my post was deleted from Security/VPN, so I am hoping to find advice here.

 

I have a single Cisco ASA 5508, configured with an IKEv2 IPsec tunnel into AWS using VTI (virtual tunnel interfaces). Both tunnels work and traffic can flow via both of them, but only when one of the tunnels is online. That is a problem: I cannot have both tunnels connected, only one can be enabled. There are no routing protocols configured on my ASA (i.e. BGP or OSPF).

 

AWS provides 2 tunnel links, and it would be nice to set up both of them to have redundancy.

Because it would be nice but not critical, I do not want to introduce a lot of complex config into my Cisco ASA 5508.

 

My first attempt was to follow the AWS guide and set up two routes with different metrics.

 

route tunnel-vti-1 10.0.0.0 255.255.255.0 123.123.1.22 100
route tunnel-vti-2 10.0.0.0 255.255.255.0 123.123.11.25 200

The tunnels are connected and I think traffic goes out from the Cisco to AWS, but I suspect split routing occurs on the AWS side and traffic does not return. So it does not work. Then I randomly made it work by adding `track 5` to the first route:

route tunnel-vti-1 10.0.0.0 255.255.255.0 123.123.1.22 100 track 5
route tunnel-vti-2 10.0.0.0 255.255.255.0 123.123.11.25 200

I did not configure any SLA though. It worked for a week, then stopped. So I had to remove the second route completely.

I tried configuring SLA, but SLA can only be configured for physical interfaces, not a virtual tunnel interface.

 

 

Here is a link to the AWS documentation if it helps:

https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-static-routing-examples.html

My ASA version is 9.8(2)38

4 Replies

ngkin2010
Level 7

Hi,

 

You may be running into a scenario where traffic goes out on Tunnel #1 but returns on Tunnel #2. By default the ASA drops packets in this asymmetric routing situation. You can confirm this by viewing the firewall log and checking for any "Denied (TCP no connection)" messages.

 

If that is the case, the simplest solution is to confirm which tunnel is the primary one from AWS's point of view, then use that one to forward traffic to AWS.

 

You can't control how AWS returns packets to your ASA, but when both tunnels are in the active state you can check which of them is the primary one. If the packets are returning on Tunnel #2, then Tunnel #2 is the primary tunnel. You then simply configure the static route to AWS over Tunnel #2 with the lower metric. That mitigates the asymmetric routing problem.

 

But it may not be dynamic enough: there is no guarantee that AWS won't at some point swap to using the other tunnel as primary.

 

So BGP is the preferred option in your case, but it may involve a somewhat more complex configuration. That's the trade-off for you.
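As an added example (not code from the thread or from Cisco), the log check suggested above can be automated: the ASA reports a TCP packet arriving without a matching connection entry as syslog message 106015, which names the ingress interface. Parsing those lines and counting, per interface, the denies whose source sits in the remote VPN prefix shows which VTI AWS is actually returning traffic on. The sample syslog lines below are constructed for the example; the interface names, the 10.0.0.0/24 prefix and the helper names are assumptions.

```python
"""Detect return traffic arriving on the 'wrong' VTI from ASA syslog.

Added example, not from the original thread. It parses ASA message
%ASA-6-106015 "Deny TCP (no connection)" lines, which the ASA emits when a
packet arrives for a flow it has no state for, e.g. a SYN/ACK coming back
over tunnel-vti-2 after the SYN left via tunnel-vti-1.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real output from the poster's ASA).
SAMPLE_LOGS = """\
%ASA-6-302013: Built outbound TCP connection 4711 for tunnel-vti-1:10.0.0.5/443 (10.0.0.5/443) to inside:192.168.1.10/52345 (192.168.1.10/52345)
%ASA-6-106015: Deny TCP (no connection) from 10.0.0.5/443 to 192.168.1.10/52345 flags SYN ACK  on interface tunnel-vti-2
%ASA-6-106015: Deny TCP (no connection) from 10.0.0.5/443 to 192.168.1.10/52346 flags SYN ACK  on interface tunnel-vti-2
%ASA-6-106015: Deny TCP (no connection) from 10.0.0.7/22 to 192.168.1.11/41000 flags ACK  on interface tunnel-vti-2
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/80 to 192.168.1.12/50000 flags RST  on interface outside
"""

# Matches the standard 106015 message layout; \s+ tolerates the double space
# the ASA prints between the flag list and "on interface".
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifname>\S+)"
)


def parse_no_connection_denies(log_text):
    """Return one dict per 106015 line: src, dst, ports, flag list, ingress interface."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["flags"] = ev["flags"].split()
            events.append(ev)
    return events


def suspected_return_paths(events, primary_ifname, vpn_prefix):
    """Count no-connection denies per ingress interface, restricted to
    packets sourced from the remote VPN prefix that did NOT arrive on the
    interface the static route points at. A high count on the secondary
    VTI means the remote side returns traffic over the tunnel the ASA is
    not sending on (asymmetric routing)."""
    prefix = ipaddress.ip_network(vpn_prefix)
    counts = Counter()
    for ev in events:
        if ev["ifname"] == primary_ifname:
            continue
        if ipaddress.ip_address(ev["src"]) in prefix:
            counts[ev["ifname"]] += 1
    return counts


def preferred_tunnel(events, primary_ifname, vpn_prefix):
    """Name of the interface the remote side is returning on, or the current
    primary if no stray return traffic was seen."""
    counts = suspected_return_paths(events, primary_ifname, vpn_prefix)
    if not counts:
        return primary_ifname
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    evs = parse_no_connection_denies(SAMPLE_LOGS)
    print(suspected_return_paths(evs, "tunnel-vti-1", "10.0.0.0/24"))
    print("prefer route via:", preferred_tunnel(evs, "tunnel-vti-1", "10.0.0.0/24"))
```

Feed it the output of `show logging` or a syslog export with the current primary VTI name and the AWS-side prefix; if the denies pile up on the other VTI, that is the tunnel to give the lower metric, as the reply above recommends. Denies on `outside` from unrelated sources are ignored by the prefix filter.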

Hello,

 

The ASA does equal-cost load balancing for up to eight static routes, so in theory the below should be sufficient:

 

route tunnel-vti-1 10.0.0.0 255.255.255.0 123.123.1.22
route tunnel-vti-2 10.0.0.0 255.255.255.0 123.123.11.25

 

You could also configure traffic zones:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-zones.html

Hi Georg,

Zoning does not seem to be allowed on VTI, so Roman would still have to deal with the asymmetric route problem if using ECMP.

Ref:
You can add the following types of interfaces to a zone:
- Physical
- VLAN
- EtherChannel
- Redundant


@Georg Pauwen wrote:

The ASA does equal-cost load balancing for up to eight static routes, so in theory the below should be sufficient:

 

route tunnel-vti-1 10.0.0.0 255.255.255.0 123.123.1.22
route tunnel-vti-2 10.0.0.0 255.255.255.0 123.123.11.25


Unfortunately this did not work. When I try to add the second route with the same metric, I get:

> ERROR: Cannot add route entry, conflict with existing routes
If I add it with a different administrative distance/metric, I have my original problem.

 
