06-16-2020 08:27 AM
Dear people, my post was deleted from Security/VPN, so I am hoping to find advice here.
I have a single Cisco ASA 5508, configured with an ikev2 IPSEC tunnel into AWS using VTI (virtual tunnel interfaces). Both tunnels work and traffic can flow via both of them, but only when one of the tunnels is online. That is a problem - I cannot make both tunnels connected, only one can be enabled. There are no routing protocols configured on my ASA (i.e. BGP or OSPF).
AWS provides 2 tunnel links; it would be nice to set up both of them to have redundancy.
Because it would be nice, but not critical, I do not want to introduce a lot of complex config into my Cisco ASA 5508.
My first attempt was to follow the AWS guide and set up two routes with different metrics:
route tunnel-vti-1 10.0.0.0 255.255.255.0 123.123.1.22 100
route tunnel-vti-2 10.0.0.0 255.255.255.0 123.123.11.25 200
Tunnels are connected; I think traffic goes out from Cisco to AWS, but I suspect split routing occurs on the AWS side, and traffic does not return. So it does not work. Then I randomly made it work by adding `track 5` to the first route:
route tunnel-vti-1 10.0.0.0 255.255.255.0 123.123.1.22 100 track 5
route tunnel-vti-2 10.0.0.0 255.255.255.0 123.123.11.25 200
I did not configure any SLA though. It worked for a week, then stopped. So I had to remove the second route completely.
I tried configuring SLA, but SLA can only be configured for physical interfaces, not a virtual Tunnel interface.
Here is a link to AWS if it helps:
https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-static-routing-examples.html
My ASA version is 9.8(2)38
06-16-2020 09:30 AM - edited 06-16-2020 09:31 AM
Hi,
You may run into a scenario where traffic is going out on Tunnel #1 but returning on Tunnel #2. This asymmetric routing causes the packet to be dropped by the ASA by default. You may confirm this situation by viewing the firewall log - see if there are any "Denied (TCP no connection)".
If that is the case, the simplest solution is to confirm which is the primary tunnel from the view of AWS. Then use it to forward traffic to AWS.
You can't control how AWS returns packets to your ASA, but you could check, when both tunnels are in the active state, which of them is the primary one. If the packets are returning on Tunnel #2, then Tunnel #2 is the primary tunnel. You simply configure the static route to AWS over Tunnel #2 with the lower metric. So, it mitigates the asymmetric routing problem.
But it may not be dynamic enough; there is no guarantee if AWS somehow swaps to use another tunnel as primary.
So, BGP is most preferred in your case. But it may involve a little bit more complex configuration. That's the trade-off for you.
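As an added illustration of the log check suggested in the reply above (example code, not from any post in this thread): a small Python helper that scans ASA syslog for message 106015, "Deny TCP (no connection)", and counts it per ingress interface, so you can see which tunnel AWS return traffic is actually arriving on. The log lines are constructed; the interface names tunnel-vti-1/tunnel-vti-2 follow the thread and the addresses are made up.

```python
import re
from collections import Counter

# ASA syslog message 106015 is logged when a TCP packet arrives with no matching
# connection entry, which is what asymmetric return traffic over the "other"
# tunnel looks like. Format (assumed from the standard ASA message catalogue):
# %ASA-6-106015: Deny TCP (no connection) from A/p to B/q flags F on interface IF
NO_CONN_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.*?)\s+on interface (?P<ifname>\S+)"
)


def count_no_connection_by_interface(log_lines):
    """Return {interface: count} of 'Deny TCP (no connection)' events per ingress interface."""
    counts = Counter()
    for line in log_lines:
        m = NO_CONN_RE.search(line)
        if m:
            counts[m.group("ifname")] += 1
    return dict(counts)


def likely_return_tunnel(log_lines, tunnel_ifaces):
    """Name the tunnel interface on which return traffic most often arrives without a
    connection entry (the tunnel AWS treats as primary); None if no such events were seen."""
    counts = count_no_connection_by_interface(log_lines)
    tunnel_counts = {i: counts.get(i, 0) for i in tunnel_ifaces}
    best = max(tunnel_counts, key=tunnel_counts.get)
    return best if tunnel_counts[best] > 0 else None


# Constructed sample syslog lines (not real captures): the connection was built out of
# tunnel-vti-1, but the SYN/ACKs come back on tunnel-vti-2 and are dropped.
SAMPLE_LOG = [
    "Jun 16 2020 08:20:01 asa %ASA-6-302013: Built outbound TCP connection 101 for "
    "tunnel-vti-1:10.0.0.10/443 (10.0.0.10/443) to inside:192.168.1.50/51000 (192.168.1.50/51000)",
    "Jun 16 2020 08:20:01 asa %ASA-6-106015: Deny TCP (no connection) from 10.0.0.10/443 "
    "to 192.168.1.50/51000 flags SYN ACK  on interface tunnel-vti-2",
    "Jun 16 2020 08:20:02 asa %ASA-6-106015: Deny TCP (no connection) from 10.0.0.10/443 "
    "to 192.168.1.50/51001 flags SYN ACK  on interface tunnel-vti-2",
    "Jun 16 2020 08:20:05 asa %ASA-6-106015: Deny TCP (no connection) from 10.0.0.11/22 "
    "to 192.168.1.51/52000 flags ACK  on interface tunnel-vti-2",
    "Jun 16 2020 08:20:09 asa %ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/80 "
    "to 192.168.1.60/53000 flags RST  on interface outside",
]

if __name__ == "__main__":
    print(count_no_connection_by_interface(SAMPLE_LOG))
    print(likely_return_tunnel(SAMPLE_LOG, ["tunnel-vti-1", "tunnel-vti-2"]))
```

Feed it the output of `show logging` or an exported syslog file; a steady count on one tunnel interface is the tunnel the static route should prefer (lower metric).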
06-16-2020 09:36 AM
Hello,
the ASA does equal-cost load balancing for up to eight static routes, so in theory, the below should be sufficient:
route tunnel-vti-1 10.0.0.0 255.255.255.0 123.123.1.22
route tunnel-vti-2 10.0.0.0 255.255.255.0 123.123.11.25
You could also configure traffic zones:
06-17-2020 02:01 AM
@Georg Pauwen wrote: the ASA does equal-cost load balancing for up to eight static routes, so in theory, the below should be sufficient:
route tunnel-vti-1 10.0.0.0 255.255.255.0 123.123.1.22
route tunnel-vti-2 10.0.0.0 255.255.255.0 123.123.11.25
Unfortunately this did not work. It would try to add the second route with the same metric:
> ERROR: Cannot add route entry, conflict with existing routes
If I add it with a different administrative distance/metric, I will have my original problem.