By default, instances that we launch into an Amazon VPC can't communicate with our on-prem network. We can enable access to our network from the VPC by creating an AWS managed Site-to-Site VPN connection, and configuring routing to pass traffic through the connection.
A single Site-to-Site VPN connection consists of two VPN tunnels between a single customer gateway device and a transit gateway or virtual private gateway.
When the primary and secondary tunnels are both configured with BGP on AWS, the ASA may send traffic out Tunnel-1 while the return traffic arrives on Tunnel-2. This is asymmetric routing, and the ASA drops the return traffic because, as a stateful firewall, it expects the reply to arrive on the interface that holds the connection's state.
In an active/active configuration, AS_PATH prepend and Local-Preference can be used to avoid asymmetric routing by steering both directions of a flow through the same tunnel.
AS-PATH prepend manipulates traffic coming into your AS (AWS prefers the tunnel on which it receives the shorter AS_PATH), while local-preference manipulates outgoing traffic (the ASA prefers the path with the higher local-preference). With the prepend applied outbound on the Tunnel-2 neighbor and the higher local-preference applied inbound on the Tunnel-1 neighbor, Tunnel-1 carries both outgoing and incoming traffic.
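To make the two attributes concrete, the following model of the BGP decision process runs the same two-tunnel scenario with and without the route-maps. This is an added example, not code from the post or from Cisco or AWS; the AS numbers, the AWS neighbor addresses and the route-map actions come from the ASA snippet, while the VPC CIDR, the ASA-side tunnel addresses, the path ages and the tie-break rules are constructed to reproduce the asymmetry described above.

```python
"""Model of the BGP best-path decision on a two-tunnel AWS Site-to-Site VPN.
Added example: AS numbers, AWS neighbor addresses and route-map actions follow
the ASA snippet; the VPC prefix, ASA-side tunnel addresses, path ages and
tie-break rules are constructed."""
from dataclasses import dataclass, replace

ASA_AS = 64660   # on-prem AS (router bgp 64660)
AWS_AS = 64600   # AWS side AS (remote-as 64600)


@dataclass(frozen=True)
class Path:
    prefix: str
    tunnel: str          # "Tunnel-1" or "Tunnel-2"
    neighbor: str        # peer address the path was learned from
    as_path: tuple       # AS_PATH as received or as sent
    local_pref: int = 100
    age: int = 0         # seconds since the path was received (constructed)


def best_path(paths, tiebreak):
    """Simplified BGP decision process: highest LOCAL_PREF wins, then the
    shortest AS_PATH. `tiebreak` stands in for the platform-specific final
    steps (oldest path, lowest router-id, ...) that the operator does not control."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), tiebreak(p)))


def lowest_neighbor(p):
    """Constructed tie-break used for the ASA side: lowest neighbor address."""
    return tuple(int(o) for o in p.neighbor.split("."))


def oldest_path(p):
    """Constructed tie-break used for the AWS side: prefer the oldest path."""
    return -p.age


def asa_route_map(path, direction):
    """Apply the snippet's two route-maps exactly as they are bound:
    LOCAL-PREF inbound on the Tunnel-1 neighbor, PATH-PREPEND outbound on Tunnel-2."""
    if direction == "in" and path.tunnel == "Tunnel-1":
        return replace(path, local_pref=200)                            # set local-preference 200
    if direction == "out" and path.tunnel == "Tunnel-2":
        return replace(path, as_path=(ASA_AS, ASA_AS) + path.as_path)   # set as-path prepend 64660 64660
    return path


def select_tunnels(route_maps_enabled):
    """Return (tunnel the ASA sends on, tunnel AWS returns on)."""
    # Paths the ASA learns for the VPC prefix, one per tunnel (VPC CIDR constructed).
    learned = [
        Path("10.20.0.0/16", "Tunnel-1", "169.254.15.1", (AWS_AS,), age=900),
        Path("10.20.0.0/16", "Tunnel-2", "169.254.15.5", (AWS_AS,), age=900),
    ]
    if route_maps_enabled:
        learned = [asa_route_map(p, "in") for p in learned]
    asa_egress = best_path(learned, lowest_neighbor).tunnel

    # Paths AWS learns for the on-prem prefix from the ASA, one per tunnel.
    # Constructed: Tunnel-2 came up first on the AWS side, so its path is older.
    advertised = [
        Path("10.10.0.0/16", "Tunnel-1", "169.254.15.2", (ASA_AS,), age=300),
        Path("10.10.0.0/16", "Tunnel-2", "169.254.15.6", (ASA_AS,), age=900),
    ]
    if route_maps_enabled:
        advertised = [asa_route_map(p, "out") for p in advertised]
    aws_return = best_path(advertised, oldest_path).tunnel
    return asa_egress, aws_return


def is_symmetric(route_maps_enabled):
    """True when both directions of a flow use the same tunnel."""
    egress, ret = select_tunnels(route_maps_enabled)
    return egress == ret


if __name__ == "__main__":
    for enabled in (False, True):
        egress, ret = select_tunnels(enabled)
        state = "on " if enabled else "off"
        print(f"route-maps {state}: ASA->AWS via {egress}, AWS->ASA via {ret}, "
              f"symmetric={is_symmetric(enabled)}")
```

Without the route-maps every controllable attribute is equal on both paths, so each side falls through to its own tie-break and the two sides can disagree; with them, LOCAL_PREF 200 decides the ASA's choice and the longer AS_PATH on Tunnel-2 decides AWS's, so both land on Tunnel-1. Tunnel-2 remains a usable standby: if the Tunnel-1 BGP session drops, its paths are withdrawn on both sides and the only remaining path, on Tunnel-2, wins in both directions.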
ASA configuration snippet:

route-map LOCAL-PREF permit 10
 set local-preference 200

route-map PATH-PREPEND permit 10
 set as-path prepend 64660 64660

router bgp 64660
 address-family ipv4 unicast
  neighbor 169.254.15.1 remote-as 64600
  neighbor 169.254.15.1 timers 10 30 30
  neighbor 169.254.15.1 activate
  neighbor 169.254.15.1 route-map LOCAL-PREF in
  neighbor 169.254.15.5 remote-as 64600
  neighbor 169.254.15.5 timers 10 30 30
  neighbor 169.254.15.5 activate
  neighbor 169.254.15.5 route-map PATH-PREPEND out
  network 10.10.0.0
  no auto-summary
  no synchronization
Thanks for reading
As always, your feedback and comments are more than welcome.