ASA to AWS asymmetric routing - BGP


By default, instances that we launch into an Amazon VPC can't communicate with our on-prem network. We can enable access to our network from the VPC by creating an AWS managed Site-to-Site VPN connection and configuring routing to pass traffic through the connection.

A single Site-to-Site VPN connection consists of two VPN tunnels between a single customer gateway device and a transit gateway or virtual private gateway.



When we have a Primary and a Secondary tunnel configured with BGP on AWS, the ASA may send traffic via Tunnel-1 while the return traffic arrives on Tunnel-2. This is asymmetric routing, and because the ASA is a stateful firewall it drops the return traffic: the packets arriving on Tunnel-2 do not match the connection state that was built when the flow left via Tunnel-1.


When we use an active/active configuration, AS_PATH prepend and Local-Preference can be used to prevent this asymmetric routing.

Configure AS-PATH prepend to influence traffic coming into your AS (AWS sees a longer path via Tunnel-2 and prefers Tunnel-1), and configure local-preference to influence the outgoing traffic (routes learned over Tunnel-1 win the ASA's best-path selection). With both in place, Tunnel-1 is used for both outgoing and incoming traffic, and Tunnel-2 only takes over if Tunnel-1 goes down. In the snippet below, LOCAL-PREF is applied inbound on the Tunnel-1 neighbor and PATH-PREPEND outbound on the Tunnel-2 neighbor.

ASA configuration snippet. The first neighbor is the Tunnel-1 peer and the second the Tunnel-2 peer; TUNNEL1_PEER_IP and TUNNEL2_PEER_IP are placeholders for the AWS-side inside tunnel addresses of each VPN tunnel.

route-map LOCAL-PREF permit 10
 set local-preference 200
route-map PATH-PREPEND permit 10
 set as-path prepend 64660 64660

router bgp 64660
 address-family ipv4 unicast
  neighbor TUNNEL1_PEER_IP remote-as 64600
  neighbor TUNNEL1_PEER_IP timers 10 30 30
  neighbor TUNNEL1_PEER_IP activate
  neighbor TUNNEL1_PEER_IP route-map LOCAL-PREF in
  neighbor TUNNEL2_PEER_IP remote-as 64600
  neighbor TUNNEL2_PEER_IP timers 10 30 30
  neighbor TUNNEL2_PEER_IP activate
  neighbor TUNNEL2_PEER_IP route-map PATH-PREPEND out
  no auto-summary
  no synchronization
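To see why the two route-maps together make both directions land on Tunnel-1, here is a reduced model of the BGP decision process on each side of the VPN. This is an added example, not part of the original post or Cisco/AWS code; the sample prefixes and the per-side tie-break preferences are assumptions chosen to show the asymmetric case.

```python
from dataclasses import dataclass

ASA_AS, AWS_AS = 64660, 64600       # ASNs from the ASA snippet above
TUNNELS = ("Tunnel-1", "Tunnel-2")

@dataclass
class Route:
    prefix: str
    via: str                 # tunnel the route was learned over
    as_path: list            # AS_PATH as received
    local_pref: int = 100    # BGP default when no policy sets it

def best_path(routes, tie_break):
    """Reduced BGP decision: highest LOCAL_PREF, then shortest AS_PATH,
    then a router-specific tie-break (stands in for the router-id /
    neighbor-address comparison, which is independent on each side)."""
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path), tie_break(r.via)))

def asa_receive(route, policy):
    """ASA inbound: route-map LOCAL-PREF is applied only to the Tunnel-1 neighbor."""
    if policy and route.via == "Tunnel-1":
        route.local_pref = 200           # set local-preference 200
    return route

def asa_advertise(prefix, tunnel, policy):
    """ASA outbound: route-map PATH-PREPEND is applied only to the Tunnel-2 neighbor."""
    path = [ASA_AS]
    if policy and tunnel == "Tunnel-2":
        path = [ASA_AS, ASA_AS] + path   # set as-path prepend 64660 64660
    return Route(prefix, tunnel, path)

def simulate(policy):
    """Return (tunnel the ASA uses toward the VPC, tunnel AWS uses back to on-prem)."""
    # Constructed sample prefixes: VPC CIDR learned from AWS, on-prem CIDR advertised by the ASA.
    vpc = [asa_receive(Route("10.20.0.0/16", t, [AWS_AS]), policy) for t in TUNNELS]
    onprem = [asa_advertise("192.168.0.0/16", t, policy) for t in TUNNELS]
    # Assumed tie-breaks: the ASA happens to favour Tunnel-1, the AWS side Tunnel-2.
    asa_pick = best_path(vpc, tie_break=TUNNELS.index).via
    aws_pick = best_path(onprem, tie_break=lambda t: -TUNNELS.index(t)).via
    return asa_pick, aws_pick

def is_symmetric(policy):
    egress, ingress = simulate(policy)
    return egress == ingress

if __name__ == "__main__":
    for policy in (False, True):
        out, back = simulate(policy)
        print(f"route-maps={policy}: ASA->AWS via {out}, AWS->ASA via {back}, "
              f"symmetric={is_symmetric(policy)}")
```

Without the route-maps both candidate paths tie on LOCAL_PREF and AS_PATH length, so each side falls through to its own tie-break and the flow can return on the other tunnel; with them, Tunnel-1 wins on both sides for the reasons stated in the text.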

Thanks for reading

As always, your feedback and comments are more than welcome.

Written by
Suresh Vina