AWS Transit Gateway with Cisco ASA Routing Issues

Question

Hello,  
  
We have setup a site to site VPN from our main office to and it's connected to our transit gateway in AWS.  I'm able to ping our main VPC instances over the VPN tunnel.  We have other accounts/VPC's that is connect to the transmit gateway but i am unable to ping those instances over the VPN.  I have added the new network in our Cisco VPN profile but as soon as i add it, i lose connection to the main VPC and the new VPC instance starts pinging.  It seems as if i'm only allowed to ping one VPC at a time.  I talked with Cisco and they said it's because my VPN is policy based and not route based.  Can anyone tell me how to create a route based VPN tunnel through the transit gateway or tell me if i'm missing a step?  
  
Thanks

Answer

Thanks for the response.  So we torn down the static VPN and we are using BGP or Dynamic.  When you setup a BGP tunnel, it keeps 2 tunnels active.  What we are seeing now, is that traffic is going through one tunnel and coming back through the other which is resulting in sometimes not being able to ping some devices in some VPCs.  Sometimes we can ping the device, sometimes we can't.  Cisco seems to think that it's on AWS side with traffic trying to come back through the other tunnel.  Have you seen this scenario?

Answer

Hi,  
an AWS site-to-site VPN tunnel is always route-based. You should configure the Cisco ASA end of the connection as route-based (https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214230-configure-policy-based-and-route-based-v.html). In AWS, you should set both the "Local IPv4 Network Cidr" and "Remote IPv4 Network Cidr" settings to 0.0.0.0/0.  
  
The reason why only one VPC is reachable at a time is that one AWS site-to-site VPN connection only permits one security association in each direction to be active at one time. When you configure a policy-based tunnel on the ASA with several IP networks configured in the encryption domain, the ASA will establish a separate security association for each combination of IP networks (traffic selectors) communicating over the tunnel.  
  
For example, if you have the CIDR blocks 10.12.0.0/16 and 10.45.0.0/16 configured for your VPCs, and the site-to-site VPN connects them to a a single on-premises CIDR block 10.240.0.0/16, then traffic from on premises to the first VPC will cause a security association to be established from 10.240.0.0/16 to 10.12.0.0/16. When traffic is attempted to the other VPC, the first pair of SAs will be torn down and new ones established between 10.240.0.0/16 and 10.45.0.0/16. That's the phenomenon you are seeing.  
  
When you configure a route-based VPN on the ASA, it will only establish one security association in each direction, with 0.0.0.0/0 on both sides of the tunnel. Regardless of how many VPCs and on-premises networks you have, they will all be reachable without having to establish additional SAs.  
  
Note that the cryptographic settings in the examples in Cisco's article are seriously weak. AWS site-to-site VPN supports the most secure settings recognised by the ASA.

AWS Transit Gateway with Cisco ASA Routing Issues

관련 콘텐츠