By using AWS re:Post, you agree to the Terms of Use

Site-to-Site VPN


Hello Experts,

Please see attached diagram.

As quoted by AWS DOC "When we perform updates on one VPN tunnel, we set a lower outbound multi-exit discriminator (MED) value on the other tunnel. If you have configured your customer gateway device to use both tunnels, your VPN connection uses the other (up) tunnel during the tunnel endpoint update process."

is this not going to cause asymmetric routing again if MED value changed ?

Note: Customer end going to be Cisco ASA

Thanks Enter image description here

1 Answers

You would not use MED on the CGW (Cisco), also please note the below statements from the documentation. Weight, LP and AS Path are all evaluated before MED. Ideally the CGW should support Active-Active tunnels with Asymmetric routing enabled, however if it does not then use AS Path prepending and Local preference.

To ensure that the up tunnel with the lower MED is preferred, ensure that your customer gateway device uses the same Weight and Local Preference values for both tunnels (Weight and Local Preference have higher priority than MED).

AWS strongly recommends using customer gateway devices that support asymmetric routing.

For customer gateway devices that support asymmetric routing, we do not recommend using AS PATH prepending, to ensure that both tunnels have equal AS PATH. This helps to ensure that the multi-exit discriminator (MED) value that we set on a tunnel during VPN tunnel endpoint updates is used to determine tunnel priority.

For customer gateway devices that do not support asymmetric routing, please use AS-path-prepending and Local-Preference to prefer one tunnel over the other

profile picture
answered 14 days ago
  • Even AS prepending that would only for inbound traffic. MED tweaks are for outbound traffic hence not sure how that helps.

    For example - In case I do AS prepended (Customer Router) on top peering that will make bottom peering preferred, but for outbound MED will stay play same role and that would be unpredicted in case of maintenance. Sorry it might be my wrong way of visualizing :)

  • You are correct, that is why AS Path prepending is not recommended. Best practice is that CGW should use Active-Active Tunnels with Asymmetric routing supported, don't prefer 1 tunnel over the other because if you do that then AWS tunnel endpoint replacement maintenance would cause issues with traffic preferred on that 1 tunnel. You would use AS-path only if you must have Active-Active tunnels (both Up) but the CGW does not support Asymmetric routing.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions