Pat Kerpan from Cohesive Networks here.
Happy to have someone more TGW knowledgeable to tell different than this - I would encourage them to join in.
That said, our experience is that there is currently no specific way to know which of your two VTI routed tunnels is considered the primary and which is the secondary WITHOUT looking at traffic like you have done.
Since the traffic is "coming back" over tunnel 2 - then tunnel 2 is actually your primary. The answer is to change your static routes metrics in the ASA config so your current tunnel 2 is the primary and tunnel 1 is the secondary.
OR more potentially troublesome - and may not be within your organization's policies - allow asymmetric routing such that the ASA will allow traffic to go "up" one tunnel and come back "down" the other.
I would recommend trying to change your static routes.
Hi Pat,
Thanks for taking the time to help me out. This was indeed the issue. Swapping the metric on the routes has solved the problem.
I've since realised that this ASA supports BGP. Am I correct in thinking I can use this to allow the devices to agree upon the primary route for traffic (rather than me manually adjusting the metric)?
Thanks again,
John.
Pat Kerpan from Cohesive Networks here.
Not officially a Cisco person... but we test our security controllers (VNS3) against ASA(-X)'s in our lab.
Short answer - yes.
With BGP configs you have to configure "ASN" distance on the ASA side - where you configure the number of hops to the primary vs. the secondary.
(In our experience, don't use BGP over VTI on ASA until the 9.8+ software revision, but that is highly anecdotal on our part.)
Thanks again, Pat. We're using version 9.12 and we're up and running with BGP.
All the best,
John.
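An added example, not from Pat's or John's posts and not Cohesive's or Cisco's own documentation, showing both fixes discussed above in ASA CLI form: the static-route approach, where the administrative distance (what the thread calls the metric) on the two VTI routes is swapped so tunnel 2 is preferred like TGW already does, and the BGP approach, where the ASA prepends its own ASN towards the tunnel-2 peer so TGW returns traffic on tunnel 1 and raises local preference on routes learned over tunnel 1 so the ASA sends outbound the same way. Interface names, the 169.254.x.x tunnel-inside addresses, the prefixes and the ASNs (64512 is the TGW default, 65000 for the ASA) are assumed, and reading Pat's "ASN distance" as AS-path prepending is my interpretation.

```cisco
! --- Static-route approach (assumed nameifs, addresses and prefixes) ---
! Before: tunnel 1 has the lower administrative distance and carries all
! outbound traffic, but TGW returns traffic on tunnel 2, so every flow is
! asymmetric and the ASA drops the replies.
!   route tgw-vti1 10.0.0.0 255.255.0.0 169.254.10.1 1
!   route tgw-vti2 10.0.0.0 255.255.0.0 169.254.11.1 5
! After: swap the distances so tunnel 2 is preferred, matching TGW.
route tgw-vti2 10.0.0.0 255.255.0.0 169.254.11.1 1
route tgw-vti1 10.0.0.0 255.255.0.0 169.254.10.1 5

! --- BGP approach: make both ends agree that tunnel 1 is primary ---
! Outbound policy towards the tunnel-2 peer: prepend our ASN twice so TGW
! sees a longer AS path via tunnel 2 and sends return traffic down tunnel 1.
route-map TGW-T2-OUT permit 10
 set as-path prepend 65000 65000
! Inbound policy from the tunnel-1 peer: higher local preference so the
! ASA itself forwards outbound traffic up tunnel 1.
route-map TGW-T1-IN permit 10
 set local-preference 200

router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 169.254.10.1 remote-as 64512
  neighbor 169.254.10.1 route-map TGW-T1-IN in
  neighbor 169.254.10.1 activate
  neighbor 169.254.11.1 remote-as 64512
  neighbor 169.254.11.1 route-map TGW-T2-OUT out
  neighbor 169.254.11.1 activate
  ! assumed on-premises prefix advertised to TGW
  network 192.168.1.0 mask 255.255.255.0
  no auto-summary
  no synchronization
  exit-address-family

! Check which tunnel is actually installed as the next hop afterwards:
!   show route
!   show bgp summary
```

With either approach, confirm the fix the same way the question was diagnosed: the tunnel carrying return traffic from TGW must be the one `show route` lists as the preferred next hop for the remote prefix.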