ASA VTI to VPC Transit Gateway dual active tunnels (non BGP)

0

Following the tutorial here: https://docs.aws.amazon.com/vpc/latest/adminguide/cisco-asa-vti-no-bgp.html, I have dual tunnels to AWS, terminating at a Transit Gateway.

As both tunnels are active, I see traffic leaving on tunnel 1 and returning on tunnel 2. This results in the error 'Deny TCP (no connection)' on the ASA tunnel 2 interface. Traffic does not pass successfully to the client on the inside of the ASA.

Is there some config missing from the guide that allows this to work, or can the transit gateway be configured to use only one tunnel at a time?

Disabling one of the tunnels allows traffic to pass to the client on the inside of the ASA.

Thanks, John.

Edited by: johnnsmith on Feb 19, 2020 7:36 AM

asked 4 years ago, 651 views
4 Answers
0
Accepted Answer

Pat Kerpan from Cohesive Networks here.

Happy to have someone more TGW knowledgeable to tell different than this - I would encourage them to join in.

That said, our experience is that there is currently no specific way to know which of your two VTI routed tunnels is considered the primary and which is the secondary WITHOUT looking at traffic like you have done.

Since the traffic is "coming back" over tunnel 2, tunnel 2 is actually your primary. The answer is to change your static route metrics in the ASA config so your current tunnel 2 is the primary and tunnel 1 is the secondary.

OR more potentially troublesome - and may not be within your organization's policies - allow asymmetric routing such that the ASA will allow traffic to go "up" one tunnel and come back "down" the other.

I would recommend trying to change your static routes.

answered 4 years ago
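The metric change Pat describes, shown as an added example that is not part of the thread or the AWS guide. The tunnel interface names, the VPC CIDR and the 169.254.x.x tunnel-inside gateway addresses are assumed placeholders; the point is that the route via the tunnel the Transit Gateway actually returns traffic on gets the lower (preferred) metric, so outbound and return traffic use the same VTI and the ASA's stateful inspection sees both directions of each connection.

```cisco
! ASA static routes towards the VPC CIDR over two VTIs (assumed names/addresses).
! Metric 1 = preferred path, metric 200 = standby path used only if the first VTI goes down.
! "Tunnel2" here is the VTI the Transit Gateway currently returns traffic on.
route Tunnel2 10.0.0.0 255.255.0.0 169.254.20.1 1
route Tunnel1 10.0.0.0 255.255.0.0 169.254.10.1 200

! Verify which path is installed: only the lower-metric route should appear as active.
show route 10.0.0.0 255.255.0.0

! Symptom of a mismatch (return traffic arriving on the non-preferred VTI) is the
! "Deny TCP (no connection)" log on that tunnel interface. Re-check with:
show logging | include no connection
```

If return traffic still shows up on the other VTI after the swap, the Transit Gateway's notion of primary has changed (there is no way to set it from the TGW side with static routing), so the metrics have to be flipped again; this is the manual adjustment BGP removes.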
0

Hi Pat,

Thanks for taking the time to help me out. This was indeed the issue. Swapping the metric on the routes has solved the problem.

I've since realised that this ASA supports BGP. Am I correct in thinking I can use this to allow the devices to agree upon the primary route for traffic (rather than me manually adjusting the metric)?

Thanks again,

John.

answered 4 years ago
0

Pat Kerpan from Cohesive Networks here.

Not officially a Cisco person....but we test our security controllers (VNS3) against ASA(-X)'s in our lab.

Short answer - yes.

With BGP configs you have to configure "ASN" distance on the ASA side - where you configure the number of hops to the primary vs. the secondary.

(To our experience don't use BGP over VTI on ASA until 9.8+ software revision, but that is highly anecdotal on our part)

answered 4 years ago
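What Pat calls "ASN distance" is AS-path prepending: the ASA advertises its prefixes over the secondary tunnel with extra copies of its own ASN so the Transit Gateway sees a longer path there and returns traffic over the primary tunnel. The following is an added example, not configuration from the thread, the AWS guide or Cohesive; the ASN numbers, neighbor addresses (the AWS-side tunnel-inside IPs) and the inside prefix are assumed placeholders.

```cisco
! Assumed: ASA is AS 65000, the Transit Gateway peers are AS 64512,
! 169.254.10.1 is the neighbor over Tunnel1 (primary), 169.254.20.1 over Tunnel2 (secondary).

! Make Tunnel2 look three AS hops further away to the Transit Gateway.
route-map PREPEND-SECONDARY permit 10
 set as-path prepend 65000 65000 65000

! Prefer routes learned over Tunnel1 for traffic leaving the ASA, so the outbound
! choice matches the inbound choice the prepend produces and routing stays symmetric.
route-map PREFER-PRIMARY permit 10
 set local-preference 200

router bgp 65000
 address-family ipv4 unicast
  neighbor 169.254.10.1 remote-as 64512
  neighbor 169.254.10.1 activate
  neighbor 169.254.10.1 route-map PREFER-PRIMARY in
  neighbor 169.254.20.1 remote-as 64512
  neighbor 169.254.20.1 activate
  neighbor 169.254.20.1 route-map PREPEND-SECONDARY out
  ! Inside prefix advertised to AWS (assumed).
  network 192.168.1.0 mask 255.255.255.0
 exit-address-family

! Check that both sessions are Established and that the Tunnel1 path is the one installed.
show bgp summary
show route bgp
```

If Tunnel1 fails, its BGP session drops, the prepended path over Tunnel2 becomes the only one the Transit Gateway knows, and traffic moves over without any manual metric change; when Tunnel1 returns, the prepend makes both sides converge back onto it.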
0

Thanks again, Pat. We're using version 9.12 and we're up and running with BGP.

All the best,

John.

answered 4 years ago
