Configuring Asymmetric Routing on AWS Tunnel Interface (Route-based) VPNs

Each AWS VPN connection has two VPN tunnels. By default, AWS is configured to automatically fail over to the second VPN tunnel if the first one fails or is down for maintenance. In some cases, the VPN tunnels are on active/active configuration, so be sure to configure your firewall to tolerate asymmetric routing.

This KB article assumes you've already built the AWS VPN tunnels from scratch or used our automated process: AWS Integration with SonicWall (SonicOS 6.5.X).

The term asymmetric routing refers to a packet or connection flow that takes different paths through the network in the forward and reverse directions. For example, a packet leaves the internal network interface (X18) destined for AWS tunnel interface 1 (T_vpn_00d331bd6c99d9895_0), but the server's response to that packet returns from AWS tunnel interface 2 (T_vpn_00d331bd6c99d9895_1). As a result, the packet is dropped by the firewall.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

To allow asymmetric routing on both AWS VPN tunnel interfaces:

1.  Navigate to Network | System | Interfaces, and edit the VPN Tunnel Interface | Advanced
   
2. Select "Enable Asymmetric Route Support"
3. Click OK.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

To allow asymmetric routing on both AWS VPN tunnel interfaces:

1. Navigate to Manage | Network | Interfaces, and edit the VPN Tunnel Interface | Advanced
   
2. Select "Enable Asymmetric Route Support"
3. Click OK.