I'm not sure if load balancing would address this challenge.
We have VPN connections to Amazon Web Services (AWS). I'm asking this as a result of some limitations of the AWS VPN.
We have two ISPs, both active, but only one default route at any given time. But this doesn't mean that the second ISP can't pass traffic out and receive traffic in on that interface. Due to this nature, if we go in and create a customer gateway (AWS term for VPN peer) pointing to our second ISP, a tunnel will form (active) on that second ISP. AWS now has two active VPN tunnels with the same remote local network.

When a host in our local network sends traffic to the VPC (this is the AWS network), our firewall will use the tunnel formed on the primary ISP. But since there's also an active tunnel on our second ISP, there are times AWS/VPC sends the return traffic to that second ISP tunnel, resulting in a security association mismatch. To prevent that sporadic connection issue, we took out the customer gateway (AWS term for VPN peer) pointing to our secondary ISP and removed that tunnel-group from our firewall so that there will be only one path.

The challenge now is, in the event of a primary ISP outage, we lose our VPN connection but we still have an internet connection being served by the second ISP. We want to leverage this second ISP to form the backup tunnel during such an event, but it will not be used during normal operation (both ISPs are up).
I got this response from AWS support:
"At the moment the AWS VPC would return the traffic down all the active VPNs and cannot be bound to a specific VPN.
This could have been achieved using BGP by changing the AS_PATH parameter, but since Cisco's ASA does not support BGP, this cannot be done in this case."
I'm thinking of some sort of load balancing, or does the ASA have any other solution that will address this? Or any solution that will meet the AWS requirement (does the ASA support BGP)?