topic Re: Need advice on converting ASAs from active/standby to active/active in Network Security

Need advice on converting ASAs from active/standby to active/active

spfister336 — Thu, 12 Nov 2020 19:53:02 GMT

We are using a pair of ASA 5585Xs in active/standby mode (single context, routed mode). We have a 6509e for our core switch, which connects directly to the ASAs, and the outside interfaces on the ASA connect to a single 3850 switch.

This setup has been working fine, but lately our bandwidth needs have been growing extremely rapidly. The active firewall seems to be struggling around 2.3 Gbps and by the time the inbound traffic gets to 3 Gbps network performance is very noticably degraded.

Since the ASA5585Xs are now about 2 years end-of-sale, we are in the process of ordering a pair of Firepower 4115s to replace them. These are going to take about 4 weeks before they arrive and can be installed. In the meantime, I need to find a temporary solution to alleviate the occasion network slow downs.

I've been looking into converting the active/standby setup to active/active, so that both can pass traffic. I think I understand the general idea of how the ASA config is done. My questions:

- when the config changes are done, will I be left with two contexts on both firewalls with nearly the identical configuration (except for the ip addresses)?

- with active/active firewalls, how is the load balancing actually done? A FHRP like GLBP?

I've also looked at ASA clustering, but it looks like we would need to purchase a license to do that, and everything ASA 5585X is end-of-sale, so I'm not sure where we would get one from.

Any easier alternatives to this to tide us over for the next 4 weeks would be greatly appreciated.

Thanks!

Re: Need advice on converting ASAs from active/standby to active/active

balaji.bandi — Thu, 12 Nov 2020 20:26:53 GMT

Personally, i do not believe it will resolve your bandwidth issue, Active / Active means active /standby per context.

That means Group A Active on FW1 / FW2 Standby GroupB FW1 Standby / FW2 Active.

yes correct you can use 2 devices, but they terminate at the same place of exit point right? what advantage you getting here.

not sure what SSP you have look at the below limitation ( you can have many contexts, but box capacity same.

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-730903.html

Re: Need advice on converting ASAs from active/standby to active/active

spfister336 — Thu, 12 Nov 2020 20:34:39 GMT

I don't think it's a bandwidth issue. I think it's a processor power issue. I'm just trying to spread the load between the two devices somehow. All of our interfaces are 10 GE and we have 5 Gbps upstream bandwidth. Both boxes have SSP-20s. I've thought about upgrading those, but they'd have to be used equipment and I'm not sure the customer would want to spread money to upgrade with the new firewalls on order.

Re: Need advice on converting ASAs from active/standby to active/active

balaji.bandi — Thu, 12 Nov 2020 21:24:12 GMT

Personally, i really do not see the advantage, kind of effort you trying to help customers. making them Active/Standby to Multi Context, required downtime and planning, by the time you do all prep work and maintenance window for this task. you will get a new kit arrived on site.

Until unless its a more pressing issue, you need to identify the bottleneck and manage the crisis, plan for code migration from ASA to FTB and plan ready for the new kit goes in as soon as it arrives.

If you still like to test - the best option you can easy way is to break the Active / Standby to new Standalone, Route the traffic by removing standby ASA make another standalone. this way you have less downtime

Not sure is this make sense / but i prefer to do this, rather re-do everything.

Re: Need advice on converting ASAs from active/standby to active/active

spfister336 — Thu, 12 Nov 2020 21:30:48 GMT

I'd rather not change anything before getting the new hardware in, but I also don't want to be getting daily complaints. I may try making them both standalone as you suggest. Currently, there is one static default route to the primary firewall address. Would I need to set up some sort of FHRP?

Re: Need advice on converting ASAs from active/standby to active/active

balaji.bandi — Thu, 12 Nov 2020 22:28:18 GMT

If you have NAT enabled, i prefer to split the load, with PBR and Failover Option.