topic Thanks, everything is working in Network Security

per-session PAT and http replication in a failover (active/standby) pair

giuseppe parlato — Tue, 12 Mar 2019 04:33:10 GMT

Hi,

I have ASA 9.1(2) and I'd like to implement per-session PAT to improve pat scalability. Can someone confirm me that switching from multisession to per-session PAT will not cause any nat or connectivity temporary disruption ?

I'd also like to enable http connection table replication (right now I have a plain stateful failover). Implementing can (I don't think so I know) cause any temporary connectivity disruption ? furthermore the firewall has some cpu overload sometimes, will http replication increase firewall cpu usage ?

Thank you

Hello, As Cisco recommends

Julio Carvajal — Wed, 30 Jul 2014 23:50:45 GMT

Hello,

As Cisco recommends the Per-Session PAT should be used for hit-and-run traffic such as HTTP or HTTPS where you will avoing having the Xlate entry there for 30 seconds (default timeout) after the session is closed but it's not recommended for traffic like SIP so you will need to tweak the config to enable the feature only for what its needed.

In regards of the HTTP replication, there are not known issues about enabling this.

So do not worry about this 2 options.

Jcarvaja

CCIE 42930, 2xCCNP, JNCIS-SEC

For inmediate support http://iNetworks.cr

Thanks, everything is working

giuseppe parlato — Thu, 31 Jul 2014 16:26:08 GMT

Thanks, everything is working fine with no problems 🙂 and with no connectivity disruption as new commands where applied. What I noticed is xlate dynamic type entries decreasing but also connections decreasing, don't know why actually about the second one.

Hello, Excellent to hear that

Julio Carvajal — Thu, 31 Jul 2014 16:37:00 GMT

Hello,

Excellent to hear that.

Remember that the xlate entries will be cleared faster so you might not even be able to see them when you do a show xlate as the entry might be already deleted.

Regards