ASA 9.3 traffic zones

Hi,

Anyone tried the new traffic zones feature in ASA 9.3.2? ASA can now have several active ISPs and will load balance connections between them.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html#65622

It seems limited and I have several concerns before putting it in production:

- Does not seem to support 2 unequal bandwidth connections!

The ASA does not consider the interface bandwidth or other parameters when load balancing. You should make sure all interfaces within the same zone have the same characteristics such as MTU, bandwidth, and so on. The load-balancing algorithm is not user configurable.

Other limitations:

- Do not configure other services (such as VPN or Botnet Traffic Filter) for interfaces in a traffic zone; they may not function or scale as expected.

- Interface PAT is not supported.

Would appreciate feedback from anyone testing this. Thanks,

Patrick

14 Replies

nspasov
Cisco Employee

Hi Patrick! Did you end up using the "Traffic Zones" feature and if yes what is your feedback?

Thanks!

Last post is six months old.  Code is now up to 9.51.  Anyone using "traffic zones" on a day to day basis?  Experiences? 

Hi,

Are you seeing some issues with the implementation or have some specific queries for the same?

Also, you can check the PBR feature as well for this.

Thanks and Regards,

Vibhor Amrodia

I need IPSEC and load balancing.  I don't even want to go down the path if others have had bad experiences with it.  I checked with Cisco at the beginning of the year and they indicated that with version 9.42 they were scheduled to support IPSEC and Zones.  However, there never was a 9.42 version and they went directly to 9.51.  And thanks for your response.

Hi,

I think you can use PBR on ASA for the same.

Zone still does not support IPSEC tunnels.

Thanks and Regards,

Vibhor Amrodia

Eby Mani
Level 1

In my experience, ASA9.3.x seems to be a CPU hogger and is not stable. I've tested ASA9.3.x with average 70~80Mbps internet traffic on 5515-X, it would work fine for a day or two and start dropping all traffic.

Downgraded to ASA9.2.2 and never experienced issues during testing; with the same traffic, CPU utilization is less than 40%.

Traffic Zone is useful for DMZ server traffic; apart from this, fewer ACL + NAT rules compared to interface-based rules.

Eby

vICTOr_2003
Level 1

Hi, all

We are using Traffic Zones in conjunction with BGP.

The network design is quite simple:

- two Cisco ASA 5525-X in A/A configuration with several contexts;

- our own AS connected to two ISPs with the help of 30 Mbit/sec uplinks;

- we are receiving default routes from both providers and some of their prefixes;

- we are announcing our own /24 prefix to the Internet

Traffic Zones is the right thing to use if you want to solve "routing asymmetry" when BGP is deployed on the Cisco ASA.

Regards,

Victor

@vICTOr_2003, found this post through a Google search. I am doing a similar multiple-context with traffic zones setup. However, I am not sure how reliably NAT or PAT for outbound traffic would work with traffic zones. You mentioned that you peer BGP with ISPs, but do you do PAT for user northbound traffic to the Internet, OR do you have another firewall doing that south of the edge ASA?

Thanks,

/S

We are using a PAT for some of our internal hosts on the ASA with BGP and traffic zones and not experiencing any problems.

Cool, on your context with dual ISP, do you create two dynamic PAT rules for internal hosts using each ISP's public IP address? Is it a PAT pool or just an address?

Sorry for the wrong information, we are using NAT, not PAT :(

PAT is NOT supported with ASA and Traffic Zones, only NAT.

You can read about it here - http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html#31341

Okay, so you do not use any dynamic NAT, just 1-to-1 or identity NAT? If so, how does your user traffic get to the Internet?
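To make the NAT-versus-PAT distinction in this exchange concrete, here is an added illustration of what a dual-ISP traffic-zone configuration looks like on ASA CLI. It is not Victor's configuration or Cisco's documented example; interface names, the zone name, and all addresses (RFC 5737 / RFC 3330 documentation ranges) are constructed for this example, and the choice of `any` as the mapped interface in the NAT rule is an assumption made so that the rule is not tied to one zone member. It uses a dynamic NAT pool of public addresses rather than interface PAT, which is the unsupported form noted above.

```cisco
! Added example, not from the thread. Names and addresses are constructed.
! One zone holding both ISP-facing interfaces; the ASA load balances
! connections across zone members (algorithm not user configurable).
zone ISP-ZONE

interface GigabitEthernet0/0
 nameif isp1
 security-level 0
 ip address 198.51.100.2 255.255.255.252
 zone-member ISP-ZONE
!
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 zone-member ISP-ZONE
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0

! Equal-cost default routes, one per zone member, so both uplinks are eligible.
route isp1 0.0.0.0 0.0.0.0 198.51.100.1 1
route isp2 0.0.0.0 0.0.0.0 203.0.113.1 1

! Dynamic NAT from a pool of public addresses (assumed to be routed to us
! by both providers). No "interface" keyword: interface PAT is not supported
! for zone members, so each inside host is mapped to a pool address.
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
object network PUBLIC-POOL
 range 192.0.2.10 192.0.2.20
object network INSIDE-NET
 nat (inside,any) dynamic PUBLIC-POOL

! Verification (assumed show commands from the zones feature):
! show zone ISP-ZONE       - lists member interfaces
! show conn                - connections display the zone, not a fixed egress interface
```

The design point is that the pool must be large enough for the concurrent inside hosts, since without PAT there is no port-level overloading; sizing the pool too small shows up as new connections failing NAT rather than as an obvious routing problem.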

I have read the traffic zones documentation a few times before finding this thread. The guide only mentioned not to configure services for interfaces inside the zone. Can we configure services on the zone, or NAT VPN traffic to an inside interface? Clients are looking to load balance their ISP connections without having to buy extra gear.

Does anyone have an example configuration for VPN and/or SSL VPN using Traffic Zones? I couldn't figure out how to make it work in version 9.8.

Can an ASA be configured to load balance two or more ISP connections and still terminate a tunnel?

Sumanta Ghosh
Level 1

Hi Experts

Can this zone feature support tagged VLAN interfaces created out of a Port-Channel on an ASA cluster running on Firepower 9300?

Regards,

Sumanta.