01-20-2015 07:26 PM - edited 03-11-2019 10:22 PM
Hi,
Anyone tried the new traffic zones feature in ASA 9.3.2? ASA can now have several active ISPs and will load balance connections between them.
It seems limited and I have several concerns before putting it in production:
- Does not seem to support 2 unequal bandwidth connections!
The ASA does not consider the interface bandwidth or other parameters when load balancing. You should make sure all interfaces within the same zone have the same characteristics such as MTU, bandwidth, and so on. The load-balancing algorithm is not user configurable.
Other limitations:
- Do not configure other services (such as VPN or Botnet Traffic Filter) for interfaces in a traffic zone; they may not function or scale as expected.
- Interface PAT is not supported.
Would appreciate feedback from anyone testing this. Thanks,
Patrick
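For readers trying to picture what the feature looks like in practice, here is an added example configuration (not from this thread and not vendor-supplied) of the kind of setup Patrick describes: two outside interfaces of equal characteristics placed in one traffic zone, with equal-cost default routes so the ASA can spread connections across both ISPs. The interface names, zone name, addresses and next hops are assumptions chosen for illustration; the zone, zone-member and route commands are the documented ASA 9.3+ syntax.

```cisco
! Added example only; names, addresses and next hops are assumed.
! Both members of the zone should share MTU and bandwidth, since the
! ASA load-balances without weighing those parameters.
zone outside-zone
!
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 zone-member outside-zone
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
 zone-member outside-zone
!
! Equal-cost default routes across two interfaces are only accepted
! because both interfaces belong to the same zone.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Per the limitations quoted above, do not rely on interface PAT on
! these members and do not terminate VPN on them.
```

After applying it, `show zone` lists the zone and its member interfaces, which is the quickest check that both links actually joined before expecting traffic to be balanced.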
02-23-2015 04:37 PM
Hi Patrick! Did you end up using the "Traffic Zones" feature and if yes what is your feedback?
Thanks!
09-25-2015 04:51 AM
Last post is six months old. Code is now up to 9.51. Anyone using "traffic zones" on a day to day basis? Experiences?
09-25-2015 09:13 AM
Hi,
Are you seeing some issues with the implementation or do you have some specific queries about it?
Also, you can check the PBR feature as well for this.
Thanks and Regards,
Vibhor Amrodia
09-25-2015 09:19 AM
I need IPSEC and load balancing. I don't even want to go down the path if others have had bad experiences with it. I checked with Cisco at the beginning of the year and they indicated that with version 9.42 they were scheduled to support IPSEC and Zones. However, there never was a 9.42 version and they went directly to 9.51. And thanks for your response.
09-25-2015 09:29 AM
Hi,
I think you can use PBR on ASA for the same.
Zone still does not support IPSEC tunnels.
Thanks and Regards,
Vibhor Amrodia
02-24-2015 10:01 PM
In my experience, ASA9.3.x seems to be a CPU hogger and is not stable. I've tested ASA9.3.x with average 70~80Mbps internet traffic on 5515-X, it would work fine for a day or two and start dropping all traffic.
Downgraded to ASA9.2.2 and never experienced issues during testing, with the same traffic; CPU utilization is less than 40%.
Traffic Zone is useful for DMZ server traffic; apart from this, fewer ACL + NAT rules compared to interface-based rules.
Eby
03-18-2015 10:51 AM
Hi, all
We are using Traffic Zones in conjunction with BGP.
The network design is quite simple:
- two Cisco ASA 5525-X in A/A configuration with several contexts;
- our own AS connected to two ISPs with the help of 30 Mbit/sec uplinks;
- we are receiving default routes from both providers and some of their prefixes;
- we are announcing our own /24 prefix to the Internet
Traffic Zones is the right thing to use, if you want to solve "routing asymmetry" when the BGP is deployed on the Cisco ASA.
Regards,
Victor
03-02-2017 06:32 AM
@vICTOr_2003, found this post through google search. I am doing a similar multiple context with traffic zones setup. However I am not sure how reliably the NAT or PAT for outbound traffic would work with traffic zones. You mentioned that you peer BGP with ISPs, but do you do PAT for user northbound traffic to the Internet OR do you have another firewall doing that south of the edge ASA?
Thanks,
/S
03-03-2017 12:42 AM
We are using a PAT for some of our internal hosts on the ASA with BGP and traffic zones and not experiencing any problems.
03-03-2017 05:05 AM
Cool, on your context with dual ISP, do you create two dynamic PAT rules for internal hosts using each ISP public IP address? Is it a PAT pool or just an address?
03-03-2017 09:53 AM
Sorry for the wrong information, we are using NAT, not PAT :(
PAT is NOT supported with ASA and Traffic Zones, only NAT.
You can read about it here - http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html#31341
03-03-2017 10:43 AM
Okay. So you do not use any dynamic NAT, just 1-to-1 or identity NAT? If so, how does your user traffic get to the Internet?
06-02-2018 07:21 PM
I have read the traffic zones documentation a few times before finding this thread. The guide only mentioned not to configure services for interfaces inside the zone. Can we configure services on the zone or NAT VPN traffic to an inside interface? Clients are looking to load balance their ISP connections without having to buy extra gear.
Does anyone have an example configuration for VPN and/or SSL VPN using Traffic Zones? I couldn't figure out how to make it work in version 9.8.
Can an ASA be configured to load balance two or more ISP connections and still terminate a tunnel?
03-13-2018 04:49 AM
Hi Experts
Can this zone feature support tagged VLAN interfaces created out of a Port-Channel on an ASA cluster running on Firepower 9300?
Regards,
Sumanta.