Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2648
Views
0
Helpful
6
Replies

ASA Throughput when load balancing

Go to solution
adsyparker
Level 1
Level 1

‎10-01-2010 02:57 AM - edited ‎03-11-2019 11:48 AM

Hi,

Having looked at the specifications for the ASA-5520 on this page here (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html) I have the following key facts:

ASA 5520 Firewall Throughput: Up to 450Mbps

Maximum Firewall and IPS Throughput (SSM-20): Up to 375Mbps

If I were to run two ASA-5520s as a failover pair, and also load balance between them, would the maximum throughput potentially be 900Mbps (750Mbps with IPS)?

We are currently running an Active/Standby configuration between two 1Gbps LAN environments.  However the firewall has become a bottleneck.  If we were to upgrade this to an Active/Active configuration we believe this would give us much better throughput.

What load balancing methodologies would people advise?

Thanks in Advance

Regards,

A

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to adsyparker

‎10-01-2010 04:21 AM

You can have the exact rules, however, you can't have the exact same subnet/interfaces.

Those 2 contexts (Context-A and Context-B) needs to be virtually a separate FW unfortunately. That's why I said, it's not load balancing traffic.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎10-01-2010 03:19 AM

Please kindly be advised that ASA in Active/Active failover mode does not support traffic load balancing.

ASA Active/Active mode needs to be in multiple context mode, and you can have some context active on first ASA and some other context active on second ASA, however, you can not just load balance traffic within the same context.

Hope that makes sense.

0 Helpful

Go to solution
adsyparker
Level 1
Level 1
In response to Jennifer Halim

‎10-01-2010 03:55 AM

Hi Jennifer,

I understand that we would need to move from Single Context to Multiple Context.

However does this allow me to simply have the contexts be exact replica's of each other?  For example:

ASA1: Context-A Active, Context-B Standby

ASA2: Context-A Standby, Context-B Active

Where Context A and Context B hold identical firewall rules.

Regards,

A

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to adsyparker

‎10-01-2010 04:21 AM

You can have the exact rules, however, you can't have the exact same subnet/interfaces.

Those 2 contexts (Context-A and Context-B) needs to be virtually a separate FW unfortunately. That's why I said, it's not load balancing traffic.

0 Helpful

Go to solution
adsyparker
Level 1
Level 1
In response to Jennifer Halim

‎10-01-2010 08:02 AM

Thanks for your reply Jennifer.

I understand we would have to IP address two separate virtual firewalls (two subnets on the outside, and two on the inside).


Eg for the Outside configuration only:


Outside

ASA1 (Context A active, Context B standby):

ASA2 (Context A standby, Context B active):

Context A

Active IP = 192.168.3.1

Standby IP = 192.168.3.2

Context B

Active IP = 192.168.4.1

Standby IP = 192.168.4.2


Assume there are two switches, both trunked to each other and each with a single connection to a firewall.  We could then use static routes from the Outside switches to the inside:

SW1---SW2  - Outside

|                |

|                |

ASA1---ASA2

|               |

|               |

SW3---SW4  - Inside

It would involve a lot of static routing as dynamic protocols are out in multicontext Active/Active configurations, but I believe it is possible to implement.

Thanks for your help.

Regards,


A

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to adsyparker

‎10-01-2010 10:20 PM

Yes you are right. If they are completely separate context, you can definitely configure as per your diagram.

Common scenario would be managing multiple customers through the same physical ASA.

Example:

If you are managing 5 customers --> 5 contexts:

ASA1: Context-A (Active), Context-B (Active), Context-C (Active), Context-D (Standby) and Context-E (Standby)

ASA2: Context-A (Standby), Context-B (Standby), Context-C (Standby), Context-D (Active) and Context-E (Active)

What you would need to make sure is if one or the other ASA fails, the one ASA needs to be able to cope with the load for 5 contexts.


Say ASA-1 fails, ASA-2 has to be able to cope with all the 5 context being active on it.

0 Helpful

Go to solution
cciesec2011
Level 3
Level 3
In response to Jennifer Halim

‎10-02-2010 06:41 AM

"however, you can not just load balance traffic within the same context"

What you stated above is "technically" correct for existing code.  However, with the upcoming release of new ASA code, code name "spiker", you WILL be able to load balancing traffics within the same context.  At least, that's what I was told by a Cisco SE when I asked him about load-balancing.  Currently

ASA load balancing is nothing but a gimmick.  In other words, it is similarly to running multiple HSRP group in IOS.

By the way, Checkpoint has been doing load balancing within the same context for years with IPSO clustering or ClusterXL for years.  I am glad to see Cisco is finally recognizing this.  This will make things much easier for customers to migrate from Checkpoint over Cisco ASA platforms.  If "spiker" can also add GRE tunnel to the ASA, that will be even better.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card