Having looked at the specifications for the ASA-5520 on this page here (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html) I have the following key facts:
ASA 5520 Firewall Throughput: Up to 450Mbps
Maximum Firewall and IPS Throughput (SSM-20): Up to 375Mbps
If I were to run two ASA-5520s as a failover pair, and also load balance between them, would the maximum throughput potentially be 900Mbps (750Mbps with IPS)?
We are currently running an Active/Standby configuration between two 1Gbps LAN environments. However, the firewall has become a bottleneck. If we were to upgrade this to an Active/Active configuration, we believe this would give us much better throughput.
What load balancing methodologies would people advise?
Thanks in advance.
Please kindly be advised that ASA in Active/Active failover mode does not support traffic load balancing.
ASA Active/Active mode needs to be in multiple context mode: you can have some contexts active on the first ASA and some other contexts active on the second ASA. However, you cannot just load balance traffic within the same context.
Hope that makes sense.
I understand that we would need to move from Single Context to Multiple Context.
However, does this allow me to simply have the contexts be exact replicas of each other? For example:
ASA1: Context-A Active, Context-B Standby
ASA2: Context-A Standby, Context-B Active
Where Context A and Context B hold identical firewall rules.
Thanks for your reply Jennifer.
I understand we would have to IP address two separate virtual firewalls (two subnets on the outside, and two on the inside).
E.g. for the Outside configuration only:
ASA1 (Context A active, Context B standby):
Active IP = 192.168.3.1
Standby IP = 192.168.3.2
ASA2 (Context A standby, Context B active):
Active IP = 192.168.4.1
Standby IP = 192.168.4.2
Assume there are two switches, both trunked to each other and each with a single connection to a firewall. We could then use static routes from the Outside switches to the inside:
SW1---SW2 - Outside
SW3---SW4 - Inside
It would involve a lot of static routing, as dynamic protocols are out in multi-context Active/Active configurations, but I believe it is possible to implement.
Thanks for your help.
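To make the two-context layout described in the post above concrete, here is an added example configuration. It is not from the original thread and not Cisco's own documentation; it shows how the system execution space and the two contexts could be set up on an ASA Active/Active pair. Only the 192.168.3.x and 192.168.4.x outside addresses come from the post. The interface names, VLAN IDs, subinterface numbers, inside subnets, failover-link addressing and next-hop addresses are assumptions for illustration. The same pattern extends to the multi-customer layout discussed later in the thread: each additional context gets its own subinterfaces and is placed in failover group 1 or 2 depending on which unit should normally carry it.

```text
! --- System execution space (configured on the primary; the secondary
! --- receives it over the failover link). VLAN and interface numbers
! --- below are assumed, not taken from the thread.
mode multiple
!
interface GigabitEthernet0/0
 no shutdown
! outside for Context A (assumed VLAN 10)
interface GigabitEthernet0/0.10
 vlan 10
! outside for Context B (assumed VLAN 20)
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
! inside for Context A (assumed VLAN 110)
interface GigabitEthernet0/1.10
 vlan 110
! inside for Context B (assumed VLAN 120)
interface GigabitEthernet0/1.20
 vlan 120
!
! Failover link plus two failover groups. Group 1 is normally active on
! the primary unit, group 2 on the secondary; each context joins one group.
! Use "failover lan unit secondary" on the other ASA.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 config-url disk0:/admin.cfg
! Context A: active on ASA1, standby on ASA2
context ctxA
 allocate-interface GigabitEthernet0/0.10 outsideA
 allocate-interface GigabitEthernet0/1.10 insideA
 config-url disk0:/ctxA.cfg
 join-failover-group 1
! Context B: active on ASA2, standby on ASA1
context ctxB
 allocate-interface GigabitEthernet0/0.20 outsideB
 allocate-interface GigabitEthernet0/1.20 insideB
 config-url disk0:/ctxB.cfg
 join-failover-group 2
failover
!
! --- Context A (changeto context ctxA). Outside addresses are the ones
! --- from the post; the inside subnet and next hops are assumed.
interface outsideA
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0 standby 192.168.3.2
interface insideA
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0 standby 10.1.0.2
route outside 0.0.0.0 0.0.0.0 192.168.3.254
!
! --- Context B (changeto context ctxB): same rule set, its own subnets.
interface outsideB
 nameif outside
 security-level 0
 ip address 192.168.4.1 255.255.255.0 standby 192.168.4.2
interface insideB
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0 standby 10.2.0.2
route outside 0.0.0.0 0.0.0.0 192.168.4.254
```

With this layout the outside switches carry a static route for Context A's inside subnet via 192.168.3.1 and for Context B's inside subnet via 192.168.4.1; because the active address follows the failover group, those routes stay valid when a group fails over. Two points a practitioner should check before relying on it: the "load balancing" is only the split of contexts between the two units, so a single flow is never spread across both ASAs, and when one unit fails the survivor carries both groups, so the combined load of every context must still fit within one unit's rated throughput.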
Yes, you are right. If they are completely separate contexts, you can definitely configure it as per your diagram.
Common scenario would be managing multiple customers through the same physical ASA.
If you are managing 5 customers --> 5 contexts:
ASA1: Context-A (Active), Context-B (Active), Context-C (Active), Context-D (Standby) and Context-E (Standby)
ASA2: Context-A (Standby), Context-B (Standby), Context-C (Standby), Context-D (Active) and Context-E (Active)
What you would need to make sure of is that, if one or the other ASA fails, the remaining ASA is able to cope with the load of all 5 contexts.
Say ASA-1 fails: ASA-2 has to be able to cope with all 5 contexts being active on it.
"however, you can not just load balance traffic within the same context"
What you stated above is "technically" correct for existing code. However, with the upcoming release of new ASA code, code name "spiker", you WILL be able to load balance traffic within the same context. At least, that's what I was told by a Cisco SE when I asked him about load balancing. Currently, ASA load balancing is nothing but a gimmick. In other words, it is similar to running multiple HSRP groups in IOS.
By the way, Checkpoint has been doing load balancing within the same context for years with IPSO clustering or ClusterXL. I am glad to see Cisco is finally recognizing this. This will make things much easier for customers to migrate from Checkpoint to Cisco ASA platforms. If "spiker" can also add GRE tunnels to the ASA, that will be even better.