Need advice on converting ASAs from active/standby to active/active

spfister336
Level 2

We are using a pair of ASA 5585Xs in active/standby mode (single context, routed mode). We have a 6509e for our core switch, which connects directly to the ASAs, and the outside interfaces on the ASA connect to a single 3850 switch.

 

This setup has been working fine, but lately our bandwidth needs have been growing extremely rapidly. The active firewall seems to be struggling around 2.3 Gbps, and by the time the inbound traffic gets to 3 Gbps network performance is very noticeably degraded.

 

Since the ASA 5585Xs are now about 2 years end-of-sale, we are in the process of ordering a pair of Firepower 4115s to replace them. These are going to take about 4 weeks before they arrive and can be installed. In the meantime, I need to find a temporary solution to alleviate the occasional network slowdowns.

 

I've been looking into converting the active/standby setup to active/active, so that both can pass traffic. I think I understand the general idea of how the ASA config is done. My questions:

- when the config changes are done, will I be left with two contexts on both firewalls with nearly the identical configuration (except for the ip addresses)?

- with active/active firewalls, how is the load balancing actually done? A FHRP like GLBP?

 

I've also looked at ASA clustering, but it looks like we would need to purchase a license to do that, and everything ASA 5585X is end-of-sale, so I'm not sure where we would get one from.

 

Any easier alternatives to this to tide us over for the next 4 weeks would be greatly appreciated.

Thanks!

5 Replies

balaji.bandi
Hall of Fame

Personally, I do not believe it will resolve your bandwidth issue. Active/Active means active/standby per context.

 

That means Group A: active on FW1 / standby on FW2; Group B: standby on FW1 / active on FW2.

 

Yes, correct, you can use 2 devices, but they terminate at the same exit point, right? What advantage are you getting here?

 

Not sure what SSP you have; look at the limitation below (you can have many contexts, but the box capacity is the same).

 

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-730903.html

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
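To make the "active/standby per context" point concrete, here is the shape of an Active/Active failover configuration on the ASA system execution space. This is an added editor's example, not configuration from the post or from Cisco documentation; the interface names, VLAN numbers, addresses and context names are assumed. What it shows is that each context is joined to exactly one failover group, each group is active on exactly one unit at a time, and therefore a given inside subnet still passes through a single box: to get both boxes forwarding, the inside address space also has to be split between the two contexts.

```cisco
! Entered on the primary unit in multiple-context mode (system execution space).
! Assumed: Gi0/0 carries the inside VLANs and Gi0/1 the outside VLANs as
! subinterfaces, Gi0/6 is the failover link, Gi0/7 the stateful link.
! All names and addresses are hypothetical.
mode multiple
!
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1.110
 vlan 110
interface GigabitEthernet0/1.120
 vlan 120
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/6
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover link STATELINK GigabitEthernet0/7
failover interface ip STATELINK 10.255.2.1 255.255.255.252 standby 10.255.2.2
!
! Group 1 prefers the primary unit, group 2 prefers the secondary unit.
! This is the only place where "both boxes active" is expressed.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
! Context A serves VLAN 10 and is normally active on the primary unit.
context ctxA
 allocate-interface GigabitEthernet0/0.10 inside
 allocate-interface GigabitEthernet0/1.110 outside
 config-url disk0:/ctxA.cfg
 join-failover-group 1
!
! Context B serves VLAN 20 and is normally active on the secondary unit.
context ctxB
 allocate-interface GigabitEthernet0/0.20 inside
 allocate-interface GigabitEthernet0/1.120 outside
 config-url disk0:/ctxB.cfg
 join-failover-group 2
!
failover
```

Note that `mode multiple` converts the running configuration and reboots the unit, so this is not a change to make outside a maintenance window. After both units are up, `show failover` should list group 1 active on the primary and group 2 active on the secondary; when one unit fails, both groups run on the survivor, so the combined throughput you can count on is still what a single SSP can handle.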

spfister336
Level 2

I don't think it's a bandwidth issue. I think it's a processor power issue. I'm just trying to spread the load between the two devices somehow. All of our interfaces are 10 GE and we have 5 Gbps upstream bandwidth. Both boxes have SSP-20s. I've thought about upgrading those, but they'd have to be used equipment and I'm not sure the customer would want to spend money to upgrade with the new firewalls on order.

balaji.bandi
Hall of Fame

Personally, I really do not see the advantage in the kind of effort you are trying to put in to help the customer. Converting them from Active/Standby to multi-context requires downtime and planning; by the time you do all the prep work and the maintenance window for this task, you will have the new kit arriving on site.

 

Unless it is a more pressing issue, you need to identify the bottleneck and manage the crisis, plan for the code migration from ASA to FTD, and be ready for the new kit to go in as soon as it arrives.

 

If you still would like to test, the easiest option is to break the Active/Standby pair into standalone units: route the traffic by removing the standby ASA and making it another standalone. This way you have less downtime.

 

Not sure if this makes sense, but I would prefer to do this rather than redo everything.

 

 

BB


spfister336
Level 2

I'd rather not change anything before getting the new hardware in, but I also don't want to be getting daily complaints. I may try making them both standalone as you suggest. Currently, there is one static default route to the primary firewall address. Would I need to set up some sort of FHRP?

balaji.bandi
Hall of Fame

If you have NAT enabled, I would prefer to split the load with PBR and a failover option.

BB

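The last suggestion, as an added editor's example rather than configuration from the thread: split inside traffic across the two now-standalone ASAs with policy-based routing on the 6509, with IP SLA tracking so that a dead unit drops out of the policy. VLAN numbers, addresses, interface and object names are all assumed. The split is by source subnet so that each flow and its return path stay on one ASA: because each ASA translates to its own outside address, Internet return traffic comes back to the unit that created the translation, and the only asymmetry to watch is inbound connections to static NATs, whose inside subnets must be steered to the ASA that holds the static.

```cisco
! ---- 6509 core (IOS 12.2SX / 15.x syntax assumed) ----
! Assumed topology: user VLAN 10 = 10.10.0.0/24, user VLAN 20 = 10.20.0.0/24,
! transit VLAN 100 = 10.255.0.0/29 with the core SVI at .6,
! ASA-A inside = 10.255.0.1, ASA-B inside = 10.255.0.2 (hypothetical addressing).
!
! Probe each ASA's inside address; a unit that stops answering is removed
! from the policy and from the default route.
ip sla 1
 icmp-echo 10.255.0.1 source-interface Vlan100
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.255.0.2 source-interface Vlan100
 frequency 5
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Only Internet-bound traffic is policy-routed; inter-VLAN traffic is denied
! here so it keeps following the normal routing table.
ip access-list extended PBR-VLAN10
 deny   ip 10.10.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended PBR-VLAN20
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.20.0.0 0.0.0.255 any
!
! VLAN 10 prefers ASA-A and VLAN 20 prefers ASA-B; each falls back to the
! other unit only when its preferred next hop fails the probe.
route-map TO-ASA-A permit 10
 match ip address PBR-VLAN10
 set ip next-hop verify-availability 10.255.0.1 10 track 1
 set ip next-hop verify-availability 10.255.0.2 20 track 2
route-map TO-ASA-B permit 10
 match ip address PBR-VLAN20
 set ip next-hop verify-availability 10.255.0.2 10 track 2
 set ip next-hop verify-availability 10.255.0.1 20 track 1
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip policy route-map TO-ASA-A
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip policy route-map TO-ASA-B
!
! Anything not policy-routed still uses a tracked default route: ASA-A
! normally, with a floating route to ASA-B if ASA-A's probe fails.
ip route 0.0.0.0 0.0.0.0 10.255.0.1 track 1
ip route 0.0.0.0 0.0.0.0 10.255.0.2 10 track 2
!
! ---- On each standalone ASA (shown for ASA-A; ASA-B is the same with its
! ---- own outside address). Each unit needs its own NAT and a route back
! ---- to the user VLANs via the core SVI. 203.0.113.1 is an assumed upstream.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.0.0.0 255.0.0.0 10.255.0.6
object network INSIDE-NETS
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
```

Two caveats before relying on this for four weeks. First, breaking the pair gives up stateful failover: when one ASA dies, the sessions it was holding are lost and new flows re-home only after the SLA probe has failed for a few intervals, so size `frequency` and the tracking delay to what the users will tolerate. Second, confirm in a lab or with `show route-map` and `show ip policy` that your Supervisor and IOS release support the `verify-availability ... track` form of PBR next hop before the maintenance window; the former standby unit also needs its own interface addresses (and MAC addresses, if you had fixed them for failover) once `no failover` is applied.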
