switch requirements for active/active failover configuration on ASA

DannyHuston
Level 1

Hi all,

I have a basic setup of two 6509 chassis (non-VSS) with an etherchannel trunk between them. I have a pair of ASA 5585-X configured for active/standby (each appliance's inside interface is connected to one 6509). I also have a pair of 3560E switches, also with an etherchannel trunk between them, and the outside interfaces of each ASA connect to each. I want to explore active/active failover and what it can do for me. My questions:

1) Does this mean I get the performance of both ASAs (meaning if one appliance handles a max of 2 million connections, would active/active permit 2 million on each appliance, or would it still be just 2 million total)? Obviously I won't see combined throughput, but I am curious about the connection limit since theoretically I am now putting two appliances into use with active/active.

2) Does the 6509 need to be configured for VSS in order for active/active to work properly on the ASA, or can I keep the 6509s configured as they are? How will packets going from one ASA into the switch know how to get back to the same ASA in active/active? Likewise with the 3560E on the outside.

Thanks.

3 Replies

Julio Carvajal
VIP Alumni

1) Does this mean I get the performance of both ASAs (meaning if one appliance handles a max of 2 million connections, would active/active permit 2 million on each appliance, or would it still be just 2 million total)? Obviously I won't see combined throughput, but I am curious about the connection limit since theoretically I am now putting two appliances into use with active/active.

A/ Well, that depends on the amount of traffic one context is using.

Example:

You have contexts A and B, and of course each of the ASAs is active for one, so you will split the amount of data between the 2 units and you can see the performance improvement.

2) Does the 6509 need to be configured for VSS in order for active/active to work properly on the ASA, or can I keep the 6509s configured as they are? How will packets going from one ASA into the switch know how to get back to the same ASA in active/active? Likewise with the 3560E on the outside.

A/ I am not sure I get the whole picture of your design, but let me think... each interface in the failover group will have its own virtual MAC address, so that is how the switch will know where to send the packets back.

Let me know if you have any other questions.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Michal Garcarz
Cisco Employee

1. Yes, because both ASAs are used at the same time, BUT you have to remember that it's difficult to divide traffic exactly 50/50 and assign it to contexts. Remember that you can manage the resources assigned to contexts:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1195334

2. It depends on the type of deployment. Usually you use separate interfaces in contexts (for example, VLANs). Even when you share an interface between contexts, you use "mac-address auto". Then the same shared interface has a different MAC address in each context, and the upstream/downstream switch does not have any problem switching traffic to separate MAC addresses. So you do not need VSS to have Active/Active working correctly.

---

Michal

You need to keep this in mind:

ASA can only do Active/Active on a context basis. In other words, Active/Active in ASA is similar to using HSRP with multiple HSRP groups. Therefore, if you have a single source and single destination using different services such as http, https, ssh, and telnet, it will bind to a single context and Active/Active will NOT help you.
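To make the replies above concrete, here is an added system-context configuration fragment (not posted by anyone in this thread) for the primary unit of an active/active pair: two contexts, each joined to its own failover group, with `mac-address auto` so each context interface presents a distinct MAC to the non-VSS 6509s and the 3560Es. Interface names, VLAN numbers, IP addresses and context names are assumptions.

```text
! System execution space of the primary 5585-X; interface names, VLAN
! numbers and context names are assumptions, not the poster's configuration
mode multiple
!
interface TenGigabitEthernet0/8.10
  vlan 10
interface TenGigabitEthernet0/8.11
  vlan 11
interface TenGigabitEthernet0/7.20
  vlan 20
interface TenGigabitEthernet0/7.21
  vlan 21
! Dedicated failover/state link between the two units
failover lan unit primary
failover lan interface folink TenGigabitEthernet0/9
failover link folink TenGigabitEthernet0/9
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
!
! Group 1 is normally active on this (primary) unit, group 2 on the
! secondary unit: that is what makes the pair active/active
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
failover
!
! Every context interface gets its own MAC, so the 6509s and 3560Es learn a
! distinct address per context and return traffic reaches the unit that is
! active for that context; no VSS is needed
mac-address auto
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
! Context A rides failover group 1, context B group 2. Load is split only
! per context: all flows between one source and one destination stay in
! the context that owns their VLAN, whatever the service
context ctxA
  allocate-interface TenGigabitEthernet0/8.10 inside
  allocate-interface TenGigabitEthernet0/7.20 outside
  config-url disk0:/ctxA.cfg
  join-failover-group 1
context ctxB
  allocate-interface TenGigabitEthernet0/8.11 inside
  allocate-interface TenGigabitEthernet0/7.21 outside
  config-url disk0:/ctxB.cfg
  join-failover-group 2
```

Run `show failover` in the system execution space of each unit to confirm that group 1 is active on the primary and group 2 on the secondary; if both groups show active on one unit, the traffic split described in the replies is not happening.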
