Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
879
Views
0
Helpful
5
Replies

VSS with two ASA service modules

Bojan Zivancevic
Level 1
Level 1

‎06-22-2015 06:53 AM - edited ‎03-08-2019 12:39 AM

I am trying to figure out the use cases for ASA-SM modules inside a VSS system. The only thing I see as a viable option is to use active/active failover  to make possible for both service modules to forward traffic. But then we have to use multiple contexts, separate data paths etc...

If we would use active/standby failover then effectively only one VSS chassis would forward the traffic that has to go through the firewall. This would deny the very purpose of VSS system - enabling both switches to forward the traffic.

 

Any thoughts on this? I have tried to find more information on this on the web without any real success.

Labels:
0 Helpful
5 Replies 5

marioderosa2008
Level 1
Level 1

‎06-22-2015 07:34 AM

ASA clustering comes to mind, but then i'm not sure if you can cluster ASA-SM's

 

I havent read it fully yet but check this link out... http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-7600-series-asa-services-module/data_sheet_c78-672507.html

 

It advises that you can cluster 10 service modules in VSS... but, as always, what specific feature do you want to use, because alot of features are not supported in clusters.

 

Mario

0 Helpful

Bojan Zivancevic
Level 1
Level 1
In response to marioderosa2008

‎06-22-2015 07:51 AM

Good idea, this would provide true active/active LB but it is not supported on ASA-SM. Only 5500-X appliances are. :(

0 Helpful

Bojan Zivancevic
Level 1
Level 1
In response to Bojan Zivancevic

‎06-22-2015 07:55 AM

I have to explain myself. I was talking about clustering ASAs and this indeed is not supported on ASA-SM.

Mario you are talking about VPN clustering which is supported (max 10 modules) but this is for VPN use, completely different thing. I need plain old routing and security through both VSS chassis'.

Again, good idea, too bad that SM cannot do ASA clustering.

0 Helpful

marioderosa2008
Level 1
Level 1
In response to Bojan Zivancevic

‎06-22-2015 08:24 AM

You might be able to achieve load balancing of outbound only traffic if you use a routing protocol on the inside to provide equal cost multipath routes and then have the ASA's NAT the outbound traffic so that the return traffic always comes back to the same ASA. (as they will be stand alone ASA's)

What about that?

It just means that you have to have routing devices on the inside of the ASAs...

Of course, if you want to load balance inbound traffic for hosted services, that will be very difficult.

Mario

0 Helpful

Bojan Zivancevic
Level 1
Level 1
In response to marioderosa2008

‎06-23-2015 07:58 AM

Well the whole problem comes from the fact I am using VSS. If I am using stand alone ASAs then it contrasts the operation of VSS. Not sure how it will behave. In general, service modules "behave" like they are outside of the chassis so it might work even without a failover mechanism in place between ASAs...

This is why I was searching for more details about VSS/ASA-SM combination. ASA config guide says "look for more details on this in VSS docs", and VSS (SUP-2T) config guide says "look it up inside ASA config guide". LOL! That's how Cisco doc sometimes is...

 

From all I see it looks to me as this combination is not a recommended one. Unless you don't mind using just one firewall module all the time. I never liked playing with the packets to traffic engineer between two ASA contexts. And this is mandatory if I want to use both modules at the same time.

 

0 Helpful
Customers Also Viewed These Support Documents