Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
481
Views
1
Helpful
4
Replies

Converting Cisco ASA from active/standby to active/active

OlayinkaRookie
Level 1
Level 1

‎02-08-2024 10:22 AM

Hello all,

We're currently running a pair of 5555X in active/standby mode and have recently started seeing CPU utilization as high as 93% during peak period. We're considering changing the failover mode to active/active to see if we can share the load among the 2 physical firewalls and hopefully see reduced CPU utilization on the current active firewall. 

I'm curious to know if some of you here have implemented this and what challenges you faced. To give a little more context, we have over 450 AnyConnect users on this firewall, 4 IPSec VPNs, it's the primary internet edge device and it has a firepower module attached.

@spfister336

@balaji.bandi

 

 

Labels:
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-08-2024 11:56 AM

Active-Active on ASA is only applicable for multiple context mode whereby a given context(s) is/are Active on one firewall and other context(s) is/are Active on the other. If you don't have a use case for multiple context (most commonly used for multi-tenancy or other similar completely separate firewalls running on one device (or HA pair) then it generally would not help.

You should open a TAC case and resolve the CPU issue satisfactorily. That would be the right way to approach your issue.

0 Helpful

OlayinkaRookie
Level 1
Level 1
In response to Marvin Rhoads

‎02-08-2024 12:48 PM

Thanks Marvin.

We've opened multiple tickets with Cisco TAC and the conclusion is that the firewall is just processing a lot of traffic. That's why I added the extra details in my first post.

DATAPATH..that's the process that takes all of the CPU.

0 Helpful

MHM Cisco World
VIP
VIP
In response to OlayinkaRookie

‎02-08-2024 01:12 PM

You need license I think for multi context 

You can instead get new firepower and use it only for anyconnect' you mention 450 so these high numbers I think need dedicat fw.

MHM

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎02-09-2024 08:56 AM

adding to other post :

Try troubleshoot the issue and also make sure you have upgraded to latest stable version (that can fix any bugs and issue)

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113185-asaperformance.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents