asa5520s share load

Jun 21st, 2009

Greetings,

I have configured active/active failover on two boxes.

But it looks like two active/standby pairs added together (subnet 1 traffic goes to the first ASA5520 and subnet 2 traffic goes to the second ASA5520).

Is it possible to set up one subnet to share the load on both ASA5520s? If so, how can I do it?

Any comments will be appreciated.

Thanks in advance


dhananjoy chowdhury Mon, 06/22/2009 - 21:57

The ASA does not provide load balancing by itself. Load balancing must be handled by a router or load balancer (upstream or downstream) that forwards traffic to the desired ASA device in the cluster.

However, in an ASA active/active setup, at any point in time one particular context is active on only one firewall and standby on the other firewall. So at any point in time you are forwarding traffic to the active context only.

julxu Mon, 06/22/2009 - 22:16

Great, thanks for the reply.

If there is no load sharing, could you please advise whether there is any way to avoid a traffic bottleneck?

Any comments will be appreciated.

Thanks in advance



Correct Answer
dhananjoy chowdhury Tue, 06/23/2009 - 03:18

The ASA5520 datasheet states throughput of up to 450 Mbps, and 225 Mbps for VPN, so when you are designing the solution you should consider the existing network setup and also the volume of growth in future.

In your case it is a multi-context setup, so it won't support VPNs or dynamic routing, so you need not worry about using these features in future.

However, sometimes you may experience high traffic / firewall resource utilisation due to malware or performing VA scans through the firewall.

To avoid such situations, configure the firewall to perform anti-spoofing and prevent DoS attacks by limiting/controlling simultaneous connections/sessions.

Here is a Cisco link on preventing network attacks:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
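As an added example (not part of dhananjoy chowdhury's reply or of the linked Cisco note), here is what the two recommendations above look like in ASA configuration: unicast Reverse Path Forwarding as the anti-spoofing check, and Modular Policy Framework connection limits applied to a published server. The interface names, the server address 192.0.2.10 and the numeric limits are assumptions chosen for illustration; tune them to the connection rates you actually measure with `show conn count` on your own units.

```cisco
! Anti-spoofing: drop packets whose source address is not routed back
! through the interface they arrived on (unicast RPF check).
! Interface names are assumptions; adjust to your own.
ip verify reverse-path interface outside
ip verify reverse-path interface inside

! Connection limits for a published web server (address and numbers
! are illustrative). First select inbound HTTP to the server with an ACL
! and a class-map...
access-list WEB_SERVER_LIMIT extended permit tcp any host 192.0.2.10 eq 80
class-map WEB_SERVER_CLASS
 match access-list WEB_SERVER_LIMIT

! ...then cap total and per-client connections, including half-open
! (embryonic) TCP connections, inside the global policy.
policy-map global_policy
 class WEB_SERVER_CLASS
  set connection conn-max 10000 embryonic-conn-max 1000
  set connection per-client-max 200 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:30
  set connection random-sequence-number enable

service-policy global_policy global
```

Once the embryonic limit is reached the ASA stops passing new SYNs straight through and completes the handshake on the server's behalf (TCP intercept), so a SYN flood exhausts the firewall's own state table rather than the server's. Check the effect with `show service-policy` (per-class connection counters) and `show asp drop` (RPF and connection-limit drop counters). One caveat for the active/active design in this thread: uRPF requires a symmetric path, so if return traffic for a subnet could arrive through the other unit's context, verify the routing (or use asymmetric routing groups) before enabling the check on that interface, otherwise legitimate replies are dropped.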
