
asa5520s share load

julxu
Level 1

Greetings,

I have configured active/active failover on two boxes.

But it looks like two active/standby setups added together (subnet 1 traffic goes to the first ASA5520 and subnet 2 traffic goes to the second ASA5520).

Is it possible to set up one subnet to share the load across both ASA5520s? If so, how can I do it?

Any comments will be appreciated.

Thanks in advance

Accepted Solutions

The ASA5520 datasheet states throughput of up to 450 Mbps, and for VPN it's 225 Mbps, so when you are designing the solution you should consider the existing network setup and also the volume of future growth.

In your case it's a multi-context setup, so it won't support VPNs or dynamic routing, so you need not worry about using these features in future.

However, sometimes you may experience high traffic or firewall resource utilisation due to malware or VA scans performed through the firewall.

To avoid such situations, configure the firewall to perform anti-spoofing and prevent DoS attacks by limiting/controlling simultaneous connections/sessions.

Here is a Cisco link for preventing Network attacks.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
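
The two measures named in the accepted solution, sketched in ASA CLI as an added example (not part of the original reply or of the linked Cisco document): unicast reverse-path forwarding for anti-spoofing, and a Modular Policy Framework connection limit. The interface names `outside` and `inside`, the object names and every numeric limit are assumptions to be replaced with values taken from the measured traffic baseline.

```cisco
! Constructed example. In a multi-context active/active pair, apply inside
! each security context. Interface names, object names and all limits
! below are assumptions.

! Anti-spoofing: drop packets whose source address is not reachable
! through the interface they arrived on (unicast RPF, routed mode).
ip verify reverse-path interface outside
ip verify reverse-path interface inside

! Select the traffic to limit (here: all TCP and UDP arriving on outside).
access-list CONN-LIMIT-ACL extended permit tcp any any
access-list CONN-LIMIT-ACL extended permit udp any any

class-map CONN-LIMIT-CLASS
 match access-list CONN-LIMIT-ACL

policy-map OUTSIDE-POLICY
 class CONN-LIMIT-CLASS
  ! conn-max / embryonic-conn-max: ceilings for the whole class.
  ! per-client-max / per-client-embryonic-max: ceilings per source address,
  ! so one scanning or infected host cannot exhaust the connection table.
  set connection conn-max 20000 embryonic-conn-max 2000 per-client-max 200 per-client-embryonic-max 50
  ! Age out half-open TCP connections sooner than the default.
  set connection timeout embryonic 0:00:20

service-policy OUTSIDE-POLICY interface outside

! Checks after applying: policy counters, uRPF drops, and
! accelerated-path drop reasons.
show service-policy interface outside
show ip verify statistics
show asp drop
```

Per-client limits set too low will also cut off legitimate sources that sit behind a shared NAT address, so compare them against the peaks reported by `show conn count` before enforcing.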


3 Replies

The ASA does not provide load balancing by itself. Load balancing must be handled by a router or load balancer (upstream or downstream) to forward traffic to the desired ASA device in the cluster.

However, on ASA active/active setup, at any point of time one particular context will be active on only one firewall and standby on the other firewall. So at any point of time you are forwarding traffic to the active context only.

Great, thanks for the reply.

If there is no load sharing, could you please advise if there is any way to avoid a traffic bottleneck?

Any comments will be appreciated.

Thanks in advance
