ASA 5580 --sizing the state link

Unanswered Question
Dec 10th, 2009

Does anybody have any hard & fast rules or 'rule of thumb' type guidelines for how big the state links have to be with an ASA 5580 running multiple contexts? For example, as you add more contexts, you are of course firewalling more traffic -- how does this impact how big your state links should be?


We are currently debating whether or not our state links should be 10g, or if 1g will suffice; our "firewalling" interfaces are 1g, but we have a multi-context design that should be scalable. Thanks for any input.

Kureli Sankar (Cisco Employee) Thu, 12/10/2009 - 08:49

Yes. Our config guide link clearly talks about it. Please refer here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759


Failover Interface Speed for Stateful Links

If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.

Use the following failover interface speed guidelines for Cisco PIX security appliances and Cisco ASA adaptive security appliances:

  • Cisco ASA 5520/5540/5550 and PIX 515E/535: The stateful link speed should match the fastest data link.
  • Cisco ASA 5510 and PIX 525: Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

For optimum performance when using long distance LAN failover, the latency for the failover link should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10 milliseconds, some performance degradation occurs due to retransmission of failover messages.

All platforms support sharing of failover heartbeat and stateful link, but we recommend using a separate heartbeat link on systems with high Stateful Failover traffic.


-KS

qslrcisco Thu, 12/10/2009 - 09:25

Thanks for the response!

Even though the document does not specifically refer to the ASA 5580, I will assume the same general rule does apply -- if the state link matches the fastest firewall interface, we should be OK.

Kureli Sankar (Cisco Employee) Thu, 12/10/2009 - 09:40

Here is the config. guide for 8.1.x ASA5580: http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/failover.html#wp1051759


For Cisco ASA 5580 adaptive security appliances, stateful link speed can be 1 Gigabit with a 10 Gigabit data interface, but only non-management ports should be used for the stateful link because management ports have lower performance and cannot meet the performance requirement for stateful failover.


-KS
