Cisco ASA 5540 Active-Active Failover Resources

Unanswered Question
Mar 16th, 2010

Hi all,

I have a pair of ASA 5540 that I will be configuring for Active-Active Failover. I have some questions regarding the capacity of both firewalls when configured for Active-Active Failover.

Since the ASA 5540 supports 650 Mbps of throughput, will it be doubled to 1.3 Gbps using Active-Active Failover? Context 1, which is active on ASA 1, will get 650 Mbps and context 2, which is active on ASA 2, will get 650 Mbps. Is it possible?

Same goes for the maximum number of firewall sessions. The 5540 supports 400,000 max sessions; in an Active-Active arrangement does that increase? I mean context 1 on ASA 1 gets 400K sessions and context 2 on ASA 2 gets 400 sessions.

Thanks & Regards

Zeeshan Sanaullah

KARUPPUCHAMY MA... Tue, 03/16/2010 - 23:05


When we are configuring contexts in ASA, we are sharing the existing resources only.

A single ASA box (physical) will support max 400K sessions. If you have configured 10 contexts it doesn't mean that it will support 10x400K sessions.

Based on the resource allocation configuration in your ASA, the necessary resources will be allocated to your context. You can allocate number of interfaces, memory size, connection details, storage, etc.

If you have not configured anything it will take the default allocation class.

If you have configured Active-Active, the firewall will be used efficiently. That's all.
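
The resource allocation mentioned in the reply above, shown as an added example that is not part of any post in this thread: a constructed system-execution-space configuration for the CON1/CON2 layout discussed here. The class name, interface names, file names and limit values are assumptions; each context is capped at 200,000 connections so that both still fit within the 400K per-box figure quoted above when one unit fails and both contexts run on the surviving ASA.

```cisco
! Constructed example for the system execution space (multiple context mode).
! Class name, limits, interfaces and config file names are assumptions.

! Resource class: cap concurrent connections and new-connection rate per member context
class server-farm
  limit-resource conns 200000
  limit-resource rate conns 5000
!
! Two failover groups, one preferred on each physical unit
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! CON1 is normally active on the primary unit
context CON1
  member server-farm
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/con1.cfg
  join-failover-group 1
!
! CON2 is normally active on the secondary unit
context CON2
  member server-farm
  allocate-interface GigabitEthernet0/2
  allocate-interface GigabitEthernet0/3
  config-url disk0:/con2.cfg
  join-failover-group 2
```

`show resource allocation` and `show resource usage context CON1` in the system execution space report what each context has been granted and is consuming.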



Muhammad Zeesha... Wed, 03/17/2010 - 03:27


Let's make it a little simple. I have two ASA 5540 that I want to configure for Active-Active Failover. I have two contexts, CON1 and CON2.

CON1 is active on ASA1 and CON2 is active on ASA2. Can ASA1 provide 650 Mbps to CON1 and a max session limit of 400K sessions, and at the same time can ASA2 provide CON2 650 Mbps and a max session limit of 400K? Remember CON2 will be standby on ASA1 and CON1 will be standby on ASA2.

The reason why I am asking this is that I need more firewall throughput and sessions for the server farm. A single 5540 appliance provides 650 Mbps. I need more aggregate throughput than this, so can I use Active-Active failover for this?



KARUPPUCHAMY MA... Wed, 03/17/2010 - 04:04


I got what you are trying to say. But one thing you need to concentrate on is that when you are going to configure active-active failover in ASA with two contexts, it is OK. The way you are expecting, ASA will work. But with more than 2 contexts, I don't think so.

But even if you are configuring active-active failover, that time you need to check the resource allocation for the contexts.



