ASA Throughput when load balancing

Answered Question
Oct 1st, 2010
User Badges:

Hi,


Having looked at the specifications for the ASA-5520 on this page here (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html) I have the following key facts:


ASA 5520 Firewall Throughput: Up to 450Mbps

Maximum Firewall and IPS Throughput (SSM-20): Up to 375Mbps


If I were to run two ASA-5520s as a failover pair, and also load balance between them, would the maximum throughput potentially be 900Mbps (750Mbps with IPS)?


We are currently running an Active/Standby configuration between two 1Gbps LAN environments.  However the firewall has become a bottleneck.  If we were to upgrade this to an Active/Active configuration we believe this would give us much better throughput.


What load balancing methodologies would people advise?


Thanks in Advance


Regards,


A

Correct Answer by Jennifer Halim about 6 years 5 months ago

You can have the exact rules, however, you can't have the exact same subnet/interfaces.

Those 2 contexts (Context-A and Context-B) needs to be virtually a separate FW unfortunately. That's why I said, it's not load balancing traffic.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jennifer Halim Fri, 10/01/2010 - 03:19
User Badges:
  • Cisco Employee,

Please kindly be advised that ASA in Active/Active failover mode does not support traffic load balancing.


ASA Active/Active mode needs to be in multiple context mode, and you can have some context active on first ASA and some other context active on second ASA, however, you can not just load balance traffic within the same context.


Hope that makes sense.

adsyparker Fri, 10/01/2010 - 03:55
User Badges:

Hi Jennifer,


I understand that we would need to move from Single Context to Multiple Context.


However does this allow me to simply have the contexts be exact replica's of each other?  For example:


ASA1: Context-A Active, Context-B Standby

ASA2: Context-A Standby, Context-B Active


Where Context A and Context B hold identical firewall rules.


Regards,


A

Correct Answer
Jennifer Halim Fri, 10/01/2010 - 04:21
User Badges:
  • Cisco Employee,

You can have the exact rules, however, you can't have the exact same subnet/interfaces.

Those 2 contexts (Context-A and Context-B) needs to be virtually a separate FW unfortunately. That's why I said, it's not load balancing traffic.

adsyparker Fri, 10/01/2010 - 08:02
User Badges:

Thanks for your reply Jennifer.


I understand we would have to IP address two separate virtual firewalls (two subnets on the outside, and two on the inside).


Eg for the Outside configuration only:


Outside

ASA1 (Context A active, Context B standby):

ASA2 (Context A standby, Context B active):


Context A

Active IP = 192.168.3.1

Standby IP = 192.168.3.2


Context B

Active IP = 192.168.4.1

Standby IP = 192.168.4.2


Assume there are two switches, both trunked to each other and each with a single connection to a firewall.  We could then use static routes from the Outside switches to the inside:


SW1---SW2  - Outside

|                |

|                |

ASA1---ASA2

|               |

|               |

SW3---SW4  - Inside


It would involve a lot of static routing as dynamic protocols are out in multicontext Active/Active configurations, but I believe it is possible to implement.


Thanks for your help.


Regards,


A

Jennifer Halim Fri, 10/01/2010 - 22:20
User Badges:
  • Cisco Employee,

Yes you are right. If they are completely separate context, you can definitely configure as per your diagram.

Common scenario would be managing multiple customers through the same physical ASA.


Example:

If you are managing 5 customers --> 5 contexts:


ASA1: Context-A (Active), Context-B (Active), Context-C (Active), Context-D (Standby) and Context-E (Standby)

ASA2: Context-A (Standby), Context-B (Standby), Context-C (Standby), Context-D (Active) and Context-E (Active)


What you would need to make sure is if one or the other ASA fails, the one ASA needs to be able to cope with the load for 5 contexts.


Say ASA-1 fails, ASA-2 has to be able to cope with all the 5 context being active on it.

cciesec2011 Sat, 10/02/2010 - 06:41
User Badges:

"however, you can not just load balance traffic within the same context"


What you stated above is "technically" correct for existing code.  However, with the upcoming release of new ASA code, code name "spiker", you WILL be able to load balancing traffics within the same context.  At least, that's what I was told by a Cisco SE when I asked him about load-balancing.  Currently

ASA load balancing is nothing but a gimmick.  In other words, it is similarly to running multiple HSRP group in IOS.


By the way, Checkpoint has been doing load balancing within the same context for years with IPSO clustering or ClusterXL for years.  I am glad to see Cisco is finally recognizing this.  This will make things much easier for customers to migrate from Checkpoint over Cisco ASA platforms.  If "spiker" can also add GRE tunnel to the ASA, that will be even better.

Actions

This Discussion