Q1. What is a safe peak for a cluster (Active/Standby) pair of ASA 5520s?
During different times of the day, I can see major peaks that push the ASA cluster into the high 80s and low 90% utilization.
Q2. To combat these peaks, I've tried lowering the logging, turning off Inspections and even clustering rules so the list of ACLs is shorter for the ASA to run through for each lookup. None of these have made a measurable impact on CPU peaks. Any ideas what else I can do to save CPU time?
Not sure what the official recommendation is from Cisco, but I don't want my ASA CPU to go over 50% on average.
Our ASA5550's average 5% of CPU usage.
It should be ok to go above that from time to time though.
How long did each 80 - 90% peak last?
If it's just a few minutes I think you should be ok.
If it's constant you'll probably need to upgrade to a 5550 or 5580.
If 5580 doesn't even cut it in your evaluation, then you may need to go w/ Juniper or Palo Alto Networks...Cisco's great for their feature sets, but unfortunately you can't push as much traffic through their devices...either firewall or switches.
Anyone from Cisco reading this post...why do you guys under-engineer your products all the time?
This should go to the Security forum and not Application by the way.
Thanks! I immediately reposted it in the Security section and tried to delete this one in Application.
As for the peaks, they last for 3-5 minutes each day at specific times that are predictable. If the application responsible for these peaks is not redesigned soon, we predict those 450Meg/s peaks will be pushed upwards to 6.1Gig/s. So the 5580-40 would do the job with its 10Gig ceiling, but at quite a $$ cost!