Maximum Firewall and IPS Throughput (SSM-20): Up to 375Mbps
If I were to run two ASA-5520s as a failover pair, and also load balance between them, would the maximum throughput potentially be 900Mbps (750Mbps with IPS)?
We are currently running an Active/Standby configuration between two 1Gbps LAN environments. However, the firewall has become a bottleneck. If we were to upgrade this to an Active/Active configuration, we believe this would give us much better throughput.
What load balancing methodologies would people advise?
Please kindly be advised that ASA in Active/Active failover mode does not support traffic load balancing.
ASA Active/Active mode needs to be in multiple context mode, and you can have some contexts active on the first ASA and some other contexts active on the second ASA; however, you can not just load balance traffic within the same context.
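The arrangement this reply describes, as an added configuration sketch that is not part of the original thread. Context names, subinterfaces and file paths are constructed, and it assumes the pair is already in multiple context mode with the failover link configured.

```cisco
! Added example. Context names, subinterfaces and file paths are constructed.
! Entered in the system execution space of an ASA that is already in
! multiple context mode, with the failover link already configured.

! Group 1 prefers the primary unit, group 2 prefers the secondary unit.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt

! Each context joins exactly one failover group, so at any moment it is
! active on exactly one unit. CTX-A normally runs on the primary ASA.
context CTX-A
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/ctx-a.cfg
 join-failover-group 1

! CTX-B normally runs on the secondary ASA.
context CTX-B
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/ctx-b.cfg
 join-failover-group 2
```

Traffic is divided only by which context a VLAN is assigned to; the flows of a single context are still handled by one unit at a time.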
"however, you can not just load balance traffic within the same context"
What you stated above is "technically" correct for existing code. However, with the upcoming release of new ASA code, code name "spiker", you WILL be able to load balance traffic within the same context. At least, that's what I was told by a Cisco SE when I asked him about load-balancing. Currently, ASA load balancing is nothing but a gimmick. In other words, it is similar to running multiple HSRP groups in IOS.
By the way, Checkpoint has been doing load balancing within the same context for years with IPSO clustering or ClusterXL. I am glad to see Cisco is finally recognizing this. This will make things much easier for customers to migrate from Checkpoint over to Cisco ASA platforms. If "spiker" can also add GRE tunnels to the ASA, that will be even better.