I have a pair of ASA 5540 that I will be configuring for Active-Active Failover. I have some questions regarding the capacity of both firewalls when configured for Active-Active Failover.
Since the ASA 5540 supports 650 Mbps of throughput, will it be doubled to 1.3 Gbps using Active-Active Failover? Context 1, which is active on ASA 1, will get 650 Mbps and context 2, which is active on ASA 2, will get 650 Mbps. Is it possible?
Same goes for the maximum number of firewall sessions. The 5540 supports 400,000 max sessions; in an Active-Active arrangement does that increase? I mean context 1 on ASA 1 gets 400K sessions and context 2 on ASA 2 gets 400 sessions.
When we are configuring contexts in the ASA, we are sharing the existing resources only.
A single ASA box (physical) will support max 400K sessions. If you have configured 10 contexts, it doesn't mean that it will support 10x400K sessions.
Based on the resource allocation configuration in your ASA, the necessary resources will be allocated to your context. You can allocate number of interfaces, memory size, connection details and storage etc.
If you have not configured anything it will take the default allocation class.
If you have configured Active-Active, the firewall will be used efficiently. That's all.
Let's make it a little simple. I have two ASA 5540s that I want to configure for Active-Active Failover. I have two contexts, CON1 and CON2.
CON1 is active on ASA1 and CON2 is active on ASA2. Can ASA1 provide 650 Mbps to CON1 and a max session limit of 400K sessions, and at the same time can ASA2 provide CON2 650 Mbps and a max session limit of 400K? Remember CON2 will be standby on ASA1 and CON1 will be standby on ASA2.
The reason why I am asking this is that I need more firewall throughput and sessions for the server farm. A single 5540 appliance provides 650 Mbps. I need more aggregate throughput than this, so can I use Active-Active failover for this?
I got what you are trying to say. But one thing you need to concentrate on is that when you are going to configure active-active failover in ASA with two contexts, it is OK. The way you are expecting, ASA will work. But with more than 2 contexts, I don't think so.
But even if you are configuring active-active failover, that time you need to check the resource allocation for the contexts.
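Added example, not part of any post in this thread: a system-context configuration sketch of the per-context resource allocation the replies mention, for the CON1/CON2 Active-Active pair. The class name `farm-half` and the 200000 connection limit are assumed values, chosen so that both contexts together still fit within a single unit's 400K sessions when one ASA fails and the surviving unit becomes active for both failover groups.

```cisco
! System execution space, multiple context mode.
! Group 1 prefers the primary unit, group 2 prefers the secondary unit.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! Hypothetical class (name and limit are assumptions):
! cap each member context at half of one unit's 400K sessions.
class farm-half
  limit-resource conns 200000
!
! A context with no "member" line falls into the default class.
context CON1
  member farm-half
  join-failover-group 1
!
context CON2
  member farm-half
  join-failover-group 2
!
! allocate-interface and config-url lines for each context are omitted.
```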