per-session PAT and http replication in a failover (active/standby) pair

Hi,

I have ASA 9.1(2) and I'd like to implement per-session PAT to improve PAT scalability. Can someone confirm for me that switching from multi-session to per-session PAT will not cause any temporary NAT or connectivity disruption?

 

I'd also like to enable HTTP connection table replication (right now I have plain stateful failover). Can implementing it cause any temporary connectivity disruption (I don't think so, but I'd like to know)? Furthermore, the firewall sometimes has some CPU overload; will HTTP replication increase firewall CPU usage?

 

Thank you

Accepted Solution

Julio Carvajal
VIP Alumni

Hello,

 

As Cisco recommends, per-session PAT should be used for hit-and-run traffic such as HTTP or HTTPS, where you will avoid having the xlate entry there for 30 seconds (default timeout) after the session is closed, but it's not recommended for traffic like SIP, so you will need to tweak the config to enable the feature only for what it's needed.

 

In regard to the HTTP replication, there are no known issues about enabling this.

 

So do not worry about these 2 options.

 

Jcarvaja

CCIE 42930, 2xCCNP, JNCIS-SEC

For immediate support http://iNetworks.cr

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


3 Replies

Thanks, everything is working fine with no problems :) and with no connectivity disruption as the new commands were applied. What I noticed is that dynamic-type xlate entries are decreasing, but also connections are decreasing; I don't actually know why about the second one.

Hello,

 

Excellent to hear that.

Remember that the xlate entries will be cleared faster so you might not even be able to see them when you do a show xlate as the entry might be already deleted.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
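The configuration the accepted answer describes (per-session PAT kept for hit-and-run HTTP/HTTPS, SIP exempted so it keeps multi-session PAT) together with the HTTP replication the question asks about, and the show commands that explain the follow-up about xlates disappearing faster than `show xlate` can display them, as an added example that is not part of the thread and not Cisco's own text. The SIP port (TCP 5060), the `any4` scope and the rule-ordering remark are assumptions made for the example; the default per-session rules quoted in the comments are the ones ASA 9.x installs on its own.

```cisco
! Added example (not from the thread): per-session PAT scoped to
! hit-and-run traffic, SIP exempted, plus HTTP connection replication
! for an active/standby pair. ASA 9.1 CLI syntax.
!
! Default per-session rules on ASA 9.x, shown for reference only:
! all TCP and UDP DNS already use per-session PAT out of the box.
!   xlate per-session permit tcp any4 any4
!   xlate per-session permit udp any4 any4 eq domain
!
! Exempt SIP signaling (assumed TCP 5060) so its xlate survives the
! session the way multi-session PAT does, as the answer advises.
! Assumption: the deny rule has to be evaluated before the default
! permit rules; confirm the resulting order with the show command below.
xlate per-session deny tcp any4 any4 eq 5060
!
! Replicate HTTP connections to the standby unit. It is off by default
! because HTTP sessions are short-lived and every replicated conn costs
! CPU and failover-link bandwidth; watch CPU after enabling it.
failover replication http
!
! Verification. With per-session PAT the xlate is torn down the moment
! the TCP session closes, so a closed HTTP flow may already be gone by
! the time "show xlate" runs; the counters are the reliable signal.
show running-config xlate per-session
show xlate count
show conn count
show cpu usage
```

Apply the `xlate per-session` and `failover replication http` lines on the active unit; they are synchronised to the standby as part of the configuration replication, so no manual change is needed on the standby.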