02-17-2010 01:20 AM - edited 03-11-2019 10:10 AM
We currently have two ASA 5510s in an Active/Standby state. Our current issue is that the primary ASA is taking quite a hit from the numerous NATs and ACLs that have been implemented over time. RAM use is high, but CPU is OK.
I have given some thought to possibly changing the config to Active/Active, so that both ASAs participate in load balancing. I am concerned that this will affect or stop VPN from working. I would be grateful if someone could confirm whether this would be the case, and if there is any way to resolve it.
Thanks.
02-17-2010 02:33 AM
builder1977 wrote:
We currently have two ASA 5510s in an Active/Standby state. Our current issue is that the primary ASA is taking quite a hit from the numerous NATs and ACLs that have been implemented over time. RAM use is high, but CPU is OK.
I have given some thought to possibly changing the config to Active/Active, so that both ASAs participate in load balancing. I am concerned that this will affect or stop VPN from working. I would be grateful if someone could confirm whether this would be the case, and if there is any way to resolve it.
Thanks.
Unfortunately, active/active does not support VPNs, so it is not really an option for you. And as far as I know, you cannot upgrade the memory on the 5510 firewall.
Sorry to be the bearer of bad news, but you have two options as far as I can see:
1) Upgrade the firewalls to 5520s, which have 512 MB of RAM rather than 256.
2) Go through the NAT and ACL configuration to see if there is anything that can be removed. It's often quite surprising what config can be removed from a firewall because it is no longer in use.
Things also to consider -
i) Check the hit counts in your ACLs. If you see entries with large numbers of hits below entries with very few, move them around where possible. Obviously this may not be possible, depending on the logic of your rules.
ii) Consider using NAT exemption where possible, i.e. instead of "static (inside,dmz) 192.168.5.0 192.168.5.0 255.255.255.0", which will create entries in the xlate table, use a NAT exemption.
You may already have done all this, so apologies if I am just telling you what you already know. It could make little difference in the long run, but it is worth trying before having to upgrade.
Jon
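To make point i) above concrete, here is an added example script that is not part of the thread and not Cisco's code. It parses the text of "show access-list" in the pre-8.3 extended ACL syntax used in this thread (sample output below is constructed, not from a real ASA), bubbles busy ACEs up past idle ones, and only lets an ACE pass an earlier one when the swap cannot change what the ACL permits or denies: either both lines have the same action, or they cannot match the same packet (disjoint protocols, or disjoint source or destination networks). The check is deliberately conservative: port operators, "log" keywords and time ranges are ignored, and object-groups are treated as "could match anything". It then emits the "no access-list ..." / "access-list ... line N ..." commands that would apply each move in sequence.

```python
"""Rank ASA ACEs for reordering by hit count and check that each move is safe.

Added example; not from any poster in the thread and not Cisco code.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample of `show access-list`; not output from a real firewall.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=15) 0x1b2c3d4e
access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq smtp (hitcnt=0) 0x2c3d4e5f
access-list outside_in line 3 extended deny ip 198.51.100.0 255.255.255.0 host 192.0.2.12 (hitcnt=3) 0x3d4e5f60
access-list outside_in line 4 extended permit tcp any host 192.0.2.12 eq https (hitcnt=98213) 0x4e5f6071
access-list outside_in line 5 extended permit udp any host 192.0.2.13 eq domain (hitcnt=412000) 0x5f607182
access-list outside_in line 6 extended deny ip any any (hitcnt=77) 0x60718293
"""


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    body: str  # text after "extended", reused verbatim to remove/re-add the ACE
    hits: int
    src: Optional[ipaddress.IPv4Network]  # None = unknown (object-group etc.)
    dst: Optional[ipaddress.IPv4Network]


def _take_net(tokens):
    """Consume one address spec. None means 'unknown, assume it matches anything'."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    if tok in ("object", "object-group", "interface"):
        tokens.pop(0)  # skip the name; we cannot resolve it offline
        return None
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def _skip_ports(tokens):
    """Drop a source-port operator if present (ports are ignored on purpose)."""
    if tokens and tokens[0] in PORT_OPS:
        del tokens[: 3 if tokens[0] == "range" else 2]


def parse_show_access_list(text):
    aces = []
    for m in ACE_RE.finditer(text):
        tokens = m["rest"].split()
        src = _take_net(tokens)
        _skip_ports(tokens)
        dst = _take_net(tokens)
        body = f"{m['action']} {m['proto']} {m['rest']}"
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"],
                        body, int(m["hits"]), src, dst))
    return aces


def _overlap(a, b):
    return a is None or b is None or a.overlaps(b)


def independent(above, below):
    """True if `below` may be moved above `above` without changing the ACL's decisions."""
    if above.action == below.action:
        return True  # same verdict either way, only the matching line changes
    if above.proto != below.proto and "ip" not in (above.proto, below.proto):
        return True  # e.g. tcp vs udp can never match the same packet
    return not (_overlap(above.src, below.src) and _overlap(above.dst, below.dst))


def suggest_moves(aces):
    """Return (moves, final_order). Each move is (acl, line, place_above_line, new_pos),
    in original line numbers; new_pos is the ASA `line N` to insert at, applied in order."""
    moves, final, by_acl = [], [], {}
    for ace in aces:
        by_acl.setdefault(ace.acl, []).append(ace)
    for acl, order in by_acl.items():
        order = sorted(order, key=lambda a: a.line)
        for i in range(1, len(order)):
            ace, j = order[i], i
            # Walk upward only past lines with fewer hits that the ACE may safely pass.
            while j > 0 and order[j - 1].hits < ace.hits and independent(order[j - 1], ace):
                j -= 1
            if j < i:
                moves.append((acl, ace.line, order[j].line, j + 1))
                order.insert(j, order.pop(i))
        final.extend(order)
    return moves, [a.line for a in final]


def reorder_commands(aces):
    """CLI to apply the moves in sequence (each `no`/re-add pair relies on the previous one)."""
    body = {(a.acl, a.line): a.body for a in aces}
    cmds = []
    for acl, line, _above, pos in suggest_moves(aces)[0]:
        cmds.append(f"no access-list {acl} extended {body[(acl, line)]}")
        cmds.append(f"access-list {acl} line {pos} extended {body[(acl, line)]}")
    return cmds


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)
    for acl, line, above, _pos in suggest_moves(parsed)[0]:
        print(f"{acl}: move line {line} above line {above}")
    print("\n".join(reorder_commands(parsed)))
```

On the sample, line 5 (the busy DNS permit) can climb all the way to the top because it shares an action with lines 4, 2 and 1 and cannot match the same packets as the deny on line 3 (different destination host), while line 4 gets stuck below line 3 because that deny covers a subset of line 4's traffic and swapping them would start permitting it. Two practical caveats: hit counts only accumulate since the last "clear access-list counters" (or reload), so collect them over a representative period before deciding; and removing and re-adding an ACE resets its counter and leaves a brief window in which that line is absent, so apply the commands in a maintenance window and verify with "show access-list" afterwards.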
02-17-2010 04:38 AM
Hi Jon,
Thank you for a prompt response.
It has certainly given me some things to think about in order to release some of the load from our primary ASA.