VPN Question on Active/Active Failover

builder1977
Level 1

We currently have 2 ASA 5510s in Active/Standby state. Our current issue is that the primary ASA is taking quite a hit with the numerous NATs and ACLs that have been implemented over time. RAM use is high, but CPU is ok.

I have given some thought about possibly changing the config to Active/Active, so that both ASAs participate in load balancing. I am concerned that this will affect or stop VPN from working. I would be grateful if someone could confirm if this would be the case, and if there is any way to resolve it.

Thanks.

2 Replies

Jon Marshall
Hall of Fame

Unfortunately active/active does not support VPNs, so it is not really an option for you. And as far as I know you cannot upgrade the memory for the 5510 firewall.

Sorry to be the bearer of bad news, but you have 2 options as far as I can see -

1) Upgrade the firewalls to 5520s, which have 512 MB of RAM rather than 256 MB.

2) Go through the NAT and ACL configuration to see if there is anything that can be removed. It's often quite surprising what config can be removed from a firewall because it is no longer in use.


Things also to consider -

i) Check the hit counts in your ACLs. If you see entries with large numbers of hits below entries with very few, move them around if possible. Obviously this may not be possible, depending on the logic of your rules.

ii) Consider using NAT exemption where possible, i.e. instead of "static (inside,dmz) 192.168.5.0 192.168.5.0 255.255.255.0", which will create entries in the xlate table, use a NAT exemption.

You may already have done all this, so apologies if I am just telling you what you already know. And it could make little difference in the long run, but it is worth trying before having to upgrade.

Jon
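On point i) above (reordering ACL entries by hit count without breaking the logic of the rules), here is an added Python example that is not from this thread or from Cisco: it parses constructed `show access-list` style lines and only bubbles a busier entry above a quieter one when the two cannot match the same packet with different actions. The ACL name, addresses and hit counts are made up; object-group and port-range syntax is not modelled and is rejected rather than guessed.

```python
import re
import ipaddress
# Constructed sample in the format of ASA "show access-list" output (hypothetical rules, not from the thread).
SAMPLE = """\
access-list inside_in line 1 extended permit tcp any host 10.10.10.5 eq 22 (hitcnt=17) 0x1a2b0001
access-list inside_in line 2 extended deny ip 192.168.5.0 255.255.255.0 host 10.10.10.9 (hitcnt=4) 0x1a2b0002
access-list inside_in line 3 extended permit tcp 192.168.5.0 255.255.255.0 host 10.10.10.9 eq 443 (hitcnt=91000) 0x1a2b0003
access-list inside_in line 4 extended permit udp any host 10.10.10.53 eq 53 (hitcnt=250000) 0x1a2b0004
"""
ACE_RE = re.compile(r"^access-list \S+ line (\d+) extended (permit|deny) (\S+) (.+?) \(hitcnt=(\d+)\)")

def _spec(tok, i):
    # One endpoint: 'any' | 'host A' | 'A MASK', then an optional 'eq PORT' (ports are compared as text).
    cidr = "0.0.0.0/0" if tok[i] == "any" else tok[i + 1] + "/32" if tok[i] == "host" else tok[i] + "/" + tok[i + 1]
    net, i = ipaddress.ip_network(cidr), i + (1 if tok[i] == "any" else 2)
    if i < len(tok) and tok[i] == "eq":
        return net, tok[i + 1], i + 2
    return net, "any", i

def parse(text):
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m: continue
        tok = m.group(4).split()
        src, sport, i = _spec(tok, 0)
        dst, dport, i = _spec(tok, i)
        if i != len(tok): raise ValueError("unsupported ACE syntax (object-groups etc. not modelled): " + raw)
        entries.append({"line": int(m.group(1)), "action": m.group(2), "proto": m.group(3), "src": src,
                        "sport": sport, "dst": dst, "dport": dport, "hits": int(m.group(5))})
    return entries

def overlaps(a, b):
    # True if some packet could match both ACEs ('ip' covers every protocol, 'any' every port).
    proto = a["proto"] == b["proto"] or "ip" in (a["proto"], b["proto"])
    ports = all(x == y or "any" in (x, y) for x, y in ((a["sport"], b["sport"]), (a["dport"], b["dport"])))
    return proto and ports and a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"])

def conflicts(a, b):
    # Swapping two adjacent ACEs changes policy only if they overlap and their actions differ.
    return a["action"] != b["action"] and overlaps(a, b)

def suggest_order(entries):
    # Bubble busier ACEs upward using only adjacent swaps that leave the policy unchanged.
    order = list(entries)
    for i in range(1, len(order)):
        j = i
        while j > 0 and order[j]["hits"] > order[j - 1]["hits"] and not conflicts(order[j], order[j - 1]):
            order[j], order[j - 1] = order[j - 1], order[j]
            j -= 1
    return [e["line"] for e in order]
```

With the sample, `suggest_order(parse(SAMPLE))` returns `[4, 1, 2, 3]`: the busy DNS entry moves to the top because it can never hit the deny, while line 3 stays below the deny that overlaps it.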

Hi Jon,

Thank you for a prompt response.

It has certainly given me some things to think about in order to release some of the load from our primary ASA.
