Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Question on Active/Active Failover

We currently have 2 ASA 5510's in Active/Standby state. Our current issue is that the primary ASA is taking quite a hit with the numerous NAT'ting and ACL's that have been implemented over time. RAM use is high, but CPU is ok.

I have given some thought about possibly changing the config to Active/Active, so that both ASA's participate in load balancing. I am concerned that this will affect or stop VPN from working. I would be grateful if someone could confirm if this would be the case, and if there is any way to resolve?

Thanks.

Everyone's tags (4)
2 REPLIES
Hall of Fame Super Blue

Re: VPN Question on Active/Active Failover

builder1977 wrote:

We currently have 2 ASA 5510's in Active/Standby state. Our current issue is that the primary ASA is taking quite a hit with the numerous NAT'ting and ACL's that have been implemented over time. RAM use is high, but CPU is ok.

I have given some thought about possibly changing the config to Active/Active, so that both ASA's participate in load balancing. I am concerned that this will affect or stop VPN from working. I would be grateful if someone could confirm if this would be the case, and if there is any way to resolve?

Thanks.


Unfortunately active/active does not support VPNs so it is not really an option for you. And as far as i know you cannot upgrade the memory for the 5510 firewall.

Sorry the be the bearer of bad news but you have 2 options as far as i can see -

1) upgrade firewalls to 5520 which have 512Mb of RAM rather than 256

2) go through the NAT and acl configuration to see if there is anything that can be removed. It's often quite surprising what config can be removed from a firewall as it is no longer in use.


Things also to consider -

i) check the hits in your acls. If you see entries with large amounts of hits below entries with very few if possible move them around. Obviously this may not be possible depending on the logic of your rules

ii) consider using nat exemption where possible ie. instead of "static (inside,dmz) 192.168.5.0 192.168.5.0 255.255.255.0" which will create entries in the xlate table use a nat exemption.

You may already have done all this so apologies if i am just telling you what you already know. And it could make little difference in the long run but it is worth trying before having to upgrade.

Jon

New Member

Re: VPN Question on Active/Active Failover

Hi Jon,

Thank you for a prompt response.

It has certainly given me some things to think about in order to release some of the load from our primary ASA.

1508
Views
0
Helpful
2
Replies
CreatePlease to create content