06-21-2009 09:03 PM - edited 03-09-2019 10:23 PM
Greetings,
I have configured active/active failover on two boxes.
But it looks like two active/standby pairs added together (subnet 1 traffic goes to the first ASA5520 and subnet 2 traffic goes to the second ASA5520).
Is it possible to set up one subnet to share the load across both ASA5520s? If so, how can I do it?
Any comments will be appreciated.
Thanks in advance
06-22-2009 09:57 PM
ASA does not provide load balancing by itself. Load balancing must be handled by a router / load balancer (upstream or downstream) to forward traffic to the desired ASA device in the cluster.
However, on ASA active/active setup, at any point of time one particular context will be active on only one firewall and standby on the other firewall. So at any point of time you are forwarding traffic to the active context only.
06-22-2009 10:16 PM
Great, thanks for the reply.
If there is no load sharing, could you please advise whether there is any way to avoid a traffic bottleneck?
Any comments will be appreciated.
Thanks in advance
06-23-2009 03:18 AM
The ASA5520 datasheet states throughput of up to 450Mbps, and for VPN it's 225Mbps, so when you are designing the solution you should consider the existing network setup and also the volume of future growth.
In your case it's a multi-context setup, so it won't support VPNs or dynamic routing, so you need not worry about using these features in future.
However, sometimes you may experience high traffic/firewall resource utilisation due to some malware or performing VA scans via the firewall.
To avoid such situations, configure the firewall to perform anti-spoofing and prevent DoS attacks by limiting/controlling simultaneous connections/sessions.
Here is a Cisco link for preventing Network attacks.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
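
A configuration sketch of the controls named in the answer above (anti-spoofing and connection/session limits), added here as an example and not part of the original thread. The interface name `outside`, the context name `CTX-A`, the class and policy names, and every numeric limit are assumptions to be sized against measured baseline traffic.

```text
! --- Inside each security context ---

! Anti-spoofing: Unicast RPF drops packets whose source address
! is not reachable back through the interface they arrived on.
ip verify reverse-path interface outside

! Connection limits via the Modular Policy Framework.
! CONN-LIMIT and CONN-LIMIT-POLICY are hypothetical names.
class-map CONN-LIMIT
 match any
policy-map CONN-LIMIT-POLICY
 class CONN-LIMIT
  ! Cap total and half-open (embryonic) connections, overall and per client.
  ! Values are constructed placeholders, not recommendations.
  set connection conn-max 5000 embryonic-conn-max 1000 per-client-max 100 per-client-embryonic-max 25
  ! Age out half-open connections faster than the default.
  set connection timeout embryonic 0:00:20
service-policy CONN-LIMIT-POLICY interface outside

! --- In the system execution space (multiple context mode) ---

! Resource class so that one context cannot consume the whole
! connection table of the shared ASA5520. RES-LIMITED and CTX-A
! are hypothetical names.
class RES-LIMITED
 limit-resource conns 40%
context CTX-A
 member RES-LIMITED
```

`show service-policy interface outside`, `show ip verify statistics` and `show resource usage` report whether these limits are being hit, which helps separate a scan or malware burst from a real capacity shortfall.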