New Member

asa5520s share load

Greetings,

I have configured active/active failover on two boxes.

But it looks like two active/standby setups added together (subnet 1 traffic goes to the first ASA5520 and subnet 2 traffic goes to the second ASA5520).

Is it possible to set up one subnet to share the load across both ASA5520s? If so, how can I do it?

Any comments will be appreciated.

Thanks in advance.

3 REPLIES

Re: asa5520s share load

The ASA does not provide load balancing by itself. Load balancing must be handled by a router/load balancer (upstream or downstream) to forward traffic to the desired ASA device in the cluster.

However, on ASA active/active setup, at any point of time one particular context will be active on only one firewall and standby on the other firewall. So at any point of time you are forwarding traffic to the active context only.

New Member

Re: asa5520s share load

Many thanks for the reply.

If there is no load sharing, could you please advise whether there is any way to avoid a traffic bottleneck?

Any comments will be appreciated.

Thanks in advance.

Re: asa5520s share load (Accepted Solution)

The ASA5520 datasheet states throughput of up to 450 Mbps, and for VPN it's 225 Mbps, so when you are designing the solution you should consider the existing network setup and also the volume of future growth.

In your case it's a multi-context setup, so it won't support VPNs or dynamic routing, so you need not worry about using these features in future.

However, sometimes you may experience high traffic/firewall resource utilisation due to malware or VA scans performed through the firewall.

To avoid such situations, configure the firewall to perform anti-spoofing and prevent DoS attacks by limiting/controlling simultaneous connections/sessions.

Here is a Cisco link on preventing network attacks:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
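
The anti-spoofing and connection-limit advice in the accepted reply, sketched as ASA configuration. This is an added example, not part of the original thread or taken from the linked tech note; the interface name `outside`, the object names and every numeric limit are assumptions to be sized against the real traffic profile. In multiple-context mode these commands are entered inside each security context.

```cisco
! Constructed example. "outside", CONN-LIMIT-ACL, CONN-LIMIT-CLASS,
! OUTSIDE-POLICY and all numbers below are placeholders.

! Anti-spoofing: unicast RPF drops packets whose source address is not
! reachable through the interface on which they arrived.
ip verify reverse-path interface outside

! Select the traffic to be limited. Narrow this ACL to the published
! servers if only they need protection.
access-list CONN-LIMIT-ACL extended permit ip any any

class-map CONN-LIMIT-CLASS
 match access-list CONN-LIMIT-ACL

policy-map OUTSIDE-POLICY
 class CONN-LIMIT-CLASS
  ! Cap total and half-open (embryonic) connections for the class.
  ! Once the embryonic cap is reached the ASA answers SYNs on behalf of
  ! the server (TCP Intercept) instead of passing them through.
  set connection conn-max 20000 embryonic-conn-max 5000
  ! Cap what a single client can consume, so one infected host or one
  ! scanner cannot exhaust the connection table.
  set connection per-client-max 200 per-client-embryonic-max 50
  ! Age out half-open connections faster than the default.
  set connection timeout embryonic 0:00:20

service-policy OUTSIDE-POLICY interface outside

! Checks after applying:
!   show service-policy interface outside   (current conns and drops per class)
!   show conn count                         (connection table usage)
!   show asp drop                           (includes reverse-path drop counters)
```

Start with limits well above the observed peak from `show conn count` and tighten from there, since a cap set too low drops legitimate sessions.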
