topic Re: CPU load issues and Active/Active in General Topics

CPU load issues and Active/Active

FranciscoVargas — Tue, 31 Jan 2012 11:56:18 GMT

Hi,

We are having problems with cpu load (sometimes reaching 95%) and i was wondering if active/active configuration would help so both nodes could share the load.

Thanks

Re: CPU load issues and Active/Active

ncampagna — Tue, 31 Jan 2012 20:57:43 GMT

Hi ariadne,

Are you experiencing any performance issues or other side-effects? It may be possible to reduce the load on the firewall by modifying your configuration.

A/A is designed to handle scenarios where packets are routed asymmetrically (client to server traffic is routed through one firewall and server to client traffic is routed through the other). It's not generally recommended outside of these cases because of the added complexity involved in troubleshooting and configuring an A/A pair. A/A was not designed to give the firewall pair a performance boost above what a single firewall can handle. If a failure should occur in a network where the firewalls are oversubscribed in this manner, the single remaining firewall will not be capable of handling the load.

Thanks,

Nick Campagna

Product Management

Re: CPU load issues and Active/Active

jeffrowan — Mon, 27 Feb 2012 17:01:55 GMT

I was exploring the same possibility, but it sounds like it's not recommended. So if our one PA-2050 is being over-burdened we can't configure the secondary to share the load. At that point our only real option is to get a bigger box, correct?

Re: CPU load issues and Active/Active

ncampagna — Mon, 27 Feb 2012 17:16:57 GMT

Hi Jeff,

You do have other options aside from moving to a larger box. It's possible to optimize your security rules so that less intensive scanning is required. You could, for example, disable server response inspection if you are protecting a server in your network that is inherently trusted. You may be able to override (and therefore skip inspection of) other types of trusted traffic to free up the resources of your device for higher risk traffic. If such optimizations cannot be made, a bigger box may be your best best.

Thank you,

Nick Campagna

Product Management

Re: CPU load issues and Active/Active

along — Mon, 11 Jun 2012 07:35:35 GMT

It is possible to configure Active / Active mode but synchronize the configuration and session only ?

Alon

Re: CPU load issues and Active/Active

mikand — Mon, 11 Jun 2012 08:06:43 GMT

I think you could do this by disconnecting HA3 but that would break things.

The whole idea of the datachannel in Active/Active mode (I think) is so when packets arrives at "wrong" PA the packet is transmitted over the HA3 so it will egress on the correct box (and correct interface).

If you need more performance you could setup several PA boxes as singleunits (and use Panorama or such to manage them all form a single point) and then use routing before/after the PA's to loadbalance between your "links".

One way to loadbalance "by design" is to use several vlans for your clients. Like one vlan per floor. This way you can send vlanX through PA1, vlanY through PA2 and vlanZ through PA3. The tricky part can be how to obtain redundancy.

Another method is to use ECMP (Equal Cost MultiPath) routing which means that your inner router (in this case) would have 3 (lets assume you have 3 PA units) different defgw (or other routes) with same metric/cost. The router would then per session roundrobin the traffic over the available routes. The loadbalance algorithm can often be altered so it would use a particular route for a particular srcip (until that route fails and it would use the still working routes).

Re: CPU load issues and Active/Active

ncampagna — Mon, 11 Jun 2012 15:29:10 GMT

HA3 is required for Active/Active deployments. We use HA3 to ensure that a packet can be processed by the session owner regardless of which device receives it. This capability is essential in asymmetric environments where App-ID and Content-ID are enabled.

Thanks,

Nick

Re: CPU load issues and Active/Active

along — Tue, 12 Jun 2012 16:44:06 GMT

Hi Nick

Thank you for the quick reply.

I know what is the reason to use HA3 but the standart A/A configuration design not to increase the performance.and my need is to double the performance, I will try to explain you our network diagram:

I have 2 Cisco ASA FW (Active\Active) connected to the internet and to the Lan,I want to insert 2 PA device in virtual wire mode and I need to dubble the performance, my idea is to conect the PA in Active\Active without connecting the HA3 Link between them.

I have other integration that 2 device work in Active Active without any cable between them and the panorama sync the configuration.But now I don't have panorama and I want to sync the configuration with the HA configuration and still double the performance is it possible ?

Alon

Re: CPU load issues and Active/Active

mikand — Wed, 13 Jun 2012 06:36:31 GMT

The proper setup would be to get a Panorama and use that to setup equal rules on both singleconfigured devices (this way you would only need to configure each rule once and then Panorama would push the config out to both boxes).

Each PA would then not know that there is another PA and you could use ECMP of your routers to loadshare by session (or better based on srcip on inner router and dstip on outer router).

Re: CPU load issues and Active/Active

along — Wed, 13 Jun 2012 07:23:40 GMT

No way to sync the configuration without Panorama ?

Re: CPU load issues and Active/Active

mikand — Wed, 13 Jun 2012 08:22:35 GMT

No idea, but since there already is a setting like "Enable Config Sync" I guess it should be somewhat easy for PA to fix this if you file this as a feature request through your sales engineer.

I mean setting up HA but only enable "Enable Config Sync" and disable sessionsync etc.

Re: CPU load issues and Active/Active

ncampagna — Wed, 13 Jun 2012 15:20:10 GMT

At this time we don't offer an HA solution that allows you to oversubscribe your firewalls. The reason is that a failure will be unpredictable if you're trying to push >100% of a firewall's throughput through it. In fact, our general recommendation is to size the pair so that a single firewall can handle ALL of the traffic through the pair just in case there's a failure.

Thanks,

Nick