Is anybody currently using, or has anybody tested, HA in an active/active mode, with any insights into the performance benefit or impact of such a setup?
Is the additional complexity worth the effort and is the throughput effectively increased compared to active/passive?
Any info or advice would be appreciated!
Hello @sean_haller,
We are currently running HA in active/active which doesn't seem like too much trouble but we aren't running in a true Active/Active state. The Firewalls are Active/Active but they are vwire and routing maintains traffic through one device at a time. I don't believe we have experienced any issues related directly to the Active/Active setup.
If you do not have a requirement of running dynamic routing simultaneously on both peers and if you do not have asymmetric routing in your environment, an Active/Active setup is not suggested.
It does not increase the throughput through the device; you can do manual load sharing among the devices. But again, traffic should be such that in case of device failure, the peer device can handle all of the traffic through the network.
It does add complexity to the configuration and also to troubleshooting issues, if there are any.
Again, to repeat: if you do not have a requirement of running dynamic routing simultaneously on both peers and if you do not have asymmetric routing in your environment, an Active/Active setup is not suggested. Hope this helps. Thank you.
I would also suggest that you validate your requirement first, before implementing an A/A setup.
Q: When do you need A/A?
A: When you have asymmetrical traffic or you need to pass traffic thru a secondary path.
Q: What is our A/A definition?
A: Provides full layer 7 inspection in environments with asymmetric routing.
Q: Does A/A double my throughput?
A: No, we do not combine the CPU power of both devices for packet handling. The session table of both devices equals one device.
Q: Are we a true load balancer?
A: No, we perform load sharing, but the load distribution is handled by the routing infrastructure around us. Packet handling is determined by the firewall that receives the first packet.
Hope this helps.
Thanks for the feedback. Our network routing setup is not overly complex, with BGP being effectively managed by our edge routers. The majority of the traffic generated is between local VLANs using the PAs as the core routing device. However, performance is a priority for us, and I was wondering if having sessions split and managed by both devices separately offered any advantage. Judging by the responses received here, there seems to be no benefit for us from an active/active configuration. This makes sense from Hulk's comment on the session state table.