We are having problems with cpu load (sometimes reaching 95%) and i was wondering if active/active configuration would help so both nodes could share the load.
Are you experiencing any performance issues or other side-effects? It may be possible to reduce the load on the firewall by modifying your configuration.
A/A is designed to handle scenarios where packets are routed asymmetrically (client to server traffic is routed through one firewall and server to client traffic is routed through the other). It's not generally recommended outside of these cases because of the added complexity involved in troubleshooting and configuring an A/A pair. A/A was not designed to give the firewall pair a performance boost above what a single firewall can handle. If a failure should occur in a network where the firewalls are oversubscribed in this manner, the single remaining firewall will not be capable of handling the load.
I was exploring the same possibility, but it sounds like it's not recommended. So if our one PA-2050 is being over-burdened we can't configure the secondary to share the load. At that point our only real option is to get a bigger box, correct?
You do have other options aside from moving to a larger box. It's possible to optimize your security rules so that less intensive scanning is required. You could, for example, disable server response inspection if you are protecting a server in your network that is inherently trusted. You may be able to override (and therefore skip inspection of) other types of trusted traffic to free up the resources of your device for higher risk traffic. If such optimizations cannot be made, a bigger box may be your best best.
I think you could do this by disconnecting HA3 but that would break things.
The whole idea of the datachannel in Active/Active mode (I think) is so when packets arrives at "wrong" PA the packet is transmitted over the HA3 so it will egress on the correct box (and correct interface).
If you need more performance you could setup several PA boxes as singleunits (and use Panorama or such to manage them all form a single point) and then use routing before/after the PA's to loadbalance between your "links".
One way to loadbalance "by design" is to use several vlans for your clients. Like one vlan per floor. This way you can send vlanX through PA1, vlanY through PA2 and vlanZ through PA3. The tricky part can be how to obtain redundancy.
Another method is to use ECMP (Equal Cost MultiPath) routing which means that your inner router (in this case) would have 3 (lets assume you have 3 PA units) different defgw (or other routes) with same metric/cost. The router would then per session roundrobin the traffic over the available routes. The loadbalance algorithm can often be altered so it would use a particular route for a particular srcip (until that route fails and it would use the still working routes).
HA3 is required for Active/Active deployments. We use HA3 to ensure that a packet can be processed by the session owner regardless of which device receives it. This capability is essential in asymmetric environments where App-ID and Content-ID are enabled.
Thank you for the quick reply.
I know what is the reason to use HA3 but the standart A/A configuration design not to increase the performance.and my need is to double the performance, I will try to explain you our network diagram:
I have 2 Cisco ASA FW (Active\Active) connected to the internet and to the Lan,I want to insert 2 PA device in virtual wire mode and I need to dubble the performance, my idea is to conect the PA in Active\Active without connecting the HA3 Link between them.
I have other integration that 2 device work in Active Active without any cable between them and the panorama sync the configuration.But now I don't have panorama and I want to sync the configuration with the HA configuration and still double the performance is it possible ?
The proper setup would be to get a Panorama and use that to setup equal rules on both singleconfigured devices (this way you would only need to configure each rule once and then Panorama would push the config out to both boxes).
Each PA would then not know that there is another PA and you could use ECMP of your routers to loadshare by session (or better based on srcip on inner router and dstip on outer router).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!