CPU load issues and Active/Active


L0 Member

Hi,

We are having problems with CPU load (sometimes reaching 95%) and I was wondering if an active/active configuration would help so both nodes could share the load.

Thanks

11 Replies

Palo Alto Networks Guru

Hi ariadne,

Are you experiencing any performance issues or other side-effects? It may be possible to reduce the load on the firewall by modifying your configuration.

A/A is designed to handle scenarios where packets are routed asymmetrically (client to server traffic is routed through one firewall and server to client traffic is routed through the other). It's not generally recommended outside of these cases because of the added complexity involved in troubleshooting and configuring an A/A pair. A/A was not designed to give the firewall pair a performance boost above what a single firewall can handle. If a failure should occur in a network where the firewalls are oversubscribed in this manner, the single remaining firewall will not be capable of handling the load.

Thanks,

Nick Campagna

Product Management

I was exploring the same possibility, but it sounds like it's not recommended. So if our one PA-2050 is being over-burdened we can't configure the secondary to share the load. At that point our only real option is to get a bigger box, correct?

Palo Alto Networks Guru

Hi Jeff,

You do have other options aside from moving to a larger box. It's possible to optimize your security rules so that less intensive scanning is required. You could, for example, disable server response inspection if you are protecting a server in your network that is inherently trusted. You may be able to override (and therefore skip inspection of) other types of trusted traffic to free up the resources of your device for higher risk traffic. If such optimizations cannot be made, a bigger box may be your best bet.

Thank you,

Nick Campagna

Product Management

Hi

Is it possible to configure Active/Active mode but synchronize the configuration and sessions only?

Alon

I think you could do this by disconnecting HA3, but that would break things.

The whole idea of the data channel in Active/Active mode (I think) is so that when a packet arrives at the "wrong" PA, the packet is transmitted over HA3 so it will egress on the correct box (and correct interface).

If you need more performance you could set up several PA boxes as single units (and use Panorama or similar to manage them all from a single point) and then use routing before/after the PAs to load-balance between your "links".

One way to load-balance "by design" is to use several VLANs for your clients, like one VLAN per floor. This way you can send vlanX through PA1, vlanY through PA2 and vlanZ through PA3. The tricky part can be how to obtain redundancy.

Another method is to use ECMP (Equal Cost MultiPath) routing, which means that your inner router (in this case) would have 3 (let's assume you have 3 PA units) different default gateways (or other routes) with the same metric/cost. The router would then round-robin the traffic per session over the available routes. The load-balancing algorithm can often be altered so it would use a particular route for a particular srcip (until that route fails, at which point it would use the still-working routes).

Palo Alto Networks Guru

HA3 is required for Active/Active deployments. We use HA3 to ensure that a packet can be processed by the session owner regardless of which device receives it. This capability is essential in asymmetric environments where App-ID and Content-ID are enabled.

Thanks,

Nick

Hi Nick

Thank you for the quick reply.

I know what the reason is to use HA3, but the standard A/A configuration is not designed to increase performance, and my need is to double the performance. I will try to explain our network diagram:

I have 2 Cisco ASA firewalls (Active/Active) connected to the Internet and to the LAN. I want to insert 2 PA devices in virtual wire mode and I need to double the performance; my idea is to connect the PAs in Active/Active without connecting the HA3 link between them.

I have another integration where 2 devices work in Active/Active without any cable between them and Panorama syncs the configuration. But now I don't have Panorama and I want to sync the configuration with the HA configuration and still double the performance. Is it possible?

Alon

The proper setup would be to get a Panorama and use that to set up equal rules on both single-configured devices (this way you would only need to configure each rule once and then Panorama would push the config out to both boxes).

Each PA would then not know that there is another PA, and you could use ECMP on your routers to load-share by session (or better, based on srcip on the inner router and dstip on the outer router).
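The ECMP scheme described in the two posts above (inner router keyed on srcip, outer router keyed on dstip, with failover to the still-working routes), simulated as an added example that is not from the thread or from Palo Alto Networks. Firewall names, addresses and the session list are constructed placeholders.

```python
import hashlib

# Added example, not from the thread: three standalone PA units reachable over
# equal-cost routes from an inner (LAN-side) router and an outer (Internet-side)
# router. Firewall names, addresses and the session list are constructed.
FIREWALLS = ["PA1", "PA2", "PA3"]

def ecmp_pick(key, available):
    """Hash-based ECMP: map a flow key to one of the currently available next hops.
    The same key lands on the same hop for as long as the set of hops is unchanged."""
    if not available:
        raise RuntimeError("no working route to any firewall")
    digest = hashlib.sha256(key.encode()).digest()
    return available[int.from_bytes(digest[:4], "big") % len(available)]

def session_paths(client_ip, server_ip, available, policy):
    """Return (forward_hop, return_hop) for one client->server session.

    "src-both":    each router hashes on the packet's own source address, so the
                   return direction is keyed on the server, not the client.
    "client-both": inner router hashes on srcip, outer router on dstip (the scheme
                   suggested above); both directions are keyed on the client address.
    """
    if policy == "src-both":
        return ecmp_pick(client_ip, available), ecmp_pick(server_ip, available)
    if policy == "client-both":
        return ecmp_pick(client_ip, available), ecmp_pick(client_ip, available)
    raise ValueError(f"unknown policy {policy!r}")

def count_asymmetric(sessions, available, policy):
    """Sessions whose two directions cross different firewalls. Without HA3 no single
    box sees the whole session, so App-ID/Content-ID and TCP state tracking break."""
    return sum(1 for c, s in sessions
               if len(set(session_paths(c, s, available, policy))) == 2)

def count_moved(sessions, before, after, policy):
    """Sessions whose forward hop changes when the available set changes (e.g. a
    failure). Modulo-N hashing reshuffles more flows than just the failed hop's."""
    return sum(1 for c, s in sessions
               if session_paths(c, s, before, policy)[0]
               != session_paths(c, s, after, policy)[0])

# Constructed sample: 200 LAN clients talking to five servers.
SESSIONS = [(f"10.1.{i // 250}.{i % 250 + 1}", f"203.0.113.{i % 5 + 1}")
            for i in range(200)]
```

Running `count_asymmetric(SESSIONS, FIREWALLS, "src-both")` against `"client-both"` shows why keying both routers on the client address matters: only the latter keeps every session on one box, before and after a unit fails.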

Is there no way to sync the configuration without Panorama?

No idea, but since there already is a setting like "Enable Config Sync" I guess it should be somewhat easy for PA to fix this if you file it as a feature request through your sales engineer.

I mean setting up HA but only enabling "Enable Config Sync" and disabling session sync etc.

Palo Alto Networks Guru

At this time we don't offer an HA solution that allows you to oversubscribe your firewalls. The reason is that a failure will be unpredictable if you're trying to push >100% of a firewall's throughput through it. In fact, our general recommendation is to size the pair so that a single firewall can handle ALL of the traffic through the pair just in case there's a failure.

Thanks,

Nick
