ASA Clustering: Go Big or Go Home


ASA Overview

With the introduction of the ASA 9.0 code, the ASA now supports firewall clustering. This allows multiple ASA devices (up to 16, depending on code level and hardware) to appear as a single logical device. The advantage is that you can now take full advantage of technologies like vPC and VSS to load balance traffic across all devices in a true active/active configuration, unlike the old active/standby or active/active (multiple-context) failover modes, where for any given context one unit was always standby and not actually passing traffic.

The other advantage of this technology is that it scales close to linearly. As you add more nodes to the cluster you get predictable performance increases.

When you combine multiple units into a cluster, you can expect a performance of approximately:

  • 70% of the combined throughput
  • 60% of maximum connections
  • 50% of connections per second

For example, for throughput, the ASA 5585-X with SSP-40 can handle approximately 10 Gbps of real world firewall traffic when running alone. For a cluster of 8 units, the maximum combined throughput will be approximately 70% of 80 Gbps (8 units x 10 Gbps): 56 Gbps.

As with any other technology there are always some caveats. Here are the key hardware and software requirements. If you are planning to run clustering in your environment, please see the Cisco documentation for the full list of requirements and licensing information.

  • Must be the same ASA model, with the same amount of DRAM
  • Must use the same security context mode, single or multiple
  • Must be in the same firewall mode, routed or transparent
  • A cluster license is required for each unit

ASA Clustering Architecture

One cluster member is elected Master and the other devices are Slaves. The first unit to join the cluster becomes the Master; if several units come up together, the configured priority decides (a lower value wins, 1 being the highest priority). The Master handles all configuration and management and owns the main cluster IP address. A new Master is elected only if the current Master goes down; a higher-priority unit that joins later does not pre-empt it.

The devices use a Cluster Control Link (CCL) for intra-cluster communication (the cluster backplane). Each device must dedicate at least one hardware interface to it, and the recommended design is an EtherChannel. The CCL is used for the Master election, configuration replication, health monitoring and connection-state replication, and it also carries any packets that have to be forwarded between units. Each unit's CCL interface needs its own IP address, all on the same dedicated subnet. Only the control messages on the CCL are authenticated with the cluster key; state updates and forwarded data packets cross it in the clear, so the CCL belongs on an isolated Layer 2 segment.
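The bootstrap of the CCL and the cluster group on two units, as an added example that is not from the original post. The unit names, cluster name, key, the 192.168.255.0/24 CCL subnet and the TenGigabitEthernet port numbers are assumed values; adjust them for your hardware. Spanned EtherChannel mode is chosen because it is the recommended design.

```cisco
! ===== Unit 1 (intended Master) =====
! Two 10G ports bundled into Port-channel1 as the dedicated cluster control link.
! Port names are assumed; the CCL gets no nameif and never carries data interfaces.
interface TenGigabitEthernet0/6
 channel-group 1 mode on
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description Cluster Control Link
!
! Forwarded packets cross the CCL with cluster headers added, so raise its MTU
! (jumbo-frame reservation needs a reload on most platforms).
jumbo-frame reservation
mtu cluster 9000
!
! The data-interface mode must be set on every unit before "cluster group".
! "check-details" reports config that conflicts with the mode; "force" applies it.
cluster interface-mode spanned check-details
cluster interface-mode spanned force
!
cluster group corp-cluster
 local-unit asa1
 cluster-interface Port-channel1 ip 192.168.255.1 255.255.255.0
 ! priority 1..100, lower value wins the Master election (no pre-emption later)
 priority 1
 ! Shared secret authenticating control messages on the CCL only. Connection
 ! state and forwarded data packets are sent in the clear, so keep the CCL on
 ! an isolated VLAN or switch rather than sharing it with production traffic.
 key CclSharedSecret1
 ! Seconds without a heartbeat before a unit is declared failed
 health-check holdtime 3
 ! Virtual system MAC used by LACP on spanned EtherChannels
 clacp system-mac auto
 enable noconfirm

! ===== Unit 2 (Slave) =====
! Identical physical CCL and mode settings; only the unit name, CCL IP and
! priority differ. The rest of the running config replicates from the Master.
interface TenGigabitEthernet0/6
 channel-group 1 mode on
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode on
 no shutdown
jumbo-frame reservation
mtu cluster 9000
cluster interface-mode spanned force
cluster group corp-cluster
 local-unit asa2
 cluster-interface Port-channel1 ip 192.168.255.2 255.255.255.0
 priority 2
 key CclSharedSecret1
 enable
```

Bring the units up one at a time: enable the Master first, confirm it is elected, then enable each Slave so it joins an existing cluster rather than racing for the election. Units that fail the join (different model, mode, DRAM, or a mismatched key) are rejected on the CCL and stay out of the cluster.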

There are two supported data interface modes.

Spanned EtherChannel – Layer 2

  • Group one or more interfaces per unit into an EtherChannel that spans all units in the cluster.
  • The EtherChannel aggregates the traffic across all the available active interfaces in the channel.
  • This is the recommended design
  • All units share the same IP address and MAC address on the spanned EtherChannel
  • Supports MCEC (VSS, vPC, etc.)
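A pair of spanned EtherChannel data interfaces, as an added example that is not from the original post. It assumes a cluster already bootstrapped in spanned mode, with each unit's Te0/8 cabled to switch 1 and Te0/9 to switch 2 of a vPC or VSS pair; the port names, port-channel numbers, MAC and IP addresses are made-up values.

```cisco
! Configured on the Master only; data-interface config replicates to all units.
! vss-id tells the ASA which half of the MCEC pair each member port faces.
interface TenGigabitEthernet0/8
 channel-group 10 mode active vss-id 1
 no shutdown
interface TenGigabitEthernet0/9
 channel-group 10 mode active vss-id 2
 no shutdown
!
interface Port-channel10
 ! One EtherChannel spanning every unit in the cluster; vss-load-balance keeps
 ! the ASA-to-switch links balanced across the two upstream switches.
 port-channel span-cluster vss-load-balance
 ! Set the MAC manually so it does not change when a new Master is elected.
 mac-address 0200.0000.0a0a
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/0
 channel-group 11 mode active vss-id 1
 no shutdown
interface GigabitEthernet0/1
 channel-group 11 mode active vss-id 2
 no shutdown
interface Port-channel11
 port-channel span-cluster vss-load-balance
 mac-address 0200.0000.0b0b
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Only the Master runs the routing process; the table is synced to the Slaves.
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0
 network 10.1.1.0 255.255.255.0 area 0
```

On the switch side this is an ordinary LACP port-channel on the vPC/VSS pair. Pick a load-balancing hash that includes both source and destination IP (and ports), and use the same hash on both the inside and outside port-channels, so both directions of a flow land on the same ASA instead of being forwarded across the CCL.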


Individual Mode – Layer 3

  • Each device has a separate IP address on each data interface
  • Uses dynamic routing to load-balance traffic (Think ECMP)
  • Etherchannels are local to each member
  • Interface IPs are assigned from pools configured on the Master unit


In individual mode, each device maintains its own routing adjacencies. The disadvantages are slower convergence and higher processor utilization, because each unit maintains its own routing table. In spanned EtherChannel mode, only the Master ASA runs the dynamic routing process; the routing and ARP tables are synchronized to the slave devices.
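The individual-mode equivalent, as an added example that is not from the original post. Addresses, pool names and port names are assumed, and it is sized for an 8-unit cluster, so each pool holds eight addresses in addition to the main cluster IP.

```cisco
! Set on every unit before "cluster group"; a unit in the other mode cannot join.
cluster interface-mode individual force
!
! Pools hand out one address per unit; size them for the largest cluster you
! plan to run (8 here). The main cluster IP in "ip address" always belongs to
! the current Master.
ip local pool outside-pool 203.0.113.11-203.0.113.18 mask 255.255.255.0
ip local pool inside-pool 10.1.1.11-10.1.1.18 mask 255.255.255.0
!
! Configured on the Master and replicated; each unit then takes its own
! address from the pool for the interface.
interface TenGigabitEthernet0/8
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 cluster-pool outside-pool
interface TenGigabitEthernet0/9
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 cluster-pool inside-pool
!
! Every unit forms its own adjacency with the upstream routers, which then
! spread flows across the cluster with ECMP over the eight next hops.
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0
 network 10.1.1.0 255.255.255.0 area 0
```

The cost shows up on the routers as well as on the ASAs: eight neighbours per segment, and a unit failure means an adjacency timeout and an ECMP reconvergence rather than an LACP member simply dropping out of the bundle.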

How the ASA manages connections

When a connection is load-balanced to a member of the cluster, that unit becomes the owner of both directions of the connection. If any of that connection's packets arrive at a different unit (a forwarder), they are forwarded to the owner over the cluster control link. This is why symmetric load-balancing is recommended: both directions of a flow should arrive at the same unit, and flows should be distributed evenly between the ASAs; otherwise the CCL ends up carrying the asymmetric half of every flow.

For each connection there is also a unit that acts as the director. The director answers owner look-up requests from forwarders and keeps a copy of the connection state so that it can serve as the backup if the owner fails. When the owner receives a new connection, it chooses a director by hashing the connection's source/destination IP addresses and ports and sends a message to that director to register the new connection.
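The checks I would run to confirm the election, the health of the CCL and whether the upstream hash is actually distributing flows symmetrically; this list is added here and is not from the original post. Command availability varies slightly by code level, so verify on your own release.

```cisco
! Master/Slave roles, unit states and the cluster name
show cluster info
! Per-unit heartbeat status over the CCL
show cluster info health
! Confirm every unit agrees on spanned vs. individual mode
show cluster interface-mode
! Join, leave and election events over time
show cluster history
! Aggregate connection count across the whole cluster
show cluster conn count
! Run a command on every unit and compare the outputs side by side.
! Roughly equal per-unit connection counts mean the upstream hash is spreading
! flows; one unit with far fewer connections than the others points at a
! skewed or asymmetric hash on the vPC/VSS pair.
cluster exec show conn count
! Member ports of the CCL and spanned EtherChannels on each unit
cluster exec show port-channel summary
```

Traffic on the CCL that rises with data throughput, rather than staying at the level of heartbeats and state updates, is the usual sign that flows are arriving at forwarders instead of their owners.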


All diagrams in this post are courtesy of Cisco


About Matt Pinizzotto

Matt Pinizzotto is a Cloud Networking and Security Consultant, VCIX-NV and CCIE #44694.
This entry was posted in ASA, Cisco, Data Center.
