Thursday, 14 October 2010

PIX, ASA, FWSM firewall - different number of connections on primary and secondary (active and standby)

When issuing commands show connections or show resource usage different number of connections is usually noticed on active and standby PIX or ASA appliance or FWSM module. Same is true no matter if single context or multiple contexts are used. These numbers, graphs or statistics are also present in management software such as Infovista, HP Openview and so on, since SNMP OID (and OIDs) are directly mapped from same statistics. So number of connections on active firewall is larger than number of connections on standby firewall.
ASA#show conn
71590 in use, 80688 most used
 Network Processor 1 connections 
UDP outside 10.10.10.1:33222 inside 192.168.1.1:23445 idle 0:02:27 Bytes 149 
 FLAGS - 
TCP outside 10.10.10.1:33222 inside 192.168.1.1:23445 idle 0:00:01 Bytes 8378 FLAGS - UOI


ASA#sh res usa
Resource              Current         Peak      Limit        Denied Context
SSH                         1            2          5             0 context1
Syslogs [rate]              4         9400       9400        608779 context1
Conns                   19471        80688      80000             0 context1
Xlates                  69659        90088      56901             0 context1
Hosts                   62848        85442      56901             0 context1
Conns [rate]              228        27689      66600             0 context1
Syslogs [rate]              0           10         00           956 test
Conns                       4          380       2000             0 test
Xlates                     21           22        242             0 test
Hosts                      21           22        242             0 test
Syslogs [rate]              0           10         00           956 production
Conns                       4          380       2000             0 production
Xlates                     21           22        242             0 production
Hosts                      21           22        242             0 production

Reason for this is that HTTP connections are not replicated by default. If needed, HTTP sessions replication can be turned on by issuing failover replication http command.
hostname(config)# failover replication http
Posted by Milan Mesic at 02:02 0 comments
Labels: , , , ,
Subscribe to: Posts (Atom)

Disclaimers: This is a personal weblog. The opinions expressed here are entirely my own and not those of my employer and/or its affiliates. This material is not sponsored or endorsed by Cisco Systems, Inc. Cisco, Cisco Systems, CCIE and the CCIE Logo, CCDP, CCNA and CCDA are trademarks of Cisco Systems, Inc. and its affiliates.