Thursday, 14 October 2010

PIX, ASA, FWSM firewall - different number of connections on primary and secondary (active and standby)

When issuing the show conn or show resource usage commands, a different number of connections is usually noticed on the active and standby PIX or ASA appliance or FWSM module. The same is true whether single or multiple contexts are used. These numbers, graphs and statistics also appear in management software such as InfoVista, HP OpenView and so on, since the SNMP OIDs are mapped directly from the same statistics. The number of connections on the active firewall is therefore larger than the number of connections on the standby firewall.
ASA#show conn
71590 in use, 80688 most used
Network Processor 1 connections
UDP outside 10.10.10.1:33222 inside 192.168.1.1:23445 idle 0:02:27 Bytes 149 FLAGS -
TCP outside 10.10.10.1:33222 inside 192.168.1.1:23445 idle 0:00:01 Bytes 8378 FLAGS - UOI
ASA#sh res usa
Resource Current Peak Limit Denied Context
SSH 1 2 5 0 context1
Syslogs [rate] 4 9400 9400 608779 context1
Conns 19471 80688 80000 0 context1
Xlates 69659 90088 56901 0 context1
Hosts 62848 85442 56901 0 context1
Conns [rate] 228 27689 66600 0 context1
Syslogs [rate] 0 10 00 956 test
Conns 4 380 2000 0 test
Xlates 21 22 242 0 test
Hosts 21 22 242 0 test
Syslogs [rate] 0 10 00 956 production
Conns 4 380 2000 0 production
Xlates 21 22 242 0 production
Hosts 21 22 242 0 production

The reason is that HTTP connections are not replicated to the standby unit by default, so the standby only knows about the non-HTTP connections. If needed, HTTP session replication can be turned on with the failover replication http command:
hostname(config)# failover replication http
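To put a number on the gap described above, here is an added example (my own script, not part of the original post or any Cisco tool) that parses show resource usage output from both units in the format shown earlier and reports, per context, how many active-unit connections are absent on the standby; the sample outputs are constructed, and the standby figures are assumed.

```python
import re

# Constructed `show resource usage` samples in the format shown in the post;
# the standby unit's counters are assumed, not taken from a real device.
ACTIVE_UNIT = """\
Resource Current Peak Limit Denied Context
SSH 1 2 5 0 context1
Conns 19471 80688 80000 0 context1
Xlates 69659 90088 56901 0 context1
Conns [rate] 228 27689 66600 0 context1
Conns 4 380 2000 0 test
"""
STANDBY_UNIT = """\
Resource Current Peak Limit Denied Context
SSH 1 2 5 0 context1
Conns 6102 41002 80000 0 context1
Xlates 69659 90088 56901 0 context1
Conns [rate] 228 27689 66600 0 context1
Conns 4 380 2000 0 test
"""

# One data row: resource (optionally suffixed " [rate]"), four counters, context.
ROW = re.compile(r"^(?P<res>\S+(?: \[rate\])?)\s+(?P<cur>\d+)\s+(?P<peak>\d+)"
                 r"\s+(?P<limit>\S+)\s+(?P<denied>\d+)\s+(?P<ctx>\S+)$")

def parse_resource_usage(text):
    """Map (context, resource) -> counters; the header and blank lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # a non-numeric Limit (e.g. unlimited) is kept as None
            rows[(m["ctx"], m["res"])] = {
                "cur": int(m["cur"]), "peak": int(m["peak"]), "denied": int(m["denied"]),
                "limit": int(m["limit"]) if m["limit"].isdigit() else None}
    return rows

def conn_gap(active, standby):
    """Per context: (active Conns, standby Conns, fraction of active conns missing on standby)."""
    gap = {}
    for (ctx, res), a in active.items():
        if res == "Conns":
            s = standby.get((ctx, res), {"cur": 0})["cur"]
            gap[ctx] = (a["cur"], s, round((a["cur"] - s) / a["cur"], 2) if a["cur"] else 0.0)
    return gap

def over_limit(rows):
    """Resources whose Peak exceeded the configured Limit, i.e. the class limit was hit."""
    return [k for k, v in rows.items() if v["limit"] is not None and v["peak"] > v["limit"]]

if __name__ == "__main__":
    a, s = parse_resource_usage(ACTIVE_UNIT), parse_resource_usage(STANDBY_UNIT)
    for ctx, (ac, sc, frac) in conn_gap(a, s).items():
        print(f"{ctx}: active={ac} standby={sc} missing_on_standby={frac:.0%}")
    print("peak over limit:", over_limit(a))
```

A large gap on a context is the expected picture while HTTP replication is off; enabling it closes the gap at the cost of more traffic on the failover link, so the same check run afterwards shows whether the change took effect.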

Disclaimers: This is a personal weblog. The opinions expressed here are entirely my own and not those of my employer and/or its affiliates. This material is not sponsored or endorsed by Cisco Systems, Inc. Cisco, Cisco Systems, CCIE and the CCIE Logo, CCDP, CCNA and CCDA are trademarks of Cisco Systems, Inc. and its affiliates.