High CPU Utlization.
We are currently using NSA 3600 firewall in HA as a active standby mode. From past few days we are facing High CPU utilization issue due to DATA plane reach to 90-100% because of high amount of traffic.
To reduce CPU utilization I am planning to use HA in active/active DPI mode instead of active/standby.
Will doing this reduce CPU or Data plane utlisation in some extent or data plane remains same..??
Ajishlal Community Legend ✭✭✭✭✭
The benefits of Active/Active Clustering include the following:
• All the firewalls in the cluster are utilized to derive maximum throughput
• Can run in conjunction with Active/Active DPI to perform concurrent processing of IPS, GAV, Anti-Spyware, and App Rules services, which are the most processor intensive, on the standby firewall in each HA pair while the active firewall performs other processing
• Load sharing is supported by allowing the assignment of particular traffic flows to each node in the cluster
• All nodes in the cluster provide redundancy for the other nodes, handling traffic as needed if other nodes go down
• Interface redundancy provides secondary for traffic flow without requiring fail-over
• Both Full Mesh and non-Full Mesh deployments are supported
For more information please check below KB for the HA Setup.1
preston Enthusiast ✭✭@Ninad94 , just to clarify if you want to use Active/Active clustering you need another device(s) (depending on Interfaces used) which are capable of doing the load balancing unlike the Active/Active DPI deployment.
you also need to fully license the HA appliance to use the DPI services on both appliances ( which you don't if using Active/Active DPI) you just need the expanded license on the primary appliance.
unfortunately it can work out a lot more expensive than you first anticipated due to the extra hardware to do the loadbalancing and the additional licenses
We have been asking for years for the Active/Active DPI to be available for the NSa 3600/3650 & the NSa 4600/4650 devices not just the NSa 5600/5650 and supermassive devices, but its never happened, not sure why as I'm sure at least the NSa 3650's and the NSa 4650's would be more than capable.1
can you give result of command "diag show cpu" ?
Hi @Ninad94 ,
Was your question successfully answered?