<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic FTD performance issue in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ftd-performance-issue/m-p/4189848#M1076194</link>
    <description>&lt;P&gt;I have discovered an issue I'm hoping someone can help me with. We are using an ASA 5516X as a VPN headend for RA. All the RA traffic goes from the inside interface of the ASA to an FTD 2130. We ran some speed tests and found that when the traffic goes through the ACP of the FTD our speeds are severely limited. If I set up a fastpath rule, our VPN speeds are what they should be based on the RA's ISP. I.e., when I do a speed test from my AnyConnect session I get a flat line speed of 6Mbps without the fastpath rule. With the fastpath rule in place I get speeds of 24Mbps. I've tried changing the ACP rule to "trust" and turning off file and IPS inspection but I get the same results. Only fastpathing the traffic gets me the speed I would expect. All traffic is tunneled to the ASA and so goes through the FTD. Running FTD 6.4.0.9. Any suggestions would be greatly appreciated.&lt;/P&gt;</description>
    <pubDate>Fri, 27 Nov 2020 19:11:25 GMT</pubDate>
    <dc:creator>scruse</dc:creator>
    <dc:date>2020-11-27T19:11:25Z</dc:date>
    <item>
      <title>FTD performance issue</title>
      <link>https://community.cisco.com/t5/network-security/ftd-performance-issue/m-p/4189848#M1076194</link>
      <description>&lt;P&gt;I have discovered an issue I'm hoping someone can help me with. We are using an ASA 5516X as a VPN headend for RA. All the RA traffic goes from the inside interface of the ASA to an FTD 2130. We ran some speed tests and found that when the traffic goes through the ACP of the FTD our speeds are severely limited. If I set up a fastpath rule, our VPN speeds are what they should be based on the RA's ISP. I.e., when I do a speed test from my AnyConnect session I get a flat line speed of 6Mbps without the fastpath rule. With the fastpath rule in place I get speeds of 24Mbps. I've tried changing the ACP rule to "trust" and turning off file and IPS inspection but I get the same results. Only fastpathing the traffic gets me the speed I would expect. All traffic is tunneled to the ASA and so goes through the FTD. Running FTD 6.4.0.9. Any suggestions would be greatly appreciated.&lt;/P&gt;</description>
      <pubDate>Fri, 27 Nov 2020 19:11:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-performance-issue/m-p/4189848#M1076194</guid>
      <dc:creator>scruse</dc:creator>
      <dc:date>2020-11-27T19:11:25Z</dc:date>
    </item>
    <item>
      <title>Re: FTD performance issue</title>
      <link>https://community.cisco.com/t5/network-security/ftd-performance-issue/m-p/4190032#M1076207</link>
      <description>&lt;P&gt;A single flow (that is not otherwise fastpathed via a prefilter rule) will always be processed by a single Snort instance. That will limit the throughput of that single flow and not give a true indicator of the overall device performance which is comprised of multiple flows for multiple users and devices.&lt;/P&gt;</description>
      <pubDate>Sat, 28 Nov 2020 11:33:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-performance-issue/m-p/4190032#M1076207</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2020-11-28T11:33:49Z</dc:date>
    </item>
  </channel>
</rss>

