topic Re: ASA 5516-x Maximum Thoroughput in Network Security

ASA 5516-x Maximum Thoroughput

macgyver0099_1 — Wed, 27 Mar 2019 15:49:59 GMT

Hi,

We are considering increasing our provider bandwidth to 1Gbps at one of our locations, but I'm not sure if our ASA 5516-x can even process that much. More specifically, I'm receiving conflicting reports about how much bandwidth an ASA 5516-x can handle. I see that it lists its max stateful inspection throughput as 1.8Gpbs, its Stateful inspection throughput (multiprotocol2) as 900 Mbps, its Maximum application visibility and control (AVC) throughput as 850 Mbps, its Maximum AVC and NGIPS throughput as 600Mbps, its Application control (AVC) or NGIPS sizing throughput [440 byte HTTP] as 500 Mbps, and its Maximum 3DES/AES VPN throughput as 250Mbps.

So which is it? What should be considered as the acceptable max capacity of an ASA 5516-x for an Internet circuit?

Re: ASA 5516-x Maximum Thoroughput

Muhammad Awais Khan — Fri, 05 Jul 2019 00:22:20 GMT

Hi,

It depends what you will be using on the ASA. So for example, if your location will be using ASA as state-full firewall then you will be getting 900 Mbps - 1.8 Gbps which will be fine.

If you enable IPS on all the traffic traversing the firewall then you can get throughput upto 600 Mbps overall.

And lets say, you are using Statefull inspection + IPS/AVC and decided to configure IPSEC VPNs, then your non-VPN traffic will be having maximum throughput support upto 600 and VPN users will be 250 Mbps.

Re: ASA 5516-x Maximum Thoroughput

Marvin Rhoads — Fri, 05 Jul 2019 02:30:05 GMT

A 5516-X is at or beyond its ability to transfer traffic when you are expecting 1 Gbps throughput. Yes, you may attain it under certain conditions and without certain features active, but you probably will be frustrated if you expect that level of throughput consistently.

If you were my customer I'd recommend you to a higher performing appliance. If you're able to wait a bit then the just-released Firepower 1120 would be a good option. It's FTD-only right now and ASA software support will be coming in the fall. 1.5 Gbps of throughput with all of the NGFW/NGIPS features active.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html

That said, the 5516-X will work OK - it just won't give you the maximum ability to fill your upgraded circuit.

Re: ASA 5516-x Maximum Thoroughput

ajc — Thu, 25 Aug 2022 15:01:35 GMT

Hi Marvin,

Is it correct to say that we have a max throughput of 250 Mbps for a site to site VPN tunnel when using 5516-X?

thanks in advance for your response.

Re: ASA 5516-x Maximum Thoroughput

Rob Ingram — Thu, 25 Aug 2022 15:13:35 GMT

@ajc the cisco datasheet confirms the ASA 5516 supports up to 250Mbps IPSec VPN performance.

https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/datasheet-c78-742475.html

Re: ASA 5516-x Maximum Thoroughput

ajc — Wed, 08 Feb 2023 01:52:28 GMT

Hi Rob,

it is my understanding that SNORT tech only applies to appliances running firepower software NOT ASA. We are running IPerf which is considered an elephant flow so a firepower device would not apply all the snort processes to that flow (meaning all the CPU of the apppliance each one running 1 snort process). So if the appliance is rated at 10 Gbps and it has 20 instances of snort (CPU's) then there is a max throughput of 500 Mbps x snort/cpu. In my case, IPerf would only use 1 snort/cpu with a throughput of 500 Mbps which is not enough.

Based on the previous, IF i configure a FTDv50 or FTDv100 VMware, can I use IAB or Access Control trust rules allowing those elephant flows to pass uninspected, and not to be limited by the single snort instance behavior?. I also understand that this option does not apply to traffic over a Site to Site IPSEC VPN tunnel using FTDv on both sides, please correct me, thanks

Re: ASA 5516-x Maximum Thoroughput

Marvin Rhoads — Wed, 08 Feb 2023 13:51:57 GMT

@ajc not exactly. While you do bypass the Snort limitation when you use a prefilter rule (or potentially IAB), there is still an (unpublished) single flow speed limit that any given firewall has. The published throughput specification generally assume an aggregate of traffic across multiple flows.

Re: ASA 5516-x Maximum Thoroughput

ajc — Wed, 08 Feb 2023 14:55:58 GMT

Thanks Marvin, the following link explain our situation and we thought that access control rules or IAB would allow us to overcome the single flow speed limit (one snort-cpu correlation) however based in your reply it is not the case.

Process Single Stream Large Session (Elephant Flow) by Firepower Services - Cisco

Identify and Trust Large Flows

Large flows (IPerf included) are often related to high use low inspection value traffic for example, backups, database replication, etc. Many of these applications can not be benefited from inspection. In order to avoid issues with large flows, you can identify the large flows and create Access Control trust rules for them. These rules are able to uniquely identify large flows, allow those flows to pass uninspected, and not to be limited by the single snort instance behavior.

Re: ASA 5516-x Maximum Thoroughput

Marvin Rhoads — Wed, 08 Feb 2023 15:01:40 GMT

You do indeed bypass the Snort single instance limitation as the document you cited describes.

But, even for a legacy ASA with no Snort at all, the throughput of a single flow does not equal the published throughput of the appliance. The same applies to an FTD appliance when Snort is altogether bypassed by a prefilter rule with Fastpath action. In that case it uses strictly the LINA subsystem (Linux on ASA) to process the flow.

Re: ASA 5516-x Maximum Thoroughput

ajc — Wed, 08 Feb 2023 15:05:41 GMT

thanks for the clarification.

Re: ASA 5516-x Maximum Thoroughput

ajc — Mon, 13 Feb 2023 21:16:49 GMT

Hi Marvin,

For a legacy ASA with no snort, what would be the throughput of a single flow? thanks in advance for your reply.

Re: ASA 5516-x Maximum Thoroughput

Marvin Rhoads — Tue, 14 Feb 2023 12:56:34 GMT

Single flow throughput is not published by Cisco (nor by any firewall vendors as far as I know). If they did so, the competition would seize that figure to demonstrate their superiority (despite not publishing the figure themselves).