topic If've already looked over the in Network Security

ASA 5506-X performance experiences

ammann9113 — Tue, 12 Mar 2019 08:24:57 GMT

Hello everyone!

I'm thinking about getting myself a 5506-X for home use. I know it might be overkill to some degree, expensive and so on... and to be honest, it really isn't necessary, but I like to play around and some educational purposes play a part to. So, this is not the kind of discussion I am interested in right now... 🙂 Just so you know, I am fairly experienced and I think of myself that I know what I am doing 😉

Anyway, enough with the unnecessary chit-chat... what holds me back right now is my current "unknowing" of what throughput the 5506-X is capable of. I know there is a data sheet with pretty numbers in it, but that's not what I am interested in. I want to know, what numbers I could really expect. Some "real-life" experiences...

I am aware that this heavily depends on what features are activated... so what would the range be, coming from fort knox (everything on) to just waving at passerbys (everything off)? Although it's a little bit expensive (if I am understanding the licensing correctly) I would be playing around with that fancy FirePOWER stuff to some point.

Another question I couldn't quite figure out myself is if the following scenario could be configured on the ASA; say we have a host X. Would it be possible to configure the ASA in a way that host X can load some files over port 80 without being bothered to much? Something like: traffic from host X over port 80 will not be inspected, hence more throughput for host X.

Any input will be appreciated! And of course, I am not expecting too much, since my questions aren't straight yes/no questions.

Be safe and have a nice evening 🙂

I know it might be overkill

Karsten Iwen — Tue, 18 Oct 2016 16:05:14 GMT

I know it might be overkill to some degree, expensive and so on... and to be honest, it really isn't necessary,

For sure it is! Every household should be protected by an ASA with FirePower or a Meraki MX! 😉

For the ASA, you can control which traffic gets sent to the FirePOWER module. Traffic that is not sent to FP is "only" inspected by the ASA which gives you a peak performance of about 750 MBit/s.

For all traffic that is inspected with FirePOWER, expect a performance between 30 and 100 MBit/s, depending on which services you activate.

Thanks, that's a great answer

ammann9113 — Tue, 18 Oct 2016 18:07:31 GMT

Thanks, that's a great answer 🙂

I'm planning on getting 500/50 MBit/s internet and it would kinda make me sad if my joy for the ASA would detain my speed-wise needs... and of course this needs are only for the occasional download so the probably 100 MBit/s will be fine for anything else.

I have two follow-up questions, if you would be so kind (and able..):

- If I get the ASA with security plus license, I still need to add a FirePOWER license right? And if I researched correctly, this would cost me about 150$ a year (for the "basic" FirePOWER lic)?

- What's up with this whole Meraki stuff? To be honest, I didn't really hear/read about it until a few days ago... cloud managed, ok... well this only really comes into play if you have a lot of those right? Is it worth thinking about getting any same level Meraki device instead of the 5506-X?

Thanks again and have a nice evening!

Differently to the old 5505,

Karsten Iwen — Tue, 18 Oct 2016 19:27:46 GMT

Differently to the old 5505, SecPlus is not often needed on the 5506-X as the 5506-X doesn't have the same limitations:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-license.html#concept_6FA65A78F1FF4CF4947EEF7AC74956C0

FirePower is always licensed in addition to the base ASA. There are different license with different features like IPS, URL-Filtering and AMP. What is this $150-license? I only know more expensive licenses ...

Meraki? Well, It's a little bit like networking really should be. It's by far not as flexible as the regular Cisco-stuff, but I assume that it's the better solution for most companies. It's much easier to manage and there is also less possibility to configure it wrong. (Minimum 70% of all ASAs I see at customers have a really bad config and are not well managed; that can all be done better with Meraki). Perhaps you qualify for a free AP when you attend a webinar: https://meraki.cisco.com/de/freeap/

If've already looked over the

ammann9113 — Wed, 19 Oct 2016 08:16:08 GMT

If've already looked over the limitations and there's only one thing that really bugs me. That is the 5 VLAN limit. To be honest, I can get a pretty good deal on the Sec Plus ASA so I think I'll just go for it...

Well yes, the 150$ is a little bit understated.. I would need, just for example, the "L-ASA5506-TAM-1Y" right? This would cost me around 250$/year?

Thanks for the link.. I'm not sure if I qualify since my employer is a Cisco reseller. Does the reseller part only include Meraki stuff or Cisco in general? If only Meraki is included I should qualify.

hi karsten,

johnlloyd_13 — Wed, 19 Oct 2016 08:26:35 GMT

hi karsten,

i'm about to get my free meraki AP as well 🙂

i've got a meraki ap/site deployment soon.

but i'm choosing between that and the 'free trial' option.

which one is better?

I have exactly the same issue

Boudewijn Plomp — Fri, 21 Oct 2016 22:15:21 GMT

I have exactly the same issue and are wondering about the performance.

I have a 500/500Mbps glass fiber internet connection, connected through 1GbE; I get around 530/530Mbps on a speedtest. I want to buy an ASA 5506-X. I'm not planning to use the FirePOWER services. I wonder if it can handle 500/500Mbps throughput.

Did you buy the 5506-X already? If so, what is your experience?

Unfortunately, I did not.

ammann9113 — Mon, 24 Oct 2016 07:01:26 GMT

Unfortunately, I did not. Altough I am going to order the ASA in the next few days, I guess it will take a few weeks until I have it up and running.

Anyway, I will post my findings here as soon as possible.

Rackmount Kit for Cisco ASA

livetech2006 — Sun, 30 Oct 2016 04:55:31 GMT

Rackmount Kit for Cisco ASA 5506 – CisRack RM-CI-T2

US Distributed by Live-Tech

https://www.mylive-tech.com/store/networking/networking-rackmount/rackmount-kit-for-cisco-asa-5506-cisrack-rm-ci-t2/

quick update for anybody that

ammann9113 — Wed, 16 Nov 2016 19:35:31 GMT

quick update for anybody that might be interested:

i can get (probably as expected) my full 500mbit down-speed through the ASA. currently there are just a few access rules, nothing heavy... unfortunately i do not have the equipment to test the peak throughput as i am currently just using one notebook and don't have anything else... anyway, i'll be doing this probably somewhen in the next 1-2 weeks.

also the whole FirePOWER stuff... 🙂 i'll post anything as soon as i get to it.

I have been putting 1gig

rasmus.elmholt — Sat, 19 Nov 2016 03:59:14 GMT

I have been putting 1gig through the 5506 without problems in a test setup. i tested with a filetransfer from one computer to another in different zones. But I have not stress tested it with max connection, because it is only used in a SOHO environment.

With basic config: NAT, FW, Inspection

Thanks for sharing. The only

Boudewijn Plomp — Sat, 19 Nov 2016 09:50:43 GMT

Thank you for sharing. The only thing is; a file transer is not a valid test at all. If you re-try a file transfer it is cached and it looks like you get full speed, while in fact it doesn't.

The best test is to use something like IPERF on the source and destination. Run a performance test with multiple sessions at the same time.

I actually did the iperf test

rasmus.elmholt — Sat, 19 Nov 2016 11:47:07 GMT

I actually did the iperf test instead, and it showed me the 1gbit on 5 concurrent sessions i think. It was just easier to explain it as a file transfer here:)

Again this is only a couple of connections so it cant be compare to real-world enterprise traffic, but it shows something about the performance in a SOHO environment.

Did the Remote-Access VPN test as well, and got 110-120 mbit through. So agoin performance above the baseline.

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

All the tests i did resulted in a CPU increase, because everything is done in SW, Routing, NAT, VPN, SSL offloading.

40-60% for 1gbit TCP

70-80% for 110 mbit VPN

I tried the BlackNurse attack yesterday and did a test with 30mbit small UDP packets on random ports(both blocked and allowed) as well. It all resultet in defeat of the ASA during the test.

99% for 20mbit BlackNurse/UDP traffic

some more hints

HQuest — Fri, 22 Dec 2017 05:26:31 GMT

I know this is sort of late, but let me share some $.02.

I had a few issues with internal systems being accessed from the outside world. Turns out TAC told me”because you have absolutely everything configured and active, well over 10k active IDS rules, and you are also doing SSL inspection, your max throughout will be limited to less than 3Mbps”.

So watch out for the Fort Knox type of config. Looks great on paper but it can definitively hog your device to death.

I have balanced my rules to the point I have as much active and I can peak my 150Mbps up/down traffic with some spare change.

Enjoy your new toy 😉