topic It's through the FirePower in Network Security

ASA 5555 & FirePOWER

afischer — Tue, 12 Mar 2019 07:53:55 GMT

We have an ASA 5555 with 16Gb Ram, 1 CPU, 8 cores. We are on Software Version 9.5(2). We have a 1Gb connection to the Internet. Every time we turn on File Inspection, it crashes our network. We can run a speed test and we are getting upload and download speeds of less than 5Mb on a 1Gb connection. This was a Cisco recommended configuration but it clearly does not work as demonstrated. We haven't gotten any good help from TAC other than to tell us to turn off file inspection. Has anyone else experienced this issue? Do you have any idea of what could fix this problem? We're getting no assistance from Cisco...

How are you trying to

Marvin Rhoads — Thu, 16 Jun 2016 18:18:42 GMT

How are you trying to implement file inspection?

i.e., In a service policy on the base ASA or are you asking about in the ASA FirePOWER service module

It's through the FirePower

afischer — Fri, 17 Jun 2016 19:17:57 GMT

It's through the FirePower service module which runs on a VM server. However, it maxes out the processors on the ASA and then the network comes to almost a total standstill. We've had a TAC case on it; they say the machine isn't big enough to handle file inspection. The last time we turned it on, it was only inspecting 4 files and it took it down. We're a public library with public computers and have high Internet usage. We really wanted this because people many times click on links that are harmful and they don't know it or they do it intentionally.

So you're using a file

Marvin Rhoads — Wed, 22 Jun 2016 04:41:50 GMT

So you're using a file inspection policy with the AMP license?

What sort of throughout are you typically pushing?

Have you excluded zip files from the file inspection policy?

The 5555-X is a pretty capable box but AMP is the most resource-intensive feature of the FirePOWER module. That said, it should still be usable under any load conditions that are within the design spec.

Hello Team,

Jetsy Mathew — Wed, 22 Jun 2016 05:43:52 GMT

Hello Team,

As Marvin said file inspection will take more intensive resources to work with that feature. But if you already provided the enough resources in the device , it should not be a problem. We can also perform some fine tuning in this. We should have a look at your policy and check if there is anything that overloads the system by consuming all available resources. What are the versions involved here ? Is there any specific reason or bug identified by Cisco TAC due to which they have requested you to turn off the file inspection.

Regards

jetsy

I agree that file inspection

afischer — Wed, 22 Jun 2016 13:14:54 GMT

I agree that file inspection is intensive but the box was undersized. We have a 1Gb connection to the Internet. Turning off file inspection lets everything else work but when that is part of the reason you bought the product, that isn't an acceptable solution. The 5555 is going to now be replaced with a 4110. Hopefully that will allow us to use the device the way it was demonstrated when it was sold to us.

Anne