https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3790160#M7457 <P>yes it will be in fastest path if it is in stateful inspection entry.</P> Tue, 29 Jan 2019 09:09:46 GMT Sheraz.Salim 2019-01-29T09:09:46Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3789287#M7434 <P>Hello,</P> <P>&nbsp;</P> <P>what ist the throughput per <SPAN>throughput</SPAN> on multicore ASA</P> <P>Cisco ASA ASA5585-SSP-20 1 CPU 8 Core</P> <P>when using 10Gbit NICs ? Each flow is handled by one core. Is there a limit per core ?</P> <P>&nbsp;</P> <P>thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 16:42:36 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3789287#M7434 kerstin-534 2020-02-21T16:42:36Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3789307#M7439 <P>the max throughput for ASA 5585 SSP40 is 20Gbps</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BLOCK_DIAGRAM1.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/28832i271CB212EB99DC68/image-size/large?v=v2&amp;px=999" role="button" title="BLOCK_DIAGRAM1.PNG" alt="BLOCK_DIAGRAM1.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BLOCK_DIAGRAM2.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/28833i538C379689A958BD/image-size/large?v=v2&amp;px=999" role="button" title="BLOCK_DIAGRAM2.PNG" alt="BLOCK_DIAGRAM2.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BLOCK_DIAGRAM3.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/28834iA98D4A29ABDC3242/image-size/large?v=v2&amp;px=999" role="button" title="BLOCK_DIAGRAM3.PNG" alt="BLOCK_DIAGRAM3.PNG" /></span></P><P><STRONG>&nbsp;</STRONG></P><P><STRONG>Andrew Ossipov did a cisco live have a look BRKSEC-3021</STRONG></P> Mon, 28 Jan 2019 11:54:44 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3789307#M7439 Sheraz.Salim 2019-01-28T11:54:44Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3789325#M7444 <P>yes, the Cisco Live with<STRONG>&nbsp;</STRONG>Andrew Ossipov does some clarification, the question is throughput per flow. So the box have a data-sheet throughput of 5 Gbps and 10Gbit NICs. When there is a service, eg a CIFS file service, when doing exact one transfer over the 5585-SSP20 what is the limit on the flow.&nbsp;</P> Mon, 28 Jan 2019 12:25:39 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3789325#M7444 kerstin-534 2019-01-28T12:25:39Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3789333#M7449 <P>I think the best answer we could get is from cisco tac.</P> Mon, 28 Jan 2019 12:39:27 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3789333#M7449 Sheraz.Salim 2019-01-28T12:39:27Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3789626#M7451 <P>Are you using the Firepower module? If so, the limiting factor will be that a given flow (5-tuple) is tied to a single Snort process.&nbsp;A Snort process is limited to something like 500 Mbps per instance.</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html#anc6" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html#anc6</A></P> Mon, 28 Jan 2019 17:30:49 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3789626#M7451 Marvin Rhoads 2019-01-28T17:30:49Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3790138#M7454 <P>No, without Firepower. Simple one TCP connection through ASA in the fastest path.</P> Tue, 29 Jan 2019 08:41:25 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3790138#M7454 kerstin-534 2019-01-29T08:41:25Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3790160#M7457 <P>yes it will be in fastest path if it is in stateful inspection entry.</P> Tue, 29 Jan 2019 09:09:46 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3790160#M7457 Sheraz.Salim 2019-01-29T09:09:46Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3791056#M7459 <P>I asked Andrew Ossipov directly at Cisco Live Barcelona today.</P> <P>&nbsp;</P> <P>He told me that on an ASA 5585-X (non-Firepower), the single flow throughput limit is 3-4 Gbps (TCP) or 6-8 Gbps (UDP).</P> Wed, 30 Jan 2019 10:25:31 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3791056#M7459 Marvin Rhoads 2019-01-30T10:25:31Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3791057#M7460 <P>nice one Marvin thanks.</P> Wed, 30 Jan 2019 10:26:20 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3791057#M7460 Sheraz.Salim 2019-01-30T10:26:20Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3791069#M7463 <P>thank you, Marvin</P> Wed, 30 Jan 2019 10:36:37 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/3791069#M7463 kerstin-534 2019-01-30T10:36:37Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/4557630#M1087603 <P>We are opening up a Case with Cisco TAC shortly.&nbsp; We did some performance testing on single nuttcp flows with the Cisco 5585-X and got limited to 2.9 Gb/s for a single TCP Flow.&nbsp;&nbsp; Please advise on your reference on (non-Firepower).&nbsp; We have Model ASA5585-SSP-60 running 9.8(4)40.&nbsp;&nbsp; The SPEC sheet for the 5585-X is 20 Gbps for NON-VPN multi protocol for total throughput , so its odd that a single flow is limited to 2.9Gbps.</P><P>&nbsp;</P><P>Thanks in advance.</P><P>&nbsp;</P> Tue, 22 Feb 2022 22:04:18 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/4557630#M1087603 netadmin4 2022-02-22T22:04:18Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/4557755#M1087606 <P>As I noted in my posting from 30 January 2019, the expected maximum throughput for a single TCP session is 3-4 Gbps. So, if you are getting 2.9 Gbps, I wouldn't expect any more than that. The 20 Gbps number is the expected maximum across multiple sessions/flows, TCP and UDP, from multiple hosts to multiple hosts.</P> Wed, 23 Feb 2022 07:13:09 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/4557755#M1087606 Marvin Rhoads 2022-02-23T07:13:09Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/4560800#M1087761 <P>Marvin,</P><P>&nbsp;</P><P>Thanks for the response on this.&nbsp; The Cisco TAC didn't provide any definitive SPECS for the ASA 5585X-SSP-60 hardware yet.&nbsp; However, we tested our new FPR9K with SM-56 which should be capable of 10 Gbps on single Flow and only got 6 Gbps.&nbsp; On further review we found that the MSS without it being properly tuned/configured for Jumbo frames is limited to 1380 (1368).&nbsp; By setting it on the FPR9k via the command: sysopt connection tcpmss 0, it allowed a higher MSS of 8948 to take advantage of our 9K Jumbo Frames MTU. We then got over 9 Gbps on the FPR9K.&nbsp; Setting the same sysopt command on the 5585-X with SSP-60&nbsp; it then boosted the single flow performance to 8 Gbps. All tested with the Nuttcp tool.&nbsp; <A href="https://www.nuttcp.net/Welcome%20Page.html" target="_blank">https://www.nuttcp.net/Welcome%20Page.html</A> and Linux servers with 10Gb NICs.</P><P>&nbsp;</P><P>V/R</P><P>&nbsp;</P> Mon, 28 Feb 2022 15:30:05 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/4560800#M1087761 netadmin4 2022-02-28T15:30:05Z https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/4560801#M1087762 <P>Marvin,</P><P>&nbsp;</P><P>Thanks for the response on this.&nbsp; The Cisco TAC didn't provide any definitive SPECS for the ASA 5585X-SSP-60 hardware yet.&nbsp; However, we tested our new FPR9K with SM-56 which should be capable of 10 Gbps on single Flow and only got 6 Gbps.&nbsp; On further review we found that the MSS without it being properly tuned/configured for Jumbo frames is limited to 1380 (1368).&nbsp; By setting it on the FPR9k via the command: sysopt connection tcpmss 0, it allowed a higher MSS of 8948 to take advantage of our 9K Jumbo Frames MTU. We then got over 9 Gbps on the FPR9K.&nbsp; Setting the same sysopt command on the 5585-X with SSP-60&nbsp; it then boosted the single flow performance to 8 Gbps. All tested with the Nuttcp tool.&nbsp; <A href="https://www.nuttcp.net/Welcome%20Page.html" target="_blank" rel="nofollow noopener noreferrer">https://www.nuttcp.net/Welcome%20Page.html</A> and Linux servers with 10Gb NICs.</P><P>&nbsp;</P><P>V/R</P> Mon, 28 Feb 2022 15:30:51 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower-throughput-per-flow/m-p/4560801#M1087762 netadmin4 2022-02-28T15:30:51Z