Cisco Community
English
Register
LEARN MORE about Cisco's cybersecurity announcements this week
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


372
Views
0
Helpful
11
Replies
AlexanderVotteler
AlexanderVotteler Beginner
Beginner
‎11-14-2019 01:10 PM
‎11-14-2019 01:10 PM

ASR 1001-X ZBF: low throughput

I configured the zone based firewall and the rules seem to work fine. However, the speeds are really bad. Even when just using pass actions it only reaches 1.5 Gbit/s (with the firewall turned off it reaches 9-10 Gbit/s).

This even happens with very minimal ZBF config. There is an VM-Host connected to the first 10GE interface, the VMs reach 10 Gbit/s when using iperf without ZBF active, after enabling they slow down.

class-map type inspect match-any cmap--test
 match protocol tcp
 match protocol udp
!
policy-map type inspect pmap--test
 class type inspect cmap--test
  inspect
 class class-default
  drop
!
zone security test-in
zone security test-out
zone-pair security in-to-out source test-in destination test-out
 service-policy type inspect pmap--test
!
interface TenGigabitEthernet0/0/0.1
 encapsulation dot1Q 1000
 ip address 192.168.1.1 255.255.255.192
 zone-member security test-in
!
interface TenGigabitEthernet0/0/0.2
 encapsulation dot1Q 2000
 ip address 192.168.0.1 255.255.255.0
 zone-member security test-out

Is there any way to improve ZBF performance?

Labels:
0 Helpful
Reply
11 REPLIES 11
Sheraz.Salim
Sheraz.Salim Rising star
Rising star
‎11-14-2019 01:48 PM
‎11-14-2019 01:48 PM

Re: ASR 1001-X ZBF: low throughput

configuration look good. what image you running on this box?

please do not forget to rate.
0 Helpful
Reply
AlexanderVotteler
AlexanderVotteler Beginner
Beginner
‎11-14-2019 02:03 PM
‎11-14-2019 02:03 PM

Re: ASR 1001-X ZBF: low throughput

I am running asr1001x-universalk9.16.09.04.SPA.bin.

I have AES, 20GE throughput, and 10GE port licenses activated.

0 Helpful
Reply
Leo Laohoo
Hall of Fame Community Legend Leo Laohoo Hall of Fame Community Legend
Hall of Fame Community Legend
‎11-14-2019 02:58 PM
‎11-14-2019 02:58 PM

Re: ASR 1001-X ZBF: low throughput

16.9.4?
In a Notepad, post the complete output to the command "sh license feature" and attach the file.
0 Helpful
Reply
AlexanderVotteler
AlexanderVotteler Beginner
Beginner
‎11-15-2019 12:14 AM
‎11-15-2019 12:14 AM

Re: ASR 1001-X ZBF: low throughput

Yes, it is version 16.9.4. I have attached the output of "sh license feature".

0 Helpful
Reply
Leo Laohoo
Hall of Fame Community Legend Leo Laohoo Hall of Fame Community Legend
Hall of Fame Community Legend
‎11-15-2019 04:38 AM
‎11-15-2019 04:38 AM

Re: ASR 1001-X ZBF: low throughput

@AlexanderVotteler wrote:
firewall                 no           no          no             no       no

What happens if the FW license is enabled?  

0 Helpful
Reply
AlexanderVotteler
AlexanderVotteler Beginner
Beginner
‎11-15-2019 04:50 AM
‎11-15-2019 04:50 AM

Re: ASR 1001-X ZBF: low throughput

What is the command to activate this license?
0 Helpful
Reply
Leo Laohoo
Hall of Fame Community Legend Leo Laohoo Hall of Fame Community Legend
Hall of Fame Community Legend
‎11-15-2019 05:02 AM
‎11-15-2019 05:02 AM

Re: ASR 1001-X ZBF: low throughput

@AlexanderVotteler wrote:
What is the command to activate this license?

NOTE:  Router is running 16.9.X and this equates to Smart Licensing. 

Read this:  Configuring a Cisco Right-To-Use License

You need to activate the evaluation license for the "firewall" feature 

license boot level firewall

and accept the EULA

license accept end user agreement

.  

0 Helpful
Reply
AlexanderVotteler
AlexanderVotteler Beginner
Beginner
‎11-15-2019 05:30 AM
‎11-15-2019 05:30 AM

Re: ASR 1001-X ZBF: low throughput

The command

license boot level firewall

 is not available on my machine. Does Smart licensing imply I won't be able to activate this license unless activating smart licensing? Should I downgrade to 16.6.X allow activating without smart licensing?

Thanks for your help!

0 Helpful
Reply
AlexanderVotteler
AlexanderVotteler Beginner
Beginner
‎11-15-2019 12:35 PM
‎11-15-2019 12:35 PM

Re: ASR 1001-X ZBF: low throughput

I just did some more testing. Using iperf3 a single connection cannot reach more than 1.5 Gbit/s while ZBF is turned on. However, I can start 3 sessions and each of the go above 1 Gbit. It seems single connections are limited, is there a workaround for this issue?

0 Helpful
Reply
Leo Laohoo
Hall of Fame Community Legend Leo Laohoo Hall of Fame Community Legend
Hall of Fame Community Legend
‎11-15-2019 03:14 PM
‎11-15-2019 03:14 PM

Re: ASR 1001-X ZBF: low throughput

Try downgrading to 16.6.X and see if you can enable the eval firewall license.
0 Helpful
Reply
AlexanderVotteler
AlexanderVotteler Beginner
Beginner
‎11-22-2019 10:46 AM
‎11-22-2019 10:46 AM

Re: ASR 1001-X ZBF: low throughput

Downgrading doesn't help as well. The command stays unavailable.

I do not think this is a supported command since the configuration guide you mentioned does only say adventerprise, advipservices and ipbase license levels can be activated.

0 Helpful
Reply
Latest Contents
How to find/get the registration key from FTD
Created by Eahwar34 on 12-06-2019 03:14 AM
0
0
0
0
We are in need of finding registration key used for our FTD , unfortunately we have forget the key and also it is encrypted . How to find the key from FTD ?
ISE My Devices & Sponsor Portal as a User Change Password Po...
Created by Jason Kunst on 12-05-2019 10:24 AM
0
0
0
0
This is to address those customers coming to ISE from ACS or new to ISE that need a password change portal (UCP) What are the licensing requirements for this solution? My Devices - For using the password change with My Devices you need plus licenses as ... view more
WHITEPAPER - Firepower Threat Defense Cloud Management with ...
Created by Marvin Rhoads on 11-29-2019 07:57 PM
0
10
0
10
  Overview   In this paper we will document the configuration and operation of an integrated solution that includes identity management, firewall, cloud-based management, and cloud-based logging. We will use the following Cisco products: Fu... view more
How Does Cisco Defense Orchestrator Manage Firepower Threat ...
Created by suhegade on 11-26-2019 09:06 PM
0
0
0
0
These days everything is in the cloud. We all know that Cisco Firepower Threat Defense (FTD) is a unified software image, which includes the Cisco ASA features and FirePOWER Services. Using Cisco Defense Orchestrator (CDO), you can manage physical or virt... view more
How Does Cisco Defense Orchestrator Manage Adaptive Security...
Created by suhegade on 11-26-2019 09:03 PM
0
10
0
10
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that provides a simple, consistent, and highly secure way of managing security policies on all your ASA devices. CDO helps you optimize your ASA environment by identifying problems wi... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
FusionCharts will render here