yes, the Cisco Live with Andrew Ossipov does some clarification, the question is throughput per flow. So the box have a data-sheet throughput of 5 Gbps and 10Gbit NICs. When there is a service, eg a CIFS file service, when doing exact one transfer over the 5585-SSP20 what is the limit on the flow. 

I think the best answer we could get is from cisco tac.

Are you using the Firepower module? If so, the limiting factor will be that a given flow (5-tuple) is tied to a single Snort process. A Snort process is limited to something like 500 Mbps per instance.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html#anc6

No, without Firepower. Simple one TCP connection through ASA in the fastest path.

yes it will be in fastest path if it is in stateful inspection entry.

nice one Marvin thanks.

thank you, Marvin

We are opening up a Case with Cisco TAC shortly.  We did some performance testing on single nuttcp flows with the Cisco 5585-X and got limited to 2.9 Gb/s for a single TCP Flow.   Please advise on your reference on (non-Firepower).  We have Model ASA5585-SSP-60 running 9.8(4)40.   The SPEC sheet for the 5585-X is 20 Gbps for NON-VPN multi protocol for total throughput , so its odd that a single flow is limited to 2.9Gbps.

Thanks in advance.

As I noted in my posting from 30 January 2019, the expected maximum throughput for a single TCP session is 3-4 Gbps. So, if you are getting 2.9 Gbps, I wouldn't expect any more than that. The 20 Gbps number is the expected maximum across multiple sessions/flows, TCP and UDP, from multiple hosts to multiple hosts.

Marvin,

Thanks for the response on this.  The Cisco TAC didn't provide any definitive SPECS for the ASA 5585X-SSP-60 hardware yet.  However, we tested our new FPR9K with SM-56 which should be capable of 10 Gbps on single Flow and only got 6 Gbps.  On further review we found that the MSS without it being properly tuned/configured for Jumbo frames is limited to 1380 (1368).  By setting it on the FPR9k via the command: sysopt connection tcpmss 0, it allowed a higher MSS of 8948 to take advantage of our 9K Jumbo Frames MTU. We then got over 9 Gbps on the FPR9K.  Setting the same sysopt command on the 5585-X with SSP-60  it then boosted the single flow performance to 8 Gbps. All tested with the Nuttcp tool.  https://www.nuttcp.net/Welcome%20Page.html and Linux servers with 10Gb NICs.

V/R

Marvin,

Thanks for the response on this.  The Cisco TAC didn't provide any definitive SPECS for the ASA 5585X-SSP-60 hardware yet.  However, we tested our new FPR9K with SM-56 which should be capable of 10 Gbps on single Flow and only got 6 Gbps.  On further review we found that the MSS without it being properly tuned/configured for Jumbo frames is limited to 1380 (1368).  By setting it on the FPR9k via the command: sysopt connection tcpmss 0, it allowed a higher MSS of 8948 to take advantage of our 9K Jumbo Frames MTU. We then got over 9 Gbps on the FPR9K.  Setting the same sysopt command on the 5585-X with SSP-60  it then boosted the single flow performance to 8 Gbps. All tested with the Nuttcp tool.  https://www.nuttcp.net/Welcome%20Page.html and Linux servers with 10Gb NICs.

V/R