cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2071
Views
0
Helpful
5
Replies

Maximum sessions ASA 5585-X CX SSP-10

samuelsancho
Level 1
Level 1

Hi, I've a doubt about the maximum concurrent connections in ASA 5585-X with SSP10 CX module, from data sheet it seems that:

-ASA 5585-X --> maximum concurrent connections 1.000.000

-ASA 5585-X CX SSP-10 with 8GE, DES --> maximum concurrent sessions 500.000

BUT, what if I don't send all sessions to CX module??, could I use  more than 500.000 concurrent sessions in ASA 5585-X whenever SSP-10 module doesn't exceed 500.000??


Thanks in advance

Samuel

5 Replies 5

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Sadly I don't remember what was mentioned about this at Cisco Live! 2013 London. I seem to recal that they mentioned that this wouldnt be a problem but as I said I'm not 100% sure on this.

The only thing related to this that I found on Cisco site with a fast look was this in the Q&A section.

Performance

Q. How about performance? Will the CX blade slow down my ASA firewall?

A. As with any device performing deep packet inspection, performance will  be lower than with devices that only route traffic or perform stateful  inspection. However, all ASA CX devices will provide gigabit and  multigigabit throughput levels. Unlike competitive offerings, which  require application control to be continuously active for all the  traffic, ASA CX does not create any such restriction. Administrators can  determine which traffic will be inspected by ASA CX, and continue to  use Layer 3/Layer 4 rules where deep packet inspection is not required.  This capability provides the flexibility for servers requiring  low-latency performance to be exempted from deep packet inspection and  still benefit from ASA stateful inspection. As a result, much more  efficient and higher-performance firewalling is possible, compared with  only creating application-based rules.

We will be having some people on a course related to this in the next week and I will be seing a Cisco employee about the ASA CX later this month.

- Jouni

Thank you Jouni. Your anwser helps me and It will be very useful for me if you have more information regarding this question.

Best Regards

Samuel

Update:

I made a question last week to people from Cisco, and they confirm that whenever you don't exceed the 500.000 connections in ASA CX module you can have more than 500.000 connections in ASA module.

I'm not totally sure but this was the answer.

Regards

Samuel

Hi,

Sorry Samuel,

I forgot to answer this after the meeting with Cisco.

The answer I got was that if you have a configuration that forwards some certain networks traffic to the ASA CX and the ASA CX connection limit is reached THEN new connections simply wont be passed. There doesnt seem to be any mechanism that would automatically let traffic pass without going to CX if its connection limit is hit.

I was told that basicly to avoid these situations you would have to manually limit the traffic assigned to the ASA CX so that it wouldnt reach its concurrent connection limit.

I am not sure if this will be something that will be changed. To be honest I cant give any answers myself since I'm still waiting for the first ASA CX so I can start playing around with its configurations

- Jouni

Thanks Jouni.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: