Hi Marvin,

Is it correct to say that we have a max throughput of 250 Mbps for a site to site VPN tunnel when using 5516-X?

thanks in advance for your response.

@ajc the cisco datasheet confirms the ASA 5516 supports up to 250Mbps IPSec VPN performance.

https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/datasheet-c78-742475.html

Hi Rob,

it is my understanding that SNORT tech only applies to appliances running firepower software NOT ASA. We are running IPerf which is considered an elephant flow so a firepower device would not apply all the snort processes to that flow (meaning all the CPU of the apppliance each one running 1 snort process). So if the appliance is rated at 10 Gbps and it has 20 instances of snort (CPU's) then there is a max throughput of 500 Mbps x snort/cpu. In my case, IPerf would only use 1 snort/cpu with a throughput of 500 Mbps which is not enough.

Based on the previous, IF i configure a FTDv50 or FTDv100 VMware, can I use IAB or Access Control trust rules allowing those elephant flows to pass uninspected, and not to be limited by the single snort instance behavior?. I also understand that this option does not apply to traffic over a Site to Site IPSEC VPN tunnel using FTDv on both sides, please correct me, thanks

@ajc not exactly. While you do bypass the Snort limitation when you use a prefilter rule (or potentially IAB), there is still an (unpublished) single flow speed limit that any given firewall has. The published throughput specification generally assume an aggregate of traffic across multiple flows.

Thanks Marvin, the following link explain our situation and we thought that access control rules or IAB would allow us to overcome the single flow speed limit (one snort-cpu correlation) however based in your reply it is not the case.

Process Single Stream Large Session (Elephant Flow) by Firepower Services - Cisco

Identify and Trust Large Flows

Large flows (IPerf included) are often related to high use low inspection value traffic for example, backups, database replication, etc. Many of these applications can not be benefited from inspection. In order to avoid issues with large flows, you can identify the large flows and create Access Control trust rules for them. These rules are able to uniquely identify large flows, allow those flows to pass uninspected, and not to be limited by the single snort instance behavior.

You do indeed bypass the Snort single instance limitation as the document you cited describes.

But, even for a legacy ASA with no Snort at all, the throughput of a single flow does not equal the published throughput of the appliance. The same applies to an FTD appliance when Snort is altogether bypassed by a prefilter rule with Fastpath action. In that case it uses strictly the LINA subsystem (Linux on ASA) to process the flow.

thanks for the clarification.

Hi Marvin, 

For a legacy ASA with no snort, what would be the throughput of a single flow? thanks in advance for your reply.

Single flow throughput is not published by Cisco (nor by any firewall vendors as far as I know). If they did so, the competition would seize that figure to demonstrate their superiority (despite not publishing the figure themselves).