03-27-2019 08:49 AM
Hi,
We are considering increasing our provider bandwidth to 1 Gbps at one of our locations, but I'm not sure if our ASA 5516-X can even process that much. More specifically, I'm receiving conflicting reports about how much bandwidth an ASA 5516-X can handle. I see that it lists its max stateful inspection throughput as 1.8 Gbps, its stateful inspection throughput (multiprotocol) as 900 Mbps, its maximum application visibility and control (AVC) throughput as 850 Mbps, its maximum AVC and NGIPS throughput as 600 Mbps, its application control (AVC) or NGIPS sizing throughput [440 byte HTTP] as 500 Mbps, and its maximum 3DES/AES VPN throughput as 250 Mbps.
So which is it? What should be considered as the acceptable max capacity of an ASA 5516-x for an Internet circuit?
07-04-2019 07:30 PM
A 5516-X is at or beyond its ability to transfer traffic when you are expecting 1 Gbps throughput. Yes, you may attain it under certain conditions and without certain features active, but you probably will be frustrated if you expect that level of throughput consistently.
If you were my customer I'd recommend a higher-performing appliance. If you're able to wait a bit then the just-released Firepower 1120 would be a good option. It's FTD-only right now and ASA software support will be coming in the fall. 1.5 Gbps of throughput with all of the NGFW/NGIPS features active.
That said, the 5516-X will work OK - it just won't give you the maximum ability to fill your upgraded circuit.
07-04-2019 05:21 PM - edited 07-04-2019 05:22 PM
Hi,
It depends on what you will be using on the ASA. So for example, if your location will be using the ASA as a stateful firewall then you will be getting 900 Mbps - 1.8 Gbps, which will be fine.
If you enable IPS on all the traffic traversing the firewall then you can get throughput up to 600 Mbps overall.
And let's say you are using stateful inspection + IPS/AVC and decided to configure IPsec VPNs, then your non-VPN traffic will have a maximum throughput of up to 600 Mbps and VPN users will get 250 Mbps.
08-25-2022 08:01 AM
Hi Marvin,
Is it correct to say that we have a max throughput of 250 Mbps for a site to site VPN tunnel when using 5516-X?
thanks in advance for your response.
08-25-2022 08:13 AM
@ajc the Cisco datasheet confirms the ASA 5516 supports up to 250 Mbps IPsec VPN performance.
02-07-2023 05:52 PM
Hi Rob,
It is my understanding that Snort tech only applies to appliances running Firepower software, NOT ASA. We are running iPerf, which is considered an elephant flow, so a Firepower device would not apply all the Snort processes to that flow (meaning all the CPUs of the appliance, each one running 1 Snort process). So if the appliance is rated at 10 Gbps and it has 20 instances of Snort (CPUs) then there is a max throughput of 500 Mbps per Snort/CPU. In my case, iPerf would only use 1 Snort/CPU with a throughput of 500 Mbps, which is not enough.
Based on the previous, if I configure an FTDv50 or FTDv100 on VMware, can I use IAB or Access Control trust rules allowing those elephant flows to pass uninspected, and not be limited by the single Snort instance behavior? I also understand that this option does not apply to traffic over a site-to-site IPsec VPN tunnel using FTDv on both sides; please correct me, thanks.
02-08-2023 05:51 AM
@ajc not exactly. While you do bypass the Snort limitation when you use a prefilter rule (or potentially IAB), there is still an (unpublished) single-flow speed limit that any given firewall has. The published throughput specifications generally assume an aggregate of traffic across multiple flows.
02-08-2023 06:53 AM - edited 02-08-2023 06:55 AM
Thanks Marvin, the following link explains our situation, and we thought that access control rules or IAB would allow us to overcome the single-flow speed limit (one Snort-CPU correlation); however, based on your reply it is not the case.
Large flows (iPerf included) are often related to high-use, low-inspection-value traffic, for example backups, database replication, etc. Many of these applications cannot benefit from inspection. In order to avoid issues with large flows, you can identify the large flows and create Access Control trust rules for them. These rules are able to uniquely identify large flows, allow those flows to pass uninspected, and not be limited by the single Snort instance behavior.
02-08-2023 07:01 AM
You do indeed bypass the Snort single instance limitation as the document you cited describes.
But, even for a legacy ASA with no Snort at all, the throughput of a single flow does not equal the published throughput of the appliance. The same applies to an FTD appliance when Snort is altogether bypassed by a prefilter rule with Fastpath action. In that case it uses strictly the LINA subsystem (Linux on ASA) to process the flow.
02-08-2023 07:05 AM
Thanks for the clarification.
02-13-2023 01:16 PM
Hi Marvin,
For a legacy ASA with no Snort, what would be the throughput of a single flow? Thanks in advance for your reply.
02-14-2023 04:56 AM
Single flow throughput is not published by Cisco (nor by any firewall vendors as far as I know). If they did so, the competition would seize that figure to demonstrate their superiority (despite not publishing the figure themselves).