
ASA 5520 real world performances

pascalfr0
Level 1

Hi,

I just got a new job, and inherited a network architecture where ASA5520s are facing the Internet.

Network load is very low for now (<10M), but could increase a lot as we will host a new application that will be accessed by many new customers (I asked for traffic projections, but still waiting for them...).

Anyway, I'm concerned about ASA5520 performance and I can't find any solid data about how these boxes behave under load:

- the datasheet says 450M of firewalling traffic under "optimal conditions" (I guess that means 1500B packets, no rules, no NAT, no IPS...),

- I found an old (2005) Miercom test; the test rates the ASA5520 at 200Mbps for 4k HTTP objects with antivirus "enabled" (not bad, but 4k HTTP objects mean a lot of 1500-byte packets...).

In our configuration, the ASAs NAT all incoming traffic from the Internet (destination NAT: they replace the public destination addresses of incoming datagrams with the private addresses of DMZ/internal load balancers). We have only a few, very simple, ACLs. Incoming traffic is http/https only.

For now, I did some quick math based on the datasheet specs:

- 450M w/1500B packets -> around 100M w/IMIX packets (IMIX average packet size = 380B L1).

So, I assumed 5520 should be able to sustain 100Mb/s of incoming traffic in our configuration. I didn't take NAT into account (though I fear it could decrease perfs further...).

I don't know whether the ASA5520 is a CPU-based platform or an ASIC-based platform (AFAIK ASIC platforms should be little affected by packet size or basic security processing such as NAT, while CPU-based platforms could suffer a lot with smaller packets or any kind of processing requiring packet rewriting).

Does it feel safe to consider this platform as a 100M box in my environment?

Does anyone have experience with this platform and the traffic it can really sustain?

2 Replies

Hi there,

We have an ASA 5510 and its throughput in the datasheet is 300 Mbit if I remember correctly. Behind the firewall are: up to 300 users (many with their own WiFi devices), a dozen servers with different VMs, a few S2S VPNs, RA VPN for teleworkers, around a hundred ACL lines and NAT rules, and the ASA is performing pretty well - near 50-60% of RAM and CPU. The peak throughput was 250-260 Mbit with a growing number of packet drops at the interfaces.

Hope this information will be useful to you.

Hello,

My 2 cents... You also need to consider your Internet bandwidth and the simultaneous connections that will be established to your new application from outside. Even the 5510 works well for 100Meg. As long as the other factors are addressed, the 5520 sounds sufficient for your requirement.

hth

MS 
