ASA 5525-X SFR / Firepower ver 6.0 Performance Impact

Hi Guys

Has anyone experienced any performance impact by redirecting traffic to SFR module ver 6.0? 

I have two ASA5525-X running SFR version 6.0.0 connected to DC firesight ver 6.0, there is a 100Mb internet circuit on the firewall and not more than 50-80 users behind the firewall and some published online services in DMZ "e.g. Email,Web,etc."

We have and are using all the licenses (IPS, URL Filtering, AMP).

After redirecting traffic to the SFR module matching any traffic ("sfr fail-open"), all users are complaining about slow internet connection and delayed emails.

Speedtest shows 10 to 20 Mb download; when I remove the "sfr fail-open" command, boom, everything up/down goes back to 100 Mbps.

At first I had Inspection Policies applied to the rules, and when I removed them (no rule with inspection enabled) the performance issue was still there but the bandwidth issue was slightly better, so I also removed file policies and it's now around 30-40 Mbps.

Still not good enough, but at least email is working fast enough, and it's very clear that the SFR module is slowing down everything for inspection, even without any inspection and file policies (I still have some URL filtering and Application filtering ON).

As a test I applied the Inspection rule to just 1 machine and, guess what, same thing: even that machine gets almost nothing out of the available bandwidth at the outside interface of the firewall.

Any help or idea what is causing this and how to address would be highly appreciated.

Thanks

Shawn 
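The redirect described in the post matches any traffic, so every flow through the box (including DMZ server traffic that may never need inspection) is handed to the module. The following is an added example of how the same "sfr fail-open" redirect can be narrowed with an access-list on the ASA; it is not configuration from this thread or from Cisco documentation, and the object-group, access-list and class-map names, the subnets and the 203.0.113.10 host are constructed placeholders.

```cisco
! Added example, not the poster's configuration.
! Constructed sample subnets; replace with the real inside and DMZ networks.
object-group network INSIDE_USERS
 network-object 10.10.10.0 255.255.255.0
object-group network DMZ_SERVERS
 network-object 10.10.20.0 255.255.255.0
!
! Entries denied in the redirect ACL do not match the class and therefore bypass
! the module entirely. Here a known bulk transfer (constructed example: DMZ servers
! to a backup host on TCP/22) is excluded; everything else is still redirected.
access-list SFR_REDIRECT extended deny tcp object-group DMZ_SERVERS host 203.0.113.10 eq 22
access-list SFR_REDIRECT extended permit ip object-group INSIDE_USERS any
access-list SFR_REDIRECT extended permit ip object-group DMZ_SERVERS any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! fail-open keeps traffic flowing if the module goes down; fail-close drops it.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
service-policy global_policy global
```

After applying it, "show service-policy sfr" shows per-class packet counters for the redirect and "show module sfr details" shows the module state, so you can confirm that only the intended flows are being sent to the module. Excluding a flow from the redirect means it receives no IPS, URL or file inspection at all, which is the same trade-off IAB makes later in this thread, only decided up front by address and port rather than by flow size.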



ilukeberry

Which ASA OS are you running?

ilukeberry

I am running 9.2(4)  on ASAs 

You need at least 9.4(2) or 9.5(1) to run FirePOWER 6.0.0.x stuff. Check FirePOWER 6.0 release notes for compatibility requirements.

Any idea if that fixes the bandwidth issue? I am afraid of hitting more bugs by going to 9.4 or 9.5; lots of not so good reviews on those versions.

Hi

Suggest you upgrade to officially supported ASA OS by FirePOWER 6.0

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/6001/relnotes/firepower-system-release-notes-version-6001.html#81783

You can still roll back to 9.2(4) if you hit any bugs. I'm currently running ASA OS 9.5(2) with FirePOWER 6.0.0.1 combo on 100mbps pipe without problems. (5515-X)

Regards

kvaldelo

Shawn,

I think this documentation might be helpful to you:

https://tools.cisco.com/bugsearch/bug/CSCuw19725/?reffering_site=dumpcr

Hi kvaldelo

Thanks for the bug ID. Any idea how I should create a TRUST rule based on the file size?

I know I can make a file policy based on file type or malware type.

Besides, this sounds more like an inspection issue, where even if I put in a simple URL filtering or Application filtering rule (no file or IPS) it would impact the bandwidth.

Thoughts?

There is something called intelligent application bypass please refer to the following link to have a deeper understanding of how it works

 https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Using_Intelligent_Application_Bypass.pdf

This sounds promising but in my testing I am getting very inconsistent results. I have tried many different values, what has worked for you?

I have an asymmetrical connection, gigabit down and 25 Mbps up, and when testing my downstream throughput is around 75 Mbps when using speedtest.net or iperf. If I "no class SFR" on my firewall I can get about 925 Mbps with speedtest.net and 300 with iperf. I would like to configure the policy so that if my flow rate exceeds 20 Mbps it would use the intelligent application bypass.

Below is an example of the IAB settings that I tried.

State:                                On
Performance Sample Interval:          1
Bypassable Applications and Filters:  All Application Protocol, Client & Web Applications
Packet Latency:                       5
Flow Velocity:                        2500

With these settings IAB is not impacting my performance testing. If I reduce Flow Velocity to 100 I see an impact, if I reduce to 1 I see a bigger impact.

I am testing with a 5506 running 9.5.2 and FirePOWER 6.0.1 and I understand it is not designed to handle a gigabit connection, however I think I should be able to get better performance than what I am seeing.

kvaldelo, thanks for your help. The IAB config fixed the bandwidth issue.

Although I am not feeling good about letting big files or large streams of flows go or Trust, it's a reasonable sacrifice to save network performance.

I couldn't find an optimum or any kind of best-practice tuning for the IAB config, so I configured it to Trust whatever flow is larger than 10 Mb/s.

Thanks a lot

Shawn
