
ASA Firewall Throughput

Asa Hoaglund
Level 1

Hello,

I'm trying to determine as closely as possible the throughput cap on our ASA 5525 with the services we have currently enabled on it.

AnyConnect VPN (40 users at any given time)

Firepower (1000 users going through the Sourcefire Module)

I found this doc, but I need something more geared towards our environment. Any ideas where I can get this kind of information?

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/data-sheet-c78-729807.html#_ftnref1

Thanks in advance!

Accepted Solutions

Philip D'Ath
VIP Alumni

The sum of all the crypto, in and out, with a reasonable packet size mix can get to 300Mb/s.  So if users mostly pulled 200Mb/s and pushed 100Mb/s, that would take you to your 300Mb/s limit.

Firepower throughput varies depending on whether it is dealing with an attack or not, and the type of traffic flowing through it.  You might get 600Mb/s to 1Gb/s.

Some flows, like a large file copy, will go reasonably fast.  On the other hand, something generating lots of small http requests will use a lot more resources and be slower.

Here is another more up-to-date table from the model comparison tool.  I have also added the model below (5516) and the model above (5545).

https://apps.cisco.com/ccw/cpc/guest/compare/ucsComparePage?selectedValues=model_asa5516x,model_asa5525x,model_asa5545x,&productFlags=N&callbackComponents=series_asa5500

If you are running into throughput issues, sometimes the cheapest approach is to offload all the VPNs onto a dedicated firewall.  A 5516 would probably be a good size for you, and not too expensive.
