Re: ASA FP2130 Performance Issue

latenaite2011 · ‎05-20-2019

Good afternoon,

We were running a speedtest performance testing and were getting only 500MB download and 360MB upload on a 1GB download/1GB upload going through the ASA. The is behind a Checkpoint firewall.

I am just curious what would cause such as low performance. Without the ASA/FP 2130, we're getting closed to 890MB upload /905MB download.

We have no features enabled on the Firepower 2130 except on the ASA and we have no NAT enabled on the ASA. Note that the ASA the FTP2130 running in ASA code only.

Thanks,

LN

Marvin Rhoads · ‎05-20-2019

Single flow speedtests can often report lower than expected results, both on ASA and Firepower/Snort. Have you tried a multiple flow alternative?

latenaite2011 · ‎05-31-2019

Hi Marin,

Thank you for your reply.

I tested this with multi-thread and that improved just a bit but still
getting less than 600MB throughput out of a 1GB Internet bandwidth.

Do let me know if you have any other suggestions.

Thank you!

latenaite2011 · ‎06-08-2019

Hi Marvin,

Ok, at one point, we were getting about 800MB using multi-thread from speedtest but we used iperf to iperf.he.net and we're only seeing about 560-570MB of throughput (see below). Do why know this is much lowered and we're not getting 800MB?

test$ ./iperf3 4/iperf3 -c iperf.he.net

Connecting to host iperf.he.net, port 5201

[ 6] local x.x.x.x port 58676 connected to 216.218.227.10 port 5201

[ ID] Interval Transfer Bandwidth

[ 6] 0.00-1.00 sec 67.8 MBytes 569 Mbits/sec

[ 6] 1.00-2.00 sec 66.8 MBytes 560 Mbits/sec

[ 6] 2.00-3.00 sec 67.1 MBytes 563 Mbits/sec

[ 6] 3.00-4.00 sec 66.7 MBytes 560 Mbits/sec

[ 6] 4.00-5.00 sec 66.7 MBytes 560 Mbits/sec

[ 6] 5.00-6.00 sec 66.9 MBytes 561 Mbits/sec

[ 6] 6.00-7.00 sec 67.0 MBytes 562 Mbits/sec

[ 6] 7.00-8.00 sec 67.1 MBytes 563 Mbits/sec

[ 6] 8.00-9.00 sec 66.9 MBytes 561 Mbits/sec

[ 6] 9.00-10.00 sec 66.7 MBytes 559 Mbits/sec

- - - - - - - - - - - - - - - - - - - - - - - - -

[ ID] Interval Transfer Bandwidth

[ 6] 0.00-10.00 sec 670 MBytes 562 Mbits/sec sender

[ 6] 0.00-10.00 sec 669 MBytes 561 Mbits/sec receiver

Thank you!

Marvin Rhoads · ‎06-08-2019

There are many many factors that can influence observed performance through any device to an Internet-based site. Answering why a particular test done from your site provides one number vs another one is nearly impossible. Only in a controlled lab environment with purpose built testing equipment such as a Spirent rig can you obtain an accurate reading of the device's true maximum capability.

More importantly, what are you trying to achieve and is the firewall hindering you in that goal?

latenaite2011 · ‎06-08-2019

Hi Marvin,

Thank you for the prompt reply.

We ran a similar test through a Checkpoint firewall and we're getting 800MB of throughput. The Checkpoint is over 10years old and just wondering if there is a sizing issue with the ASA FD2130. We were thinking of replacing the Checkpoint with the FD2130 but if it can't handle more than the Checkpoint, we may need to look at a higher model.

thank you!

Marvin Rhoads · ‎06-09-2019

The Firepower 2130 is certainly capable of handling multiple Gbps throughput, especially running ASA image. Even the 2110 should handle > 1 Gbps.

latenaite2011 · ‎06-09-2019

Yes Marvin, understood but why does the ipef3 to iperf.he.net shows only 560MB max throughput?

latenaite2011 · ‎06-09-2019

Yes Marvin, understood but why does the ipef3 to iperf(dot)he(dot)net shows only 560MB max throughput?

Marvin Rhoads · ‎06-09-2019

Sorry but I cannot answer that question.

MTJB · ‎08-02-2023

sorry to re awaken an old thread but if anyone ever got to the bottom of this id like to hear more.

i have a FPR2130 running ASA code 9.16(4)19

traffic through the box seems to be getting restricted to around 700mb per session on a point to point internal iperf between 2 laptops on 2 physical L3 ports.

no other traffic on these ports