05-20-2019 04:26 PM - edited 02-21-2020 09:09 AM
Good afternoon,
We were running a speedtest performance testing and were getting only 500MB download and 360MB upload on a 1GB download/1GB upload going through the ASA. The is behind a Checkpoint firewall.
I am just curious what would cause such as low performance. Without the ASA/FP 2130, we're getting closed to 890MB upload /905MB download.
We have no features enabled on the Firepower 2130 except on the ASA and we have no NAT enabled on the ASA. Note that the ASA the FTP2130 running in ASA code only.
Thanks,
LN
05-20-2019 08:11 PM
Single flow speedtests can often report lower than expected results, both on ASA and Firepower/Snort. Have you tried a multiple flow alternative?
05-31-2019 05:44 PM
06-08-2019 07:54 PM
Hi Marvin,
test$ ./iperf3 4/iperf3 -c iperf.he.net
Connecting to host iperf.he.net, port 5201
[ 6] local x.x.x.x port 58676 connected to 216.218.227.10 port 5201
[ ID] Interval Transfer Bandwidth
[ 6] 0.00-1.00 sec 67.8 MBytes 569 Mbits/sec
[ 6] 1.00-2.00 sec 66.8 MBytes 560 Mbits/sec
[ 6] 2.00-3.00 sec 67.1 MBytes 563 Mbits/sec
[ 6] 3.00-4.00 sec 66.7 MBytes 560 Mbits/sec
[ 6] 4.00-5.00 sec 66.7 MBytes 560 Mbits/sec
[ 6] 5.00-6.00 sec 66.9 MBytes 561 Mbits/sec
[ 6] 6.00-7.00 sec 67.0 MBytes 562 Mbits/sec
[ 6] 7.00-8.00 sec 67.1 MBytes 563 Mbits/sec
[ 6] 8.00-9.00 sec 66.9 MBytes 561 Mbits/sec
[ 6] 9.00-10.00 sec 66.7 MBytes 559 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 6] 0.00-10.00 sec 670 MBytes 562 Mbits/sec sender
[ 6] 0.00-10.00 sec 669 MBytes 561 Mbits/sec receiver
06-08-2019 08:31 PM
There are many many factors that can influence observed performance through any device to an Internet-based site. Answering why a particular test done from your site provides one number vs another one is nearly impossible. Only in a controlled lab environment with purpose built testing equipment such as a Spirent rig can you obtain an accurate reading of the device's true maximum capability.
More importantly, what are you trying to achieve and is the firewall hindering you in that goal?
06-08-2019 08:45 PM
Hi Marvin,
Thank you for the prompt reply.
We ran a similar test through a Checkpoint firewall and we're getting 800MB of throughput. The Checkpoint is over 10years old and just wondering if there is a sizing issue with the ASA FD2130. We were thinking of replacing the Checkpoint with the FD2130 but if it can't handle more than the Checkpoint, we may need to look at a higher model.
thank you!
06-09-2019 07:41 AM
The Firepower 2130 is certainly capable of handling multiple Gbps throughput, especially running ASA image. Even the 2110 should handle > 1 Gbps.
06-09-2019 08:44 PM
Yes Marvin, understood but why does the ipef3 to iperf.he.net shows only 560MB max throughput?
06-09-2019 08:45 PM
Yes Marvin, understood but why does the ipef3 to iperf(dot)he(dot)net shows only 560MB max throughput?
06-09-2019 11:14 PM
Sorry but I cannot answer that question.
08-02-2023 04:34 AM
sorry to re awaken an old thread but if anyone ever got to the bottom of this id like to hear more.
i have a FPR2130 running ASA code 9.16(4)19
traffic through the box seems to be getting restricted to around 700mb per session on a point to point internal iperf between 2 laptops on 2 physical L3 ports.
no other traffic on these ports
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide