ASA Throughput

NikkiAhmadi · ‎03-04-2013

I'm new to the Networking world and am trying to establish a base for my network. I'm running ASA 5510 8.4(4), how can I measrue throughput ?

In the ASDM, there is a nice feature for CPU, and the command show CLI also provides good info about CPU, but how can I get the throughput on a port basis ?

jocamare · ‎03-04-2013

The "interface graph" option on the monitoring ASDM homepage provides real-time monitoring of bandwidth usage for each interface on the security appliance. Bandwidth usage is displayed for incoming and outgoing communications. Users can view packet rates, counts, and errors; bit, byte, and collision counts; and more

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/mon_ifc.html#wp1038508

Jouni Forss · ‎03-04-2013

Hi,

The CLI of the ASA has some basic commands to show the traffic amount

Here are some of those commands but also some other common commands when checking connections and NAT related information

show interface detail
- Shows interface statistics
show traffic
- Shows inteface statistics but more related to traffic amounts
show perfmon
- Shows some statistics on the rate of connections, translations etc
show xlate
- Show active NAT translations
show xlate count
- Only shows the amount of active NAT translations
show conn long
- Shows connections active through the ASA.
show conn count
- Only shows the connection count currently on ASA

To be honest the ASDM shows all these statistics pretty clearly and updates the with a certain interval. (Instead of you having to use show commands constantly)

Heres some specs related to your ASA model (and the others) You can see the perfomance specs of the ASA5510 model

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

Hopefully the information has been helpfull

- Jouni

NikkiAhmadi · ‎03-04-2013

Thank you guys!

I do see the interface capturing option, but how can I make it more granular and take stats on a port basis ?! As in the bandwidth on TCP 5300..

Jouni Forss · ‎03-04-2013

Well you can capture certain TCP ports traffic naturally if that is what you mean

For example

access-list CAP-TCP5300 permit tcp any any eq 5300

access-list CAP-TCP5300 permit tcp any eq 5300 any

capture CAP type raw-data access-list CAP-TCP5300 interface buffer 35000000

Show capture on CLI

show capture CAP

Copy capture file to local computer to open with Wireshark

copy /pcap capture:CAP tftp://x.x.x.x/CAP.pcap

I dont think you cant get any better statistics on the actual banwith usage other than what has been suggested. Unless you use SNMP and draw a graph on the interface statistics.

- Jouni

NikkiAhmadi · ‎03-04-2013

Ummm.. I guess that could work.. I didn't look at it that way.. I was hoping to be able to set a time limit on it, like 10 mins or so

jocamare · ‎03-04-2013

If you need to see the top statistics for connections on ASDM you can go to the “Home” section of the same and move to the “Firewall Dashboard” tab.

There you will be able to see a lot of statistics, including top users, services, ports, Access-lists, etc.

NikkiAhmadi · ‎03-04-2013

Thanks Jouni and Jocamara,

Yes.. I can do that but that only shows me the real - time info..

jocamare · ‎03-04-2013

If you want to see past event information, you can configure teh ASA to send SNMP traps.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a13.shtml

https://supportforums.cisco.com/docs/DOC-1295