Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1383
Views
15
Helpful
5
Replies

ASA5506X Performance Capabilities

Go to solution
northtexasnetworks
Level 1
Level 1

‎02-12-2019 02:50 PM - edited ‎02-21-2020 08:48 AM

Hello,

We have an ASA5506X running 9.6.1.

We are currently running a VPN tunnel using: Ikev1 with AES-256, SHA1, and DH 2, and it runs very well.

We are considering changing the config to use: ikev2 with AES-256, SHA256, and DH20.

 

Can anyone tell me if the CPU has enough performance to support this?

 

Your help is appreciated.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to northtexasnetworks

‎02-13-2019 12:14 AM

X series is the new model, so you expected to be higher performance.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎02-12-2019 02:59 PM

Hi,
Yes, it should be fine, if you have the same number of VPN tunnels you currently have when using IKEv1....but if you plan on terminating additional tunnels on the 5506, that may have an impact at somepoint.

HTH

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎02-12-2019 03:01 PM

I do not see issue here..how many tunnel we are considering here ? 

 

here is the reference :

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_ike.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
northtexasnetworks
Level 1
Level 1
In response to balaji.bandi

‎02-12-2019 03:50 PM

We only have 2 active VPN tunnels running.  Someone told me DH20 is very CPU intensive may cause a slow down on the lower end ASA like the 5506.  Thanks for your help.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to northtexasnetworks

‎02-13-2019 12:14 AM

X series is the new model, so you expected to be higher performance.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Rob Ingram
VIP
VIP
In response to northtexasnetworks

‎02-13-2019 08:33 AM

DH (diffe hellman) is only run a couple of times a day (depending on the lifetime timers) and with only 2 tunnels that's probably not going to cause you an issue. I assume you are not currently experiencing performance issues...so I would imagine you will be fine.

 

This cisco doc, albeit it is discussing IOS IKEv2, I assume this still applies on ASA, recommended DH19 as the preferred DH group when using IKEv2, it's efficient and secure.

 

HTH

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card