01-24-2020 04:59 PM - edited 02-21-2020 09:51 AM
I have a customer who installed FMC+FTD 2110 ver 6.4 with an internet speed of 900 Mbps. He has almost 2000 users. Whenever we check the internet speed on any device it shows 30-50 Mbps, and he is telling me the firewall is causing an internet slowdown. Is that true, or is it logical to get that speed given his bandwidth is spread over many users? How can I troubleshoot this?
01-24-2020 07:02 PM
10-01-2020 06:53 AM
Hello all, we are having a similar issue with our FTD2120. Download through the FTD is 40 meg on a 1 gig DIA circuit, but upload speeds are in the 900 meg range. Only slow on download speeds? The FTD2120 is running all IPS/AMP options, but the box is rated 3 Gig. We tested on the outside of the FTD and are getting gig up and down; moved to the inside interface of the firewall and we get 48 meg down, 900 meg up on our speed test. Any thoughts/ideas would be much appreciated.
Thanks!
Bob
10-01-2020 07:36 AM
I know with other firewall devices, when you are looking at rated throughput, that is an aggregate amount of data spread across all of the system's CPU cores. When you do a typical speedtest, that is a single-threaded process, so with all of the security scanning of the data, the single core is fully utilized and gives you a much lower test speed than what you expect. So in your instance only one user will see the 48 meg test, but you could potentially start 20 of those tests at the same exact time and should be able to get close to your ISP's rated speeds. Being that you are not doing any scanning on outbound traffic, that is why you see the 900 meg upload. Unless you completely disable all of the IPS/AMP features, you'll probably never see a full speed test on a single computer, but that does not mean there are any problems.
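A way to measure what the reply above describes: one flow versus many concurrent flows through the same inspection path. This is an added example, not code from the thread; the download URL and the flow count of 20 are assumptions, and the aggregate rate is computed against the shared wall clock rather than the sum of per-flow times.

```python
"""Single-flow vs aggregate throughput check (added example, not from the thread)."""
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor


def fetch_flow(url: str, chunk: int = 65536, timeout: float = 30.0) -> tuple[int, float]:
    """Download url on one TCP connection; return (bytes received, seconds)."""
    start = time.monotonic()
    total = 0
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        while True:
            data = resp.read(chunk)
            if not data:
                break
            total += len(data)
    return total, time.monotonic() - start


def mbps(nbytes: int, seconds: float) -> float:
    """Convert a byte count over a duration to megabits per second."""
    return (nbytes * 8) / (seconds * 1_000_000) if seconds > 0 else 0.0


def summarize(flows: list[tuple[int, float]], wall_seconds: float) -> dict:
    """Per-flow rates plus the aggregate rate over the shared wall clock.

    Summing per-flow rates would overstate the aggregate if flows did not
    fully overlap, so total bytes are divided by the overall elapsed time.
    """
    total_bytes = sum(b for b, _ in flows)
    return {
        "flows": len(flows),
        "per_flow_mbps": [mbps(b, s) for b, s in flows],
        "aggregate_mbps": mbps(total_bytes, wall_seconds),
    }


def run_parallel(url: str, n_flows: int) -> dict:
    """Start n_flows downloads at the same instant and summarize the result."""
    start = time.monotonic()
    with ThreadPoolExecutor(max_workers=n_flows) as pool:
        flows = list(pool.map(fetch_flow, [url] * n_flows))
    return summarize(flows, time.monotonic() - start)


if __name__ == "__main__":
    TEST_URL = "http://example.invalid/100MB.bin"  # placeholder: a large file beyond the firewall
    for n in (1, 20):
        result = run_parallel(TEST_URL, n)
        print(f"{n:2d} flow(s): aggregate {result['aggregate_mbps']:.0f} Mbps, "
              f"slowest single flow {min(result['per_flow_mbps']):.0f} Mbps")
```

If a single flow reports tens of Mbps while 20 flows together approach the circuit rate, the limit is per-flow inspection capacity rather than the link; if the aggregate stays flat, the bottleneck is elsewhere.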
10-20-2020 11:32 AM - edited 10-20-2020 11:33 AM
Bob, I'm seeing what seems to be a very similar issue on my 2120, but it's affecting my uploads not downloads. Same as you, 1 Gb circuit. I get 900+ Mbps up and down if I fastpath the flow through the 2120. But without any fastpath in place, I can get 800+ down and only 2 Mbps up. Yes, 2...not a typo.
I opened a TAC ticket earlier today. Hopefully someone can help troubleshoot and identify what's happening.
I've tried a variety of new configurations to try to isolate it... No IPS policy, no AMP/File Policy, no SSL Inspect, No TID, "trust" instead of "allow" in my ACP for the flow from my test client...even with all of those things turned "off", the only way I'm getting over 2 Mbps upload is with a fastpath in place.
10-20-2020 03:56 PM
Hi,
My company is at the beginning of migrating from a pair of 5515-X ASAs in HA mode to an FMC-controlled pair of NGFW 2110 also. One of our decisions is whether to run in plain ASA without some of the additional security features or go fully implemented for all security features. Besides the fact that migrating the configuration from the ASAs to the 2110 is more than a little challenging, we are also concerned about throughput and overall performance if we go with the full security FMC+FTD model. We want the network attack vectors blocked to the best of its ability, but if throughput is severely degraded as you mention above, we would be forced to roll back to the 5515-X, which are EOL of course.
I don't see anything that is reassuring on this page yet, just too new of course.
Any advice for our migration (including migrating the configuration)?
Thanks
10-21-2020 08:45 AM
Jack - I'll just add that the performance/throughput problem I'm seeing now on the 2120 is not something that has always been there. I don't know when it started for us, because we don't have anything in place to regularly monitor upload speeds, and didn't receive any complaints from users in this environment about things being slow. I only noticed it now because I was testing a new circuit upstream from the FTD and initially thought that the ISP didn't provision it correctly, but identified the bottleneck at the FTD after working back to it from the handoff.
Last time I did any speed tests like this would have been maybe 6 months ago, and things were more in line with what I expect with IPS, AMP, SI, TID, SSL Inspect, etc. all running... was getting hundreds of Mbps (don't remember exactly... probably 400-500).
So I don't know if a bug was introduced with new FTD code, or something else has changed. And so far I'm getting no useful feedback from TAC.
12-14-2020 09:22 AM
We have not been able to resolve this issue still. Opened a TAC case and uploaded the general troubleshoot but in the end was told the issue is not the FTD from what they (TAC) see? Our upload speeds are between 600 and 900 meg but download speeds are 100 meg at best. We tried to fast path the traffic with very little change to our download speeds. Our next step is to bring in a tech contractor to put a laptop on the inside FTD interface direct and test to the Internet. We did this from our Internet switch on the outside and are seeing speeds close to a gig up and down. Will update this as soon as we complete testing from a directly connected laptop on the FTD.
12-14-2020 11:08 AM