Cisco ASA 5508-X with firepower slow internet

peter.matuska1, Level 1

Hi,

A customer has this ASA with Firepower enabled, and he complained that the internet speed is 40/90 Mbps. When I set Firepower to monitor-only, the speed was correct: 600/600 Mbps. The access policy has only a permit rule configured (IPS disabled). Do you know the speed that a 5508 can handle? I know that Firepower slows it down, but 40 Mbps on download is too slow.

thank you

9 Replies

Deepak Kumar, VIP Alumni

HI,

Can you check your MTU and interface settings? I advise setting the interface speed manually with full duplex.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi,

It seems to be correct. And can MTU/speed influence the throughput when Firepower is enabled? Because when Firepower is disabled, everything works fine.

Interface GigabitEthernet1/1 "OUTSIDE-1", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address ecbd.1dfe.5acc, MTU 1500
Interface GigabitEthernet1/2 "OUTSIDE-2", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address ecbd.1dfe.5acd, MTU 1500
Interface GigabitEthernet1/3 "INSIDE", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address ecbd.1dfe.5ace, MTU 1500
Interface GigabitEthernet1/4 "", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address ecbd.1dfe.5acf, MTU not set
Interface GigabitEthernet1/4.72 "DMZ", is up, line protocol is up
        MAC address ecbd.1dfe.5acf, MTU 1500
Interface GigabitEthernet1/4.73 "DMZ-PRIVATE", is up, line protocol is up
        MAC address ecbd.1dfe.5acf, MTU 1500
Interface GigabitEthernet1/5 "DMZ-to-XYZ", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address ecbd.1dfe.5ad0, MTU 1500
Interface GigabitEthernet1/6 "", is down, line protocol is down
        Auto-Duplex, Auto-Speed
        MAC address ecbd.1dfe.5ad1, MTU not set
Interface GigabitEthernet1/7 "", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Description: Failover Interface
        MAC address ecbd.1dfe.5ad2, MTU 1500
Interface GigabitEthernet1/8 "", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Description: Failover Interface
        MAC address ecbd.1dfe.5ad3, MTU 1500
Interface Management1/1 "", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address ecbd.1dfe.5acb, MTU not set
Interface Port-channel1 "FAILOVER", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Description: LAN/STATE Failover Interface
        MAC address ecbd.1dfe.5ad2, MTU 1500
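As an added example (not part of the original thread and not Cisco code), here is a small Python script that parses ASA `show interface` output like the excerpt above and flags the things Deepak asked about: half duplex, a negotiated speed below line rate, a named interface with no MTU, and an MTU that differs between named interfaces. The sample input is trimmed from the output posted above, except for the GigabitEthernet1/3 entry, which is constructed (half duplex, 100 Mbps) so that the checks have something to report.

```python
import re

# Input: trimmed from the 'show interface' output posted above, except the
# GigabitEthernet1/3 entry, which is CONSTRUCTED (half duplex / 100 Mbps)
# purely to exercise the checks. Real output from 'show interface' on an
# ASA has the same layout and can be fed in unchanged.
SAMPLE = """\
Interface GigabitEthernet1/1 "OUTSIDE-1", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address ecbd.1dfe.5acc, MTU 1500
Interface GigabitEthernet1/3 "INSIDE", is up, line protocol is up
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        MAC address ecbd.1dfe.5ace, MTU 1500
Interface GigabitEthernet1/4 "", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address ecbd.1dfe.5acf, MTU not set
Interface GigabitEthernet1/4.72 "DMZ", is up, line protocol is up
        MAC address ecbd.1dfe.5acf, MTU 1500
Interface GigabitEthernet1/6 "", is down, line protocol is down
        Auto-Duplex, Auto-Speed
        MAC address ecbd.1dfe.5ad1, MTU not set
"""

HEADER = re.compile(r'^Interface (\S+) "([^"]*)", is (\w+), line protocol is (\w+)')
DUPLEX = re.compile(r'Duplex\((\w+)-duplex\)')   # only present once negotiated
SPEED = re.compile(r'Speed\((\d+) Mbps\)')
MTU = re.compile(r'MTU (not set|\d+)')


def parse_show_interface(text):
    """Turn ASA 'show interface' output into a list of per-interface dicts."""
    ifaces = []
    cur = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            cur = {"name": m.group(1), "nameif": m.group(2),
                   "admin": m.group(3), "proto": m.group(4),
                   "duplex": None, "speed": None, "mtu": None}
            ifaces.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if (m := DUPLEX.search(line)):
            cur["duplex"] = m.group(1).lower()          # 'full' or 'half'
        if (m := SPEED.search(line)):
            cur["speed"] = int(m.group(1))              # Mbps
        if (m := MTU.search(line)):
            cur["mtu"] = None if m.group(1) == "not set" else int(m.group(1))
    return ifaces


def check_interfaces(ifaces, expected_speed=1000):
    """Return (interface name, reason) pairs for settings that can cap throughput.

    Only named (nameif set), up/up interfaces are judged: a bare physical port
    that only carries subinterfaces legitimately shows 'MTU not set', and a
    down port has nothing negotiated yet.
    """
    findings = []
    named_up = [i for i in ifaces
                if i["nameif"] and i["admin"] == "up" and i["proto"] == "up"]
    for i in named_up:
        if i["duplex"] == "half":
            findings.append((i["name"], "half duplex negotiated"))
        if i["speed"] is not None and i["speed"] < expected_speed:
            findings.append((i["name"],
                             f"negotiated {i['speed']} Mbps, expected {expected_speed}"))
        if i["mtu"] is None:
            findings.append((i["name"], "MTU not set on a named interface"))
    # An MTU that differs between named interfaces forces fragmentation or
    # PMTUD for traffic crossing the firewall; flag anything off the majority.
    mtus = [i["mtu"] for i in named_up if i["mtu"] is not None]
    if mtus:
        common = max(set(mtus), key=mtus.count)
        for i in named_up:
            if i["mtu"] is not None and i["mtu"] != common:
                findings.append((i["name"],
                                 f"MTU {i['mtu']} differs from {common} on other interfaces"))
    return findings


if __name__ == "__main__":
    for name, reason in check_interfaces(parse_show_interface(SAMPLE)):
        print(f"{name}: {reason}")
```

Run against the full output posted above (without the constructed entry) it reports nothing, which matches the poster's conclusion that the interface settings are fine and the bottleneck is elsewhere.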


Firepower is not doing anything special with the MTU, but this is the troubleshooting phase, so we have to look at all available possibilities. Please look into the access control policy, IPS, etc.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Since the issue goes away in monitoring mode, this is most likely related to either traffic inspection or perhaps even logging. How many ACP entries do you have, and how many have logging enabled? We previously had a 5585 with a Firepower module which from time to time would grind to a halt. With the help of TAC we found that it was the amount of logs being generated that was causing the issue. Since Firepower really likes to create logs, more processing power was used to handle logging. That, combined with processing of normal traffic, caused the slowness issues we had.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius, the current policy is like this:

 

Are those the only two rules you have enabled? Is it the monitor rule that slows things down when you configure it to "inspect", or is it when you redirect traffic from the ASA to the FPR? If the slowness occurs after you redirect traffic from the ASA to the FPR, I would suggest opening a TAC case on this, as the issue might be related to how the ASA and FPR hand off traffic to each other on the backplane.

--
Please remember to select a correct answer and rate helpful posts

I upgraded from 6.0.0-1005 to 6.4.0.4-34 and now it works as expected. The only problem I have is that the speed with IPS set to Security over Connectivity is 600 Mbps, testing on speedtest.net. I believe that this is not a speed that Firepower can handle. Or is not all traffic during the test being inspected? I will ask the customer to confirm it once again.

Hi,
The ASA 5508-X would not handle 600 Mbps with Base + Threat (IPS) features enabled. The new Firepower FPR1120 would support that throughput (according to the Firepower Performance Estimator Tool).

HTH

Well, that's what I think as well. I know that IPS works because I saw one IP blocked by IPS (their email server). Well, I will see on Monday. Thank you all for the help.
