10-15-2019 06:44 AM
Hi,
The customer has this ASA with Firepower enabled, and he complained that the internet speed is 40/90 Mbps. When I set the Firepower to monitor-only, the speed was correct - 600/600 Mbps. The access policy has only permit traffic configured (IPS disabled). Do you know the speed that can be handled by a 5508? I know that Firepower slows it down, but 40M on download is too slow.
thank you
10-15-2019 08:47 AM
HI,
Can you check your MTU and interface settings? I advise setting the interface speed manually with full-duplex.
10-15-2019 09:18 AM
Hi,
It seems to be correct. And can MTU/speed influence the throughput when Firepower is enabled? Because when Firepower is disabled, everything works fine.
Interface GigabitEthernet1/1 "OUTSIDE-1", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address ecbd.1dfe.5acc, MTU 1500
Interface GigabitEthernet1/2 "OUTSIDE-2", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address ecbd.1dfe.5acd, MTU 1500
Interface GigabitEthernet1/3 "INSIDE", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address ecbd.1dfe.5ace, MTU 1500
Interface GigabitEthernet1/4 "", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address ecbd.1dfe.5acf, MTU not set
Interface GigabitEthernet1/4.72 "DMZ", is up, line protocol is up
MAC address ecbd.1dfe.5acf, MTU 1500
Interface GigabitEthernet1/4.73 "DMZ-PRIVATE", is up, line protocol is up
MAC address ecbd.1dfe.5acf, MTU 1500
Interface GigabitEthernet1/5 "DMZ-to-XYZ", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address ecbd.1dfe.5ad0, MTU 1500
Interface GigabitEthernet1/6 "", is down, line protocol is down
Auto-Duplex, Auto-Speed
MAC address ecbd.1dfe.5ad1, MTU not set
Interface GigabitEthernet1/7 "", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Description: Failover Interface
MAC address ecbd.1dfe.5ad2, MTU 1500
Interface GigabitEthernet1/8 "", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Description: Failover Interface
MAC address ecbd.1dfe.5ad3, MTU 1500
Interface Management1/1 "", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address ecbd.1dfe.5acb, MTU not set
Interface Port-channel1 "FAILOVER", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Description: LAN/STATE Failover Interface
MAC address ecbd.1dfe.5ad2, MTU 1500
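The reply above asks whether the interface settings are consistent. As an added example that is not from the thread, here is a small parser for the ASA "show interface" output format quoted above, with a check that flags the conditions the earlier reply asked about (half-duplex, speed below 1 Gbps, unexpected MTU) on named, up interfaces. The sample output is constructed, and the thresholds are assumptions.

```python
import re

# Constructed sample in the layout of the ASA "show interface" output quoted above;
# values are made up so that the checks below have something to flag.
SAMPLE = """\
Interface GigabitEthernet1/1 "OUTSIDE-1", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address 0000.0000.0001, MTU 1500
Interface GigabitEthernet1/3 "INSIDE", is up, line protocol is up
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
MAC address 0000.0000.0003, MTU 1500
Interface GigabitEthernet1/4.72 "DMZ", is up, line protocol is up
MAC address 0000.0000.0004, MTU 9000
Interface GigabitEthernet1/6 "", is down, line protocol is down
Auto-Duplex, Auto-Speed
MAC address 0000.0000.0006, MTU not set
"""

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (\w+), line protocol is (\w+)')
DUPLEX_RE = re.compile(r'\((Full|Half)-duplex\)')
SPEED_RE = re.compile(r'Speed\((\d+) Mbps\)')
MTU_RE = re.compile(r'MTU (\d+|not set)')

def parse_show_interface(text):
    """Return one dict per interface; sub-interfaces have no duplex/speed line."""
    ifaces, cur = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"name": m.group(1), "nameif": m.group(2), "state": m.group(3),
                   "protocol": m.group(4), "duplex": None, "speed": None, "mtu": None}
            ifaces.append(cur)
        elif cur is not None:
            if "Duplex" in line:  # negotiated values sit in parentheses; absent when down
                d, s = DUPLEX_RE.search(line), SPEED_RE.search(line)
                cur["duplex"] = d.group(1).lower() if d else None
                cur["speed"] = int(s.group(1)) if s else None
            mm = MTU_RE.search(line)
            if mm:
                cur["mtu"] = None if mm.group(1) == "not set" else int(mm.group(1))
    return ifaces

def check_interfaces(ifaces, expected_mtu=1500, min_speed=1000):
    """Flag settings that can hurt throughput; thresholds are assumptions."""
    findings = []
    for i in ifaces:
        if i["state"] != "up" or not i["nameif"]:
            continue  # unnamed or down ports carry no user traffic
        if i["duplex"] == "half":
            findings.append((i["name"], "half-duplex"))
        if i["speed"] is not None and i["speed"] < min_speed:
            findings.append((i["name"], f"speed {i['speed']} Mbps"))
        if i["mtu"] != expected_mtu:
            findings.append((i["name"], f"MTU {i['mtu']}"))
    return findings
```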
10-15-2019 10:58 PM
Hi,
It seems to be correct. And can MTU/speed influence the throughput when Firepower is enabled? Because when Firepower is disabled, everything works fine.
Firepower is not doing anything special with MTU, but it is the troubleshooting phase, so we have to look at all available possibilities. Please look into the access control policy, IPS, etc.
10-15-2019 01:19 PM
Since the issue goes away when in monitoring mode, this is most likely related to either traffic inspection or perhaps even logging. How many ACP entries do you have, and how many have logging enabled? We previously had a 5585 with a Firepower module which from time to time would grind to a halt. With the help of TAC we found that it was the amount of logs being generated that was causing the issue. Since Firepower really likes to create logs, more processing power was used to handle logging. That, combined with the processing of normal traffic, caused the slowness issues we had.
10-15-2019 01:25 PM
10-15-2019 09:58 PM
Those are the only two rules you have enabled? Is it the monitor rule that slows things down when you configure it to "inspect", or when you redirect traffic from the ASA to the FPR? If the slowness occurs after you redirect traffic from the ASA to the FPR, I would suggest opening a TAC case on this, as the issue might be related to how the ASA and FPR hand off traffic to each other on the backplane.
10-18-2019 01:42 AM
I upgraded from 6.0.0-1005 to 6.4.0.4-34 and now it works as expected. The only problem I have is that the speed with IPS set to security over connectivity is 600M, testing on speedtest.net. I believe that this is not a speed that the Firepower can handle. Or is not all traffic tested during the test? I will ask the customer to confirm it once again.
10-18-2019 01:55 AM - edited 10-18-2019 01:58 AM
Hi,
The ASA 5508-X would not handle 600Mb with Base + Threat (IPS) features enabled. The new Firepower FPR1120 would support that throughput (according to the Firepower Performance Estimator Tool).
HTH
10-18-2019 05:32 AM
Well, that's what I think as well. I know that IPS works because I saw 1 IP blocked by IPS (their email server). Well, I will see on Monday. Thank you all for the help.