Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1404
Views
0
Helpful
3
Replies

Cisco ASA firepower

cisco8887
Level 2
Level 2

‎01-12-2016 01:27 AM - edited ‎03-10-2019 06:32 AM

Hi Guys,

I have looked at the link below to try and understand how firepower impacts throghput and have put the following chart together.

I then had a call with Cisco TAC,  and he mentioned the bandwidth is halfed when URL service is enabled and further halfed when AMP is enabled.

This is not on cisco website. Can anyone confirm and give an opinion on this?

how the Max throughput is achieved. Is it per connection regardless of load or under maximum load/maximum connections?  If per connection, can one assume a 5506 would give a significantly higher throughput than 23Mbps if few users are passing traffic through the ASA and all firepower functionalities are enabled ?

Model\Feature

Maximum Performance without Firepower(Mbps)

Maximum AVC Throughput(Mbps)

Maximum AVC+IPS Throughput(Mbps)

Maximum AVC + IPS + AMP Throughput(Mbps)

Maximum AVC + IPS+ AMP + URL Filtering Throughput(Mbps)

Maximum VPN Throughput(Mpbs)

5506

300

250

125

45

23

100

5508

500

450

250

90

45

175

5512

500

300

150

50

25

200

5515

600

500

250

75

38

250

5516

900

850

450

150

75

250

5525

1024

1100*

650

188

94

300

5545

1536

1500

1000

288

144

400

5555

2048

1750

1250

363

182

700

Labels:
0 Helpful
3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

‎01-13-2016 12:39 AM

Throughput is often measured using an IMIX profile.

https://en.wikipedia.org/wiki/Internet_Mix

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-13-2016 05:54 AM

Your exact numbers are off a bit but the overall idea that URL filtering and especially AMP will reduce firewall throughput is correct.

Because there are so many variables that go into a given unit's throughput, Cisco does not publish all of the various scenario numbers publicly. Your Cisco or partner SE can discuss with you in detail considering your use case and size the appliance appropriately based on that.

The testing methodology does generally assume a large number of flows, as per the IMIX profile that Philip mentioned.

0 Helpful

Robert Zeff
Level 1
Level 1

‎07-09-2016 07:03 PM

I assume using an IMIX profile would return throughput less than a speedtest, for example.

We have an ASA5515.  Without Firepower, we get about 900 mbps to a decent speedtest site.

We are blocking Torrents, Malware, but no IDS.  We are getting 300 mbps down/220 up.

Latency jumps to 200-300ms during the test, from a second client.  Jitter is huge, listening to audio and doing a VoIP call seem unaffected during the test.

We are going to have to go to a ASA 5555 I fear.  We have two of the ASA 5515-X, so we might try clustering first.

-Robert

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card