Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
27808
Views
16
Helpful
39
Replies

Firepower deployments really slow

ncowger
Level 1
Level 1

‎08-14-2017 06:38 PM - edited ‎03-12-2019 06:29 AM

I have new pair of NGFW 2110's.  I have a virtual FPMC.  This is a new build with relatively few rules (10) and NAT statements (14).  If I make a simple change to the policy and deploy it, it seems to take a really long time.  I'm regularly seeing 7+ minutes.  Is this normal?  Why?     

17 people had this problem
Labels:
Preview file
19 KB
Preview file
28 KB
0 Helpful
39 Replies 39

mikael.lahtela
Level 4
Level 4
In response to workforcesoftware

‎01-19-2018 09:15 AM

Hi everyone,

 

I'm working with many different deployments and I would say 8 minutes with FMCv and HA pair 2110 is normal.

There is a big difference on a empty box, stand alone or ha pair. ranging from 2 minutes to 10 minutes.

I believe Cisco will be doing something about this in coming releases.

 

br, Micke

0 Helpful

adammckay1
Level 1
Level 1
In response to mikael.lahtela

‎01-22-2018 12:08 AM - edited ‎01-22-2018 12:15 AM

It's the same for me on a physical FPMC 1000 with around 15 rules and some very basic NAT & HA configuration, for a single FPR2110 pair - somewhere between 5-7 minutes per deploy even with a single change. I wouldn't say this is a FMCv-specific issue at all and from the horses mouth I was told this was "normal".

 

It's frustrating because under some circumstances traffic may be dropped during a deploy (the circumstances where this can happen are vague and the documentation has conflicting information with the on-box help, which has information that conflicts with other on-box help I just double-checked and it looks like the documentation has been updated to be clearer). We're scheduling any policy change for after-hours as a result, even if it's a single access policy item addition or removal.

workforcesoftware
Level 1
Level 1
In response to adammckay1

‎01-23-2018 06:59 AM

Yeah, I've also heard this is normal from several resources within Cisco. The issue of traffic dropping on deployment is the biggest issue I have with the new system. Gone are the days of making changes during production hours, with little to no impact on the end-user. That was the one thing I loved the most about the ASAs, especially at our headquarters.
0 Helpful

c.flavell
Level 1
Level 1
In response to workforcesoftware

‎08-18-2018 02:03 AM

I have a ASA5506 converted to FTD (6.2.3.4-42) and using FDM (the local manager) and even that is slow. A simple change to the BVI address on a empty firewall takes minutes. Either the deployment manager is trying to connect to some external server or the deployment is on a clock cycle so only checks for work every x seconds but it is unacceptable. Interestingly even show network from the console CLI takes a few seconds to respond. It also takes quite a while after boot for the https server to become available.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to c.flavell

‎03-15-2019 09:01 PM

6.3 has improved deployment times significantly (~2x better). Unfortunately the ASA 5506-X and 5512-X are not eligible for 6.3 upgrades.

0 Helpful

elcommunication
Level 1
Level 1

‎06-11-2018 12:22 PM

I'm new into the ASA firepower stuff and I think the deployment times are really slow up to 5 minutes. I'm getting gray hair before they're done. And if I deploy a change on a live environment and figure out the rule breaks connectivity for my users it takes at least 5 minutes to revert the changes

0 Helpful

Nikolaj Pabst
Level 5
Level 5
In response to elcommunication

‎06-18-2018 01:33 AM

Hi,

Are you running 6.2.3.X and is it a cluster?

In general 6.2.3 are MUCH faster than previous releases, and will give you a much better experience.

0 Helpful

elcommunication
Level 1
Level 1
In response to Nikolaj Pabst

‎06-18-2018 07:42 AM

I'm running  6.2.3.1 but it's not a cluster.

0 Helpful

Nikolaj Pabst
Level 5
Level 5
In response to elcommunication

‎06-19-2018 03:48 AM

How are the hardware on the VM?

0 Helpful

elcommunication
Level 1
Level 1
In response to Nikolaj Pabst

‎06-19-2018 03:52 AM

It's the default on the VM. 4 core and 8GB ram. And the actual host has dual six core amd opteron 2435 with very low load

 

0 Helpful

Nikolaj Pabst
Level 5
Level 5
In response to elcommunication

‎06-19-2018 03:55 AM

Try boosting it to 32GB Memory - it should be treated as a database server :-)

I guess you will get a huge performance boost.

0 Helpful

elcommunication
Level 1
Level 1
In response to Nikolaj Pabst

‎06-19-2018 08:00 AM

Doubled the ram to 16GB. Still a 7 minute deploy-time on a simple ACL line change.

 

But before I rebooted it used about 7.2 of 8GB RAM and now with 16GB about the same

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Nikolaj Pabst

‎06-19-2018 10:56 AM

The slow deployments are primarily due to architectural limitations of the underlying database design - not the resources on either the FMC or managed device.

 

Cisco has been working on improving this but it's not there just yet.

0 Helpful

shaun.stull1
Level 1
Level 1

‎08-30-2018 12:46 PM

I've got a pair of 2110's running in HA and rarely see a deployment that finishes in less than 7 minutes.  I am told by Cisco that this is the way it is and improvements are coming in the next release.  I heard the same thing prior to upgrading to 6.2.3 as well and didn't see much if any improvement... 

robinson
Level 4
Level 4
In response to shaun.stull1

‎03-15-2019 08:18 PM

Any updates here? I'm inheriting a 2110 with an FMCv, simple changes take 7 minutes. It's 3/2019, there has to be fix by now? One ACL take 7 minutes? That's just crazy.

The secret to succeeding at technology is to say yes you can, and to not be afraid of change. Forget the words, "That's how we always do it"
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card