Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2461
Views
0
Helpful
4
Replies

Firepower throughput issue

Khurram Tariq
Level 1
Level 1

‎02-24-2017 09:10 AM - edited ‎03-12-2019 01:58 AM

Dear All

we are using 5516X firewalls in HA and all the network passed through the firewalls.we have 400 MB link leased line. we have redirect policy for all the traffic to firepower and managing it from Firepower Management center as fail close.now we are having throughput issue for the traffic passes through the firepower. As we are getting around 200 MB speed on the user vlan which is passes through firepower.we have tested removing redirection for the user VLANs and we are getting speed around 370 MB which should be with firepower also. initially we have used Intrusion policy for all over rules i Management center byt we have removed intrusion inspection also and using only AMP and URL filtering but still speed is same.

please let me know what could be the issue or its idea fr the traffic passes through firepower. we have firepower version 6.1.x and management center also the same.

Labels:
0 Helpful
4 Replies 4

Oliver Kaiser
Level 7
Level 7

‎02-25-2017 02:02 AM

ASA 5516-X sizing throughput (AVC or IPS enabled) is 300Mbps. AMP can result in a performance penalty of around 30-50% depending on configuration. When we calculate the throughput using the maximum AVC/IPS performance which is rated at 450Mbps and apply AMP penatly of 50%, 200Mbps sounds like a reasonable result.

You might want to try disabling AMP and testing again. URL Filtering shouldnt have a significant performance hit.

Let me know if that helps.

0 Helpful

Khurram Tariq
Level 1
Level 1
In response to Oliver Kaiser

‎02-25-2017 07:31 AM

Thanks for your suggestions i just double checked 5516X throughput with IPS and AVC is 450 Mbps, we yesterday we had disable IPS from all rules and checked but still speed was around 200, but i will try to disable AMP also as you suggested.

its cutting throughput like 50 % of total bandwidth i don't  think so IPS and AMP can take 50 % of throughput

0 Helpful

Oliver Kaiser
Level 7
Level 7
In response to Khurram Tariq

‎02-26-2017 06:45 AM

450 Mbps is referenced in the datasheet but depending on the feature set you use and the traffic patterns in your network this numbers wont hold up.

The 300Mbps I mentioned are from a 2016 Cisco Live session:

The performance impact of AMP is real. The numbers are from a sizing guide for firepower.

Preview file
139 KB
0 Helpful

Khurram Tariq
Level 1
Level 1
In response to Oliver Kaiser

‎03-07-2017 04:08 AM

hey kaisero can you send me the link of the comparison sheet ??

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card