Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1068
Views
0
Helpful
4
Replies

Is our ASA5506X underpowered for FirePower?

BE_IT
Level 1
Level 1

‎11-14-2018 08:45 PM - edited ‎02-21-2020 08:28 AM

We have an Active/Standby configuration with 2 ASA5506X's with ASA version 9.6(4)17 and ASDM Version 7.6(1).  We have stopped subscribing to Firepower because every once in a while, Firepower basically brings the throughput of the network into single digit kbps.  After a few interactions with TAC, they turn off Firepower and things come back to normal.  So I decided not to continue with the subscription since it does that.  I've been hearing rumors from various "experts" who have been telling us that we were doomed from the beginning by buying the Firepower services with the the ASA's - that they were never powerful enough to host Firepower.   As far as I know, they are regular ol' ASA5506X's with 8GB or RAM.  Would a RAM upgrade help?  Can I even do that?  Should I move on to some other firewall solution?  We are a small company and the ASA5506X's were reasonably priced.  I looked into the ASA5508X and for some reason the initial licensing for Firepower and SMARTnet on that device is more expensive than the device itself!  

 

Any tips?

0 Helpful
4 Replies 4

johnd2310
Level 8
Level 8

‎11-14-2018 09:17 PM

Hi,

How much traffic are you sending through the ASA and what features are you using on the firepower?

 

Thanks

John

**Please rate posts you find helpful**
0 Helpful

BE_IT
Level 1
Level 1
In response to johnd2310

‎11-14-2018 10:36 PM

Hello John.  We typically see 40-50 Mbps traffic being pushed through the firewall based upon the little graphs on the ASDM home page.  To be honest, we only had a fresh install of Firepower.  We were never able to even get to the monitoring screens because it wasn't fully set up right.  So whatever the default installation had for IDS, IPS and content filtering, but as I said, we never got to set up any filtering.

0 Helpful

johnd2310
Level 8
Level 8
In response to BE_IT

‎11-15-2018 03:08 PM

Hi,

 

I think  you should look at getting the firepower module configured correctly. Once you have the module configured and working, you can run the firepower in monitor mode where it has a view of the traffic but does not impact throughput. Once you under stand the traffic flowing through  the  asa, you can slowly build your rules.

 

Thanks

John

**Please rate posts you find helpful**
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-15-2018 03:23 AM

ASA 5506 with Firepower has been a bit of a stretch on the device's capabilities. It works but it's no speed demon. 40-50 Mbps is at the edge of it's upper limit if you're pushing all traffic to the Firepower module for inspection.

 

If you look at the release notes for ASA 9.10(1) you will note that Cisco will no longer support Firepower on the 4 GB models such as ASA 5506-X as of that new release.

 

Unfortunately you cannot upgrade the RAM on these devices.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card