Hi, I have a doubt about the maximum concurrent connections on the ASA 5585-X with the SSP10 CX module. From the data sheet it seems that:
- ASA 5585-X --> maximum concurrent connections 1.000.000
- ASA 5585-X CX SSP-10 with 8GE, DES --> maximum concurrent sessions 500.000
But what if I don't send all sessions to the CX module? Could I use more than 500.000 concurrent sessions on the ASA 5585-X as long as the SSP-10 module doesn't exceed 500.000?
Thanks in advance
Sadly I don't remember what was mentioned about this at Cisco Live! 2013 London. I seem to recall that they mentioned that this wouldn't be a problem, but as I said I'm not 100% sure on this.
The only thing related to this that I found on the Cisco site with a quick look was this in the Q&A section.
Q. How about performance? Will the CX blade slow down my ASA firewall?
A. As with any device performing deep packet inspection, performance will be lower than with devices that only route traffic or perform stateful inspection. However, all ASA CX devices will provide gigabit and multigigabit throughput levels. Unlike competitive offerings, which require application control to be continuously active for all the traffic, ASA CX does not create any such restriction. Administrators can determine which traffic will be inspected by ASA CX, and continue to use Layer 3/Layer 4 rules where deep packet inspection is not required. This capability provides the flexibility for servers requiring low-latency performance to be exempted from deep packet inspection and still benefit from ASA stateful inspection. As a result, much more efficient and higher-performance firewalling is possible, compared with only creating application-based rules.
We will be having some people on a course related to this in the next week and I will be seeing a Cisco employee about the ASA CX later this month.
Thank you Jouni. Your answer helps me and it will be very useful for me if you have more information regarding this question.
I asked people from Cisco a question last week, and they confirmed that as long as you don't exceed the 500.000 connections in the ASA CX module you can have more than 500.000 connections in the ASA module.
I'm not totally sure but this was the answer.
I forgot to answer this after the meeting with Cisco.
The answer I got was that if you have a configuration that forwards certain networks' traffic to the ASA CX and the ASA CX connection limit is reached, THEN new connections simply won't be passed. There doesn't seem to be any mechanism that would automatically let traffic pass without going to CX if its connection limit is hit.
I was told that basically, to avoid these situations, you would have to manually limit the traffic assigned to the ASA CX so that it wouldn't reach its concurrent connection limit.
I am not sure if this will be something that will be changed. To be honest I can't give any answers myself since I'm still waiting for the first ASA CX so I can start playing around with its configurations.
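
One way to do the manual limiting described in the last reply, as an added ASA configuration sketch that is not from the thread or from Cisco: redirect only selected traffic to the CX module and cap that class's concurrent connections below the module's limit. The ACL and class names, the 10.10.0.0/16 network and the 450000 cap are constructed for illustration, and using a per-class connection cap for this purpose is an assumption.

```cisco
! Constructed example: only user web traffic from 10.10.0.0/16 is
! redirected to the CX module. Everything else gets ASA stateful
! inspection only and does not count toward the CX session limit.
access-list CX_REDIRECT extended permit tcp 10.10.0.0 255.255.0.0 any eq www
access-list CX_REDIRECT extended permit tcp 10.10.0.0 255.255.0.0 any eq https
!
class-map CX_CLASS
 match access-list CX_REDIRECT
!
policy-map global_policy
 class CX_CLASS
  ! fail-open / fail-close controls what the ASA does with this class
  ! when the CX module is unavailable. Per the thread, it should not be
  ! relied on as a bypass when the CX connection limit is reached.
  cxsc fail-open
  ! Assumed safeguard: cap concurrent connections for the redirected
  ! class below the 500.000 CX figure from the data sheet, so the ASA
  ! enforces the ceiling before the module does.
  set connection conn-max 450000
!
service-policy global_policy global
```

`show service-policy cxsc` and `show conn count` can then be used to compare the redirected traffic and the total connection count against the two data-sheet limits.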