"Real Life" ASA Throughput comparison?

matty-boy
Level 1

Hi,

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - http://www.anticisco.ru/pubs/ISR_G2_Perfomance.pdf).

The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.

When I swapped out the firewall the users noticed a big improvement!?!?!

The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard stateful inspection.

Any ideas?

Many thanks in advance,

Matt.

5 Replies

Rudy Sanjoko
Level 4

I tried to search as well a couple of months ago but had no luck. Cisco does have info on their website about the ASA throughput using multiprotocol/real-world HTTP, but only for the 5580 series and the ASA X series. Multiprotocol = traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.

On the link below you can compare all the ASA models; you can see the difference in performance between the 5505 and the 5520.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~tab-a

Dunno about comparisons between models, but my Cisco 5520s running 8.2 firmware in a test lab do about 620 Mbit/s between local interfaces, and 320 Mbit/s across an IPSEC tunnel using AES-128 & SHA1. Those might be your "not to be exceeded" upper bounds; it's a little beyond what Cisco promises, and I presume the results will degrade under high load or in the face of complex configurations. So I'm going to have to upgrade our hardware from 5520 to 5525-X to take full advantage of upgrading our fiber links from 100 Mbit/s to 1 Gbit/s. Moving to version 9 firmware along the way is requiring some configuration R&D.

-- Jim Leinweber, WI state lab of Hygiene

Patrick0711
Level 3

There is no definitive answer to this. Your explanation of the scenario is so vague that it makes it impossible to determine anything. What is "real life" if we don't know the device's purpose?

The ASA (the first generation line) will almost always be burdened more by the number of connections/second and the rate of incoming packets than by the bottom-line throughput numbers. I rarely see cases where the sheer volume of traffic is the limiting factor.

You fail to mention what type of traffic traverses your firewall. HTTP, SMB, and NFS are examples of very chatty application-layer protocols that require the ASA to rapidly perform fastpath functions that maintain the state of a given TCP connection. HTTP-intensive environments may also introduce several thousand new TCP connections per second, which is computationally expensive since the ASA must perform various checks for each new connection in the session management path.

You should have evaluated what your limiting factor was before you upgraded. The "shoot first, ask questions later" mentality is not the correct way to address situations like this IMO.
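One way to measure the metric Patrick points to (new connections per second, rather than raw throughput) from the firewall's own syslog. This is an added example, not code from any poster; it assumes the ASA is sending connection-build messages (IDs 302013/302015) to a collector with timestamps enabled, and it runs over a constructed sample log.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the ASA "Built ... connection" syslog messages (IDs 302013 for TCP and
# 302015 for UDP). Teardown messages (302014/302016) are deliberately ignored:
# only *new* connections cost session-management work.
BUILT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}).*%ASA-6-3020(?:13|15): "
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection"
)
TS_FMT = "%b %d %Y %H:%M:%S"

def new_conn_rate(lines):
    """Return (per-second new-connection counts, peak conn/s, average conn/s,
    per-protocol totals) for an iterable of ASA syslog lines."""
    per_second = Counter()
    per_proto = Counter()
    for line in lines:
        m = BUILT_RE.match(line)
        if not m:
            continue
        per_second[m.group("ts")] += 1
        per_proto[m.group("proto")] += 1
    if not per_second:
        return per_second, 0, 0.0, per_proto
    stamps = [datetime.strptime(ts, TS_FMT) for ts in per_second]
    span = (max(stamps) - min(stamps)).total_seconds() + 1  # inclusive seconds
    peak = max(per_second.values())
    average = sum(per_second.values()) / span
    return per_second, peak, average, per_proto

# Constructed sample log (hypothetical hostname and documentation-range addresses).
SAMPLE_LOG = """\
Mar 10 2013 09:15:01 fw-spoke %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.5/52001 (10.1.1.5/52001)
Mar 10 2013 09:15:01 fw-spoke %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.5/52002 (10.1.1.5/52002)
Mar 10 2013 09:15:01 fw-spoke %ASA-6-302015: Built outbound UDP connection 1003 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.1.1.2/40311 (10.1.1.2/40311)
Mar 10 2013 09:15:02 fw-spoke %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:10.1.1.5/52001 duration 0:00:01 bytes 2310 TCP FINs
Mar 10 2013 09:15:03 fw-spoke %ASA-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:10.1.1.7/52003 (10.1.1.7/52003)
""".splitlines()

if __name__ == "__main__":
    counts, peak, avg, protos = new_conn_rate(SAMPLE_LOG)
    print(f"peak {peak} conn/s, average {avg:.2f} conn/s, by protocol {dict(protos)}")
```

Run it against a day's worth of collector output and compare the peak against the connection-rate figure on the model comparison sheet rather than the Mbit/s figure.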

Thanks for the input guys.

Patrick - The intention was always to have the 5520 in place; the 5505 was a temporary measure while we waited for the 5520 hardware to arrive, not a blind attempt to try and fix a problem.

The site in question is a remote spoke site with up to around 40 concurrent Windows users. The site has NO local servers/services apart from a web proxy which also does the external DNS.

Web traffic breaks out locally via the proxy and traverses the routed firewall and out to the single 10meg Internet circuit. All internal traffic destined for the hub site goes through the firewall and down the IPSEC tunnel (which is landed on a router, not the firewall) out of the 10meg Internet circuit and over to the hub site. The hub site has the DCs, internal DNS, Exchange, application servers, file servers, etc.

Please note - the overall design was not mine. I'm just implementing it and was surprised that there was a perceived increase in throughput by the users when the FW was replaced. I was however only considering the max throughput figure and not other things like connections per second (I'm pretty new to the security/firewall side of things).

Cheers,

Matt.

The reason why your clients received a huge performance boost is not only because of the Internet connection, but also because there is a lot of internal communication between the different zones of the firewall as well, like constant chat with Active Directory, constant chat with SQL servers, internal DNS traffic, etc.
Moreover, these packets have to be processed by the CPU of the firewall, which in the case of the 5505 is small.

Sent from Cisco Technical Support iPad App