
Throughput across ASA

jvardhan29
Level 1

Hi experts,

I have a couple of questions on the ASA firewall performance parameters.

a) There are some statistics mentioned below (highlighted in red) from the output of "show interface". Can you please let me know what exactly they mean and whether they have anything to do with the performance degradation? Sometimes I see 255 and sometimes 0 in the brackets; what is the meaning of the same?


        input queue (curr/max packets): hardware (4/13) software (0/0)

        output queue (curr/max packets): hardware (0/2) software (0/0)

b) A snippet of "show traffic":

------------------ show traffic ------------------

outside:
        received (in 399900.042 secs):
                52447779340 packets     15890851465604 bytes
                131001 pkts/sec 39737005 bytes/sec
        transmitted (in 399900.042 secs):
                65563685590 packets     65534384569419 bytes
                163005 pkts/sec 163876000 bytes/sec
      1 minute input rate 6940 pkts/sec,  1808346 bytes/sec
      1 minute output rate 9437 pkts/sec,  10312871 bytes/sec
      1 minute drop rate, 34 pkts/sec
      5 minute input rate 6455 pkts/sec,  1635870 bytes/sec
      5 minute output rate 8578 pkts/sec,  9230665 bytes/sec
      5 minute drop rate, 32 pkts/sec
inside:
        received (in 399900.032 secs):
                71479465229 packets     67398228971523 bytes
                178002 pkts/sec 168537006 bytes/sec
        transmitted (in 399900.032 secs):
                70735709822 packets     25274565069488 bytes
                176002 pkts/sec 63202004 bytes/sec
      1 minute input rate 11815 pkts/sec,  12005507 bytes/sec
      1 minute output rate 9794 pkts/sec,  2774491 bytes/sec
      1 minute drop rate, 14 pkts/sec
      5 minute input rate 10206 pkts/sec,  9952420 bytes/sec
      5 minute output rate 8753 pkts/sec,  2568203 bytes/sec
      5 minute drop rate, 14 pkts/sec

What's the difference between the above and the below?

----------------------------------------
Aggregated Traffic on Physical Interface
----------------------------------------
GigabitEthernet0/0:
        received (in 945515.992 secs):
                138576555672 packets    44491901654282 bytes
                146003 pkts/sec 47055002 bytes/sec
        transmitted (in 945515.992 secs):
                177437847061 packets    187740725861881 bytes
                187003 pkts/sec 198559003 bytes/sec
      1 minute input rate 6940 pkts/sec,  1949495 bytes/sec
      1 minute output rate 9437 pkts/sec,  10486905 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 6455 pkts/sec,  1765085 bytes/sec
      5 minute output rate 8578 pkts/sec,  9388424 bytes/sec
      5 minute drop rate, 0 pkts/sec
GigabitEthernet0/1:
        received (in 945516.012 secs):
                197244220234 packets    195418264105665 bytes
                208001 pkts/sec 206678004 bytes/sec
        transmitted (in 945516.012 secs):
                185979557085 packets    70894303143811 bytes
                196001 pkts/sec 74979002 bytes/sec
      1 minute input rate 11815 pkts/sec,  12223190 bytes/sec
      1 minute output rate 9794 pkts/sec,  2966949 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 10206 pkts/sec,  10140298 bytes/sec
      5 minute output rate 8753 pkts/sec,  2739954 bytes/sec
      5 minute drop rate, 0 pkts/sec

a) While calculating the throughput to see if the traffic is exceeding or coming closer to what is mentioned in the datasheet, do I need to take the 5 minute input rate or the 1 minute input rate into consideration?

b) As mentioned in the below document, we need to take "Aggregated Traffic on Physical Interface" into consideration. Is there any reason for the same?

https://supportforums.cisco.com/docs/DOC-12439

c) As the packets per second play an important role while calculating throughput, how do we know what the size of the packet is? I mean, I think that what we calculate is the avg packet size, as we cannot differentiate among packets when they hit the interface since we do not know which flow they belong to. Is my understanding right?

E.g.: if there are 6000 pps on an interface for that instance, it might happen that out of these 1000 are large packets and 5000 are small packets (say 64 bytes).

Jayesh

8 Replies

Kureli Sankar
Cisco Employee

Allow me some time. I will look at this for you.

-Kureli

Hi Kureli Sankar,

This post is quite interesting, can you post your opinion please.

Whether to see both Rx + Tx or Rx or Tx - followed by multiplying by Avg UDP pkt 1500 required or not. Please reply.

Julio Carvajal
VIP Alumni

Hello Jayesh and Kureli,

A long time ago I had a case where the customer was having some performance issues and we came to the conclusion that the ASA was being oversubscribed.

To answer the second part of your questions (b):

A and b) I calculated the throughput of the security appliance by taking the bytes/second transmitted and received on the Aggregated Traffic on Physical Interface.

For example in your case would be like this:

GigabitEthernet0/0: 47055002 bytes/sec + 198559003 bytes/sec = 245614005 bytes/second

GigabitEthernet0/1: 206678004 bytes/sec + 74979002 bytes/sec = 281657006 bytes/second

Both of them: 527271011 bytes/second

Then you will need to convert that to Mbps; for that you will need to divide it by 1024 to get the kbps and then divide the result by 1024 again to get the Mbps. In your case that would be: 502.8444 Mbps

C) The ASA will see all the packets the same way (regardless of the size), so you just have to do the calculation with the amount of packets received and transmitted on the Aggregated Traffic on Physical Interface.

Hope this helps you

Please rate helpful posts.

Julio!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
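The sum described in the reply above, carried out on the posted output, as an added example that is not code from any poster or from Cisco. The function names are illustrative, the input is assumed to be only the "Aggregated Traffic on Physical Interface" section, and the Mbit/s figure is computed as bytes/sec × 8 / 10^6:

```python
import re

# Sample: aggregated-section lines from the question above (5 minute and drop-rate lines omitted).
SAMPLE = """\
GigabitEthernet0/0:
        received (in 945515.992 secs):
                138576555672 packets    44491901654282 bytes
                146003 pkts/sec 47055002 bytes/sec
        transmitted (in 945515.992 secs):
                177437847061 packets    187740725861881 bytes
                187003 pkts/sec 198559003 bytes/sec
      1 minute input rate 6940 pkts/sec,  1949495 bytes/sec
      1 minute output rate 9437 pkts/sec,  10486905 bytes/sec
GigabitEthernet0/1:
        received (in 945516.012 secs):
                197244220234 packets    195418264105665 bytes
                208001 pkts/sec 206678004 bytes/sec
        transmitted (in 945516.012 secs):
                185979557085 packets    70894303143811 bytes
                196001 pkts/sec 74979002 bytes/sec
      1 minute input rate 11815 pkts/sec,  12223190 bytes/sec
      1 minute output rate 9794 pkts/sec,  2966949 bytes/sec
"""
LIFETIME = re.compile(r"(\d+) pkts/sec\s+(\d+) bytes/sec")
MINUTE = re.compile(r"(\d+) minute (input|output) rate (\d+) pkts/sec,\s+(\d+) bytes/sec")

def parse_show_traffic(text):
    """Return {interface: {counter: (pkts_per_sec, bytes_per_sec)}}."""
    stats, iface, direction = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("received", "transmitted")):
            direction = "rx" if line.startswith("received") else "tx"
        elif line.endswith(":"):
            iface = line[:-1]
            stats[iface] = {}
        elif iface and (m := LIFETIME.match(line)):
            stats[iface][direction] = (int(m[1]), int(m[2]))
        elif iface and (m := MINUTE.match(line)):
            key = ("rx_" if m[2] == "input" else "tx_") + m[1] + "min"
            stats[iface][key] = (int(m[3]), int(m[4]))
    return stats

def throughput(stats, rx="rx", tx="tx"):
    """Sum rx + tx bytes/sec over all interfaces: (bytes/sec, Mbit/s at 8 bits/byte)."""
    total = sum(s[rx][1] + s[tx][1] for s in stats.values())
    return total, total * 8 / 1e6

def avg_packet_size(counter):
    """Average bytes per packet for one (pkts_per_sec, bytes_per_sec) pair."""
    return counter[1] / counter[0] if counter[0] else 0.0
```

On the posted output, `throughput(parse_show_traffic(SAMPLE))` gives 527271011 bytes/sec from the averages over the whole counter window, while passing `"rx_1min", "tx_1min"` gives 27626539 bytes/sec, so the choice of counter changes the result by more than an order of magnitude.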

Thanks Kureli! Will wait for your views on this.

Hi Julio,

As per your below example, you have added transmitting and receiving bytes/sec, but I doubt if it is true. I think that we need to just add either the receiving or the transmitting bytes/sec for all the interfaces to calculate throughput, and not both.

GigabitEthernet0/0: 47055002 bytes/sec + 198559003 bytes/sec = 245614005 bytes/second

GigabitEthernet0/1: 206678004 bytes/sec + 74979002 bytes/sec = 281657006 bytes/second

Also, I don't agree that the size of the packet does not matter. Smaller size packets are known to create performance issues across the firewall,

so my questions mentioned above remain unanswered, as I am looking for some clear explanation on it.

Jayesh

Hello,

1- You should focus on both of them. Why just the received packets and not the transmitted ones, or the reverse? The ASA will handle both of them, so you should analyze both of them while you are trying to get the actual throughput of your ASA.

2- The ASA receives a packet; if it is fragmented (MTU size bigger than the one set on the interface) it will be placed in a different buffer until the whole packet is received and reassembled, then it will be inspected and the ASA will transmit it again fragmented. Packets other than the fragmented ones will be placed on the queue with the rest of the packets no matter what size the packet has, unless you have configured QoS on the firewall (Priority = Low Latency Queue).

I have worked on cases like this with my customers, but sure, this is an open forum; if you do not trust my answer you can wait for another one.

Have a great Sunday.

Julio!!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

I agree with you concerning the throughput. You should take into account the receive and the transmit, since the ASA handles both at the same time.

Tks

Hello Germain,

Thanks for the comment. In order to calculate the throughput we will need to analyze both of them, because the ASA will do the same thing when it runs its algorithm; it will focus on both incoming and outgoing traffic.

Tks.

Julio!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi experts / Kureli,

Still looking for some more views on this from your end.

Thanks

Jayesh
