Throughput Issue on Firepower 2140 with ASA.

rp675p
Level 1

Hi,

I have been facing a throughput issue for a while now and do not know the root cause.

So the firewall is in between 2 Alcatel routers (say A and B). A is sending 5Gig traffic to the firewall but on the port-channel stats, I only see 1Gig. 

We have tried everything: cleaning the SFPs, replacing the fiber cables, and placing an Annue (packet capturing device) directly in between A and the firewall. The Annue device clearly shows it sending 5gig.

 

Whatever the ASA is receiving on the port-channel is being sent out to device B. 

There are no QoS configs, we are using MMF (distance is less than 300m), bandwidth is 1000 Mbps.

No collisions or packet errors seen on the interface.

There are no alarms, environment details look good.

What else am I missing?

Can someone kindly help me out here, as this is a high-level project and they have given a commitment to the customers that 5gig traffic would be delivered.

 

7 Replies

Marvin Rhoads
Hall of Fame

So an ASA image on Firepower 2140 is assigned interfaces via the appliance management (either Firepower Chassis Manager or fxos cli). Can you share confirmation that the assigned interfaces are 10 Gbps ones and are set to 10 Gbps speed? If they are, then the ASA interface bandwidth should be 10000 Mbps, not 1000 Mbps.

Hi Marvin,

Thank you for responding back. Oh yeah, my bad, missed out on a zero there. Yes, the speed is set to 10gbps on fxos cli.

FXOS CLI Interface config:

enter port-channel 2
enable
enter member-port 1 15
enable
exit
enter member-port 1 16
enable
exit
set auto-negotiation no
set descr ""
set duplex fullduplex
set flow-control-policy default
set lacp-policy-name default
set port-channel-mode active
set port-type data
set speed 10gbps

 

ASA Interface config and stats:

sh running-config interface port-channel 2
!
interface Port-channel2
description 10 GigE PortChannel 2 to BB5
nameif LAB
security-level 100
ip address x standby x
ipv6 address x standby x

 

Stats:

/act/pri# sh interface port-channel 2
Interface Port-channel2 "LAB", is up, line protocol is up
Hardware is EtherSVI, BW 20000 Mbps, DLY 1000 usec
Description: 10 GigE PortChannel 2 to BB5 LAG-14
MAC address 2cf8.9bd1.abaf, MTU 9198
IP address 144.60.117.68, subnet mask 255.255.255.248

Marvin Rhoads
Hall of Fame

So your stats output says "BW 20000 Mbps" which is 20 Gbps. That would be correct for 2 x 10 Gbps physical interfaces in a portchannel. Where is it that you say you see only 1000 Mbps?

In the interface statistics. 
FPWR-PLANTXHSASA01/act/pri# sh interface port-channel 2
Interface Port-channel2 "LAB", is up, line protocol is up
Hardware is EtherSVI, BW 20000 Mbps, DLY 1000 usec
Description: 10 GigE PortChannel 2 to BB5 LAG-14
MAC address 2cf8.9bd1.abaf, MTU 9198
IP address x.xx.x., subnet mask 255.255.255.248
Traffic Statistics for "LAB":
69490897692 packets input, 92379956086024 bytes
10289625793 packets output, 12348727574261 bytes
24781658 packets dropped
1 minute input rate 33042 pkts/sec, 43822818 bytes/sec
1 minute output rate 4916 pkts/sec, 5941065 bytes/sec
1 minute drop rate, 15 pkts/sec
5 minute input rate 33303 pkts/sec, 43859663 bytes/sec
5 minute output rate 5789 pkts/sec, 7169674 bytes/sec
5 minute drop rate, 16 pkts/sec

 

Traffic isn't running now, hence the speed is 350Mbps. But it showed just over 1Gbps when the user had initiated the speed test. They could see 5 gig sending out right before the ASA.

The overall firewall interface speed and configuration seem to be correct.

Speed for a given flow from one user is not the same as speed of aggregate traffic through the firewall.

Without knowing the end to end setup and test conditions it's impossible to say whether the ASA is in any way constraining the throughput.
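
An added example (not part of the thread and not Cisco's code) that parses the `show interface` traffic statistics pasted above and converts the byte rates to Mbps and to a percentage of the reported BW. The sample text is copied from the post; the function and field names are assumptions of this example.

```python
import re

# Interface statistics copied from the post above (address lines omitted).
SAMPLE = """\
Interface Port-channel2 "LAB", is up, line protocol is up
Hardware is EtherSVI, BW 20000 Mbps, DLY 1000 usec
Traffic Statistics for "LAB":
69490897692 packets input, 92379956086024 bytes
10289625793 packets output, 12348727574261 bytes
24781658 packets dropped
1 minute input rate 33042 pkts/sec, 43822818 bytes/sec
1 minute output rate 4916 pkts/sec, 5941065 bytes/sec
1 minute drop rate, 15 pkts/sec
5 minute input rate 33303 pkts/sec, 43859663 bytes/sec
5 minute output rate 5789 pkts/sec, 7169674 bytes/sec
5 minute drop rate, 16 pkts/sec
"""

BW_RE = re.compile(r"\bBW (\d+) Mbps")
RATE_RE = re.compile(r"(\d+) minute (input|output) rate (\d+) pkts/sec,\s*(\d+) bytes/sec")
DROP_RE = re.compile(r"(\d+) minute drop rate,\s*(\d+) pkts/sec")


def summarize(text):
    """Return the reported BW and per-window rates in Mbps and % of BW."""
    bw = BW_RE.search(text)
    if bw is None:
        raise ValueError("no 'BW <n> Mbps' line found")
    bw_mbps = int(bw.group(1))
    windows = {}
    for minutes, direction, pps, byps in RATE_RE.findall(text):
        pps, byps = int(pps), int(byps)
        mbps = byps * 8 / 1_000_000          # bytes/sec -> megabits/sec
        windows.setdefault(int(minutes), {})[direction] = {
            "pps": pps,
            "mbps": round(mbps, 1),
            "util_pct": round(100 * mbps / bw_mbps, 2),
            # An idle interface reports 0 pkts/sec; avoid dividing by zero.
            "avg_pkt_bytes": round(byps / pps) if pps else 0,
        }
    for minutes, pps in DROP_RE.findall(text):
        windows.setdefault(int(minutes), {})["drop_pps"] = int(pps)
    return {"bw_mbps": bw_mbps, "windows": windows}


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for minutes, w in sorted(s["windows"].items()):
        print(minutes, "min:", w)
```

These counters are aggregate for the interface over the averaging window, so they do not show the rate of any individual flow.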

 

vijay-rao
Level 1

I am also facing the same issue.


vijay-rao
Level 1

All devices are cisco, packet generator tester is IXIA.
