Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4010
Views
5
Helpful
3
Replies

Understanding Throughput Numbers on ASA5585-X series

johnnylingo
Level 5
Level 5

‎12-17-2012 12:22 PM - edited ‎03-11-2019 05:38 PM

I'm in the evalation process to upgrade from an ASA5580, which at peak is handling 5 Gbps download and 2 Gbps upload I want to be sure I'm understanding the numbers on the ASA5585-X data sheet correctly. Looking at the ASA5585-S40 for example, these numbers are listed:

StatisticValue
Firewall Througput (Max)20 Gbps
Firewall Througput (Multi-Protocol)10 Gbps
Maximum Firewall Connections4,000,000
Maximum Firewall Connections/Second200,000
Max Packets per second (64-byte)6,000,0000

The "Maximizing Firewall Performance" presentation at Cisco Live also mentioned a "Real-World Throughput" of 12 Gbps, but I'm not sure how they came to this number.

My questions are as follows:

  1. Is "throughput" the combined inbound and outbound traffic? Would a 8 Gbps download and 2 Gbps upload be considered 10 Gbps throughput, or only 8?
  2. What is "Multi-Protocol" and how does that influence the numbers? If the firewall will only pass tcp/80 with no inspection, what is the throughput?
  3. The 5580 platform has a bus limit of 16 Gbps. Does the 5585-X series have any such limit?
Labels:
0 Helpful
3 Replies 3

johnnylingo
Level 5
Level 5

‎12-27-2012 01:09 PM

Anyone?

I understanding the "real world" throughput is based mostly on packet size, but is it a single direction number or combined input and output?

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to johnnylingo

‎12-27-2012 01:39 PM

Hi,

Can't really give any specific information myself.

To my understanding the "Multi-Protocol" section should be value to look when comparing a new devices performance to your current or future network throughtput needs. I'd imagine the Max value is the maximum throughtput the device could "push through" in ideal conditions which would lead to believe that it wouldnt be a good value to use.

Then theres ofcourse VPN and IPS which usually have their own section in the max throughput charts.

But as I said, I'm not really the best person to answer about these questions.

Thought I would still link this document/post/blog I ran into today but havent still read it through. And perhaps I should

Maybe it could be of some help while waiting for an answer from someone.

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2011/06/16/revisiting-firewall-performance-parameters

Maybe some other section of these very forums might have people that could give you more specific answer. Sections which have people participating that have to handle these things in everyday work.

- Jouni

johnnylingo
Level 5
Level 5
In response to Jouni Forss

‎12-28-2012 10:49 AM

I've scanned through similar discussions and mostly see chatter that throughput depends on packet size.  Well, duh!   The link states that the 20 Gbps number for the 5585-40 is with Jumbo frames, so that's good to know.  But what I'm really trying to figure out is what the throughput would be for large but non-Jumbo frames, roughly 1200 Bytes.  I would guestimate it in the 12-15 Gbps range, but since a need a firewall speced for 14 Gbps, it's really cutting it close.

I think the only way to get at these numbers is lab environment with packet generator, so I can go that route.  Just seeing if anyone else has done it already.  In a nutshell, I'm trying to fill out charts like this below for the 5585-40.

Packet Size (Bytes)Max PPSThroughput (Gbps)
9000277,77720
1500
1200
512
645,000,0002.56
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card