08-28-2016 08:29 PM - edited 03-12-2019 01:11 AM
Hi,
I'm new to Cisco ASA and FirePower. In the datasheet provided by Cisco.com, it is said that the maximum concurrent sessions in Cisco ASA 5585-X SSP-10 w/ FirePOWER Services is 500,000. What does maximum concurrent sessions mean? And how do I check the concurrent sessions in Cisco ASA?
Thank you
Arie
08-28-2016 08:40 PM
Actually it's 1,000,000 concurrent connections
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-730903.html
As a stateful firewall, the ASA series keeps track of open TCP connections (and UDP flows). That way it can allow return traffic associated with those connections back in through the firewall.
The command "show connections" will show you all of those, with the first line being the total current count and the highest count observed (since last boot):
asa-5512# sh conn | i use
279 in use, 2265 most used
08-28-2016 10:14 PM
Hi,
What does the term 'stateful firewall' mean?
The 1,000,000 concurrent connections is for the ASA firewall, isn't it?
For the Firepower module, why are the concurrent connections only 500,000 for Cisco ASA 5585-X SSP-10 w/ FirePOWER Services?
Thank you
Arie
08-29-2016 06:04 AM
Ari,
Wikipedia has a good definition and explanation of stateful firewall:
https://en.wikipedia.org/wiki/Stateful_firewall
You're right - the FirePOWER module (F10 version) in the ASA 5585X does limit you to 500,000 concurrent connections.
We are increasingly steering customers to the more scalable (and less expensive) FirePOWER 4100 series for high end requirements. The "entry level" FirePOWER 4110 supports 4.5 million concurrent sessions at about half the price of an ASA 5585-X.
08-29-2016 06:50 PM
Hi Marvin,
So, if the FirePower module in the ASA 5585X limits us to 500,000 concurrent connections, then we can't reach the maximum of 1,000,000 concurrent connections in the Cisco ASA?
Are the maximum concurrent connections in the FirePower module and in the Cisco ASA treated differently or the same?
Thank you
Arie
08-29-2016 07:40 PM
They are different.
Whether or not they are effectively the same depends on whether your service-policy sends all ASA traffic through the FirePOWER module.
You may choose to only inspect a subset of your traffic with the FirePOWER module. In that case, you can still reach a higher concurrent connection limit with the base ASA.
You could also have multiple contexts on an ASA 5585 - some using the FirePOWER module and others not.
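The selective redirection described in the reply above, as an added example that is not part of the original thread: an ASA service-policy that sends only a subset of traffic to the FirePOWER (sfr) module, so the remaining connections are tracked by the base ASA alone. The names SFR_REDIRECT and SFR_CLASS are hypothetical, and choosing web traffic as the inspected subset is an assumption made for illustration.

```cisco
! Added example, not configuration from the thread.
! SFR_REDIRECT and SFR_CLASS are hypothetical names; the choice of
! HTTP/HTTPS as the inspected subset is an assumption.

! 1. Select the traffic the FirePOWER module should inspect.
access-list SFR_REDIRECT extended permit tcp any any eq www
access-list SFR_REDIRECT extended permit tcp any any eq https

! 2. Match that ACL in a class-map.
class-map SFR_CLASS
 match access-list SFR_REDIRECT

! 3. Redirect only this class to the module. Connections that do not
!    match stay on the ASA and never count against the module's limit.
!    fail-open passes traffic uninspected if the module is down;
!    fail-close drops it instead, so pick the one your policy requires.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open

! 4. Apply the policy globally (present by default on most ASAs).
service-policy global_policy global

! Verification, run from privileged EXEC rather than config mode:
!   show service-policy sfr    <- packets redirected to the module
!   show conn count            <- total ASA connections in use / most used
```

Comparing the redirected-traffic counters with the total connection count over time shows how much of the ASA's load is actually subject to the module's lower limit.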
08-30-2016 04:12 AM
Hi Marvin,
Thank you for your answer. Appreciate it.
Arie