Solved: What is "Maximum Concurrent Sessions" in Cisco ASA 5585-X SSP-10 w/ FirePOWER Services?

Arie -- · ‎08-28-2016

Hi,

I'm new with Cisco ASA and FirePower. From the datasheet provided by Cisco.com, there is said that maximum concurrent sessions in Cisco ASA 5585-X SSP-10 w/ FirePOWER Services is 500,000. What does the maximum concurrent sessions mean? And how to do check the concurrent sessions in Cisco ASA?

Thank you

Arie

Marvin Rhoads · ‎08-28-2016

Actually it's 1,000,000 concurrent connections

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-730903.html

As a stateful firewall, the ASA series keeps track of open TCP connections (and UDP flows). that way it can allow return traffic associated with those connections back in through the firewall.

The command "show connections" will show you all of those, with the first line being the total current count and the highest count observed (since last boot):

asa-5512# sh conn | i use
279 in use, 2265 most used

View solution in original post

Marvin Rhoads · ‎08-28-2016

Actually it's 1,000,000 concurrent connections

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-730903.html

As a stateful firewall, the ASA series keeps track of open TCP connections (and UDP flows). that way it can allow return traffic associated with those connections back in through the firewall.

The command "show connections" will show you all of those, with the first line being the total current count and the highest count observed (since last boot):

asa-5512# sh conn | i use
279 in use, 2265 most used

Arie -- · ‎08-28-2016

Hi,

What is term of 'stateful firewall'?

The 1,000,000 concurrent connections is for ASA firewall, isn't it?

For Firepower Module, why does the concurrent connections only 500,000 for Cisco ASA 5585-X
SSP-10 w/ FirePOWER Services?

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

Thank you

Arie

Marvin Rhoads · ‎08-29-2016

Ari,

Wikipedia has a good definition and explanation of stateful firewall:

https://en.wikipedia.org/wiki/Stateful_firewall

You're right - the FirePOWER module (F10 version) in the ASA 5585X does limit you to 500,000 concurrent connections.

We are increasingly steering customer to the more scalable (and less expensive) FirePOWER 4100 series for high end requirements. The "entry level" FirePOWER 4110 supports 4.5 million concurrent sessions at about half the price of an ASA 5585-X.

Arie -- · ‎08-29-2016

Hi Marvin,

So, with the FirePower module in the ASA 5585X does limit to 500,000 concurrent connections, then we can't reach the maximum of 1,000,000 concurrent connections in the Cisco ASA?

Does the maximum concurrent connections in FirePower module and in the Cisco ASA treated differently or same?

Thank you

Arie

Marvin Rhoads · ‎08-29-2016

They are different.

Whether or not they are effectively the same depends on whether your service-policy sends all ASA traffic through the FirePOWER module.

You may choose to only inspect a subset of your traffic with the FirePOWER module. In that case, you can still reach a higher concurrent connection limit with the base ASA.

You could also have multiple contexts on an ASA 5585 - some using the FirePOWER module and others not.

Arie -- · ‎08-30-2016

Hi Marvin,

Thank you for your answer. Appreciate it.

Arie