Optimizing Traffic Flow through a 4GE SSM
Currently, a document on Cisco.com outlines how to design your ASA deployment to optimize traffic flow when using a 4GE SSM:
https://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5550/quick/guide/thru_n.html
To make the correct choice when deciding whether a new link added to the firewall should plug into an onboard port or an offboard port (on the 4GE SSM), one must understand how much traffic each interface is expected to process. Once the two interfaces with the highest data rate have been determined, one link should be connected to an onboard ASA port and the other to a 4GE SSM port. This optimizes the traffic by spreading the processing load across both internal buses.
Design Considerations
The hardware design recommendation outlined in the guide above is meant for the two highest-utilization interfaces on the ASA: putting one onboard and one on the 4GE SSM is appropriate, as it maximizes utilization of both buses.
There are certain conditions where your network will require more than two high-utilization interfaces. Before allocating this third interface, an understanding of how the 4GE SSM works is required. Since the ASA process-switches all traffic, any packet that arrives on a 4GE SSM port must be passed to the CPU on the ASA itself. To get from the 4GE SSM port to the CPU, the traffic must traverse the internal GigabitEthernet port, and this internal port may become a bottleneck. To avoid this problem, allocate any additional high-utilization ports to the onboard NICs.
For example, let's say a design requires two interfaces: inside and outside. These would be placed with the inside onboard (GigabitEthernet0/0) and the outside on the 4GE SSM (GigabitEthernet1/0).
Now the network requires a DMZ interface that will pass just as much traffic as the inside interface. It would be best to place this DMZ interface on an onboard NIC (GigabitEthernet0/1).
The DMZ interface should be placed onboard to avoid hitting the bandwidth limit of the single internal connection. Being aware of this hardware design will avoid unexpected performance issues.
4GE SSM Card Hardware Outline
Each port on the 4GE SSM card is a GigabitEthernet link, but all of them are aggregated across the backplane onto a single GigabitEthernet connection to the ASA. These internal interfaces can be viewed by issuing the command "show interface detail":
Interface Internal-Data0/0 "", is up, line protocol is up
Hardware is i82547GI rev00, BW 1000 Mbps, DLY 10 usec
(Full-duplex), (1000 Mbps)
MAC address 0000.0001.0002, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops, 0 demux drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Control Point Interface States:
Interface number is 7
Interface config status is active
Interface state is active
Interface Internal-Data1/0 "", is up, line protocol is up
Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
(Full-duplex), (1000 Mbps)
Media-type configured as RJ45 connector
MAC address 0000.0003.0002, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Control Point Interface States:
Interface number is 12
Interface config status is active
Interface state is active
Internal-Data0/0 is the interface for the ASA itself while Internal-Data1/0 is the link for the 4GE SSM.
Diagnosing 4GE SSM Issues
In some cases, oversubscription of the 4GE SSM card might cause the ASA to drop packets, which can result in connectivity issues through the ASA. Symptoms of oversubscription are packet drops (leading to retransmissions) and latency.
The easiest way to see oversubscription problems on the 4GE SSM card is to look at the output of "show interface detail" and check the fields labeled overrun and no buffer. More information can be found in the following document:
https://supportforums.cisco.com/docs/DOC-12439
To diagnose a possible oversubscription of the 4GE SSM, check whether the overruns are occurring exclusively on the 4GE SSM ports. You may also sometimes see overruns on the Internal-Data0/0 interface. If either of these conditions is met, you will need to reexamine the amount of traffic passed through the 4GE SSM ports.
As stated above, moving the oversubscribed interfaces from the 4GE SSM card to an onboard NIC is a possible resolution to oversubscription on the 4GE SSM.
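The two checks above can be automated against saved "show interface detail" output. The following Python is an added example, not Cisco's tooling or part of the original article; it parses the overrun and no buffer counters in the layout shown above and flags the page's two symptoms. The sample output is constructed, and the example assumes the 4GE SSM sits in slot 1 so its ports are GigabitEthernet1/x while onboard ports are GigabitEthernet0/x.

```python
import re

# Constructed sample (not from the article) in the layout of "show interface detail":
# one onboard port, two 4GE SSM ports showing overruns, and the ASA-side internal link.
SAMPLE = """\
Interface GigabitEthernet0/0 "inside", is up, line protocol is up
        912345678 packets input, 734512345678 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
Interface GigabitEthernet1/0 "outside", is up, line protocol is up
        845123456 packets input, 690123456789 bytes, 1523 no buffer
        0 input errors, 0 CRC, 0 frame, 1523 overrun, 0 ignored, 0 abort
Interface GigabitEthernet1/1 "dmz", is up, line protocol is up
        501234567 packets input, 410123456789 bytes, 322 no buffer
        0 input errors, 0 CRC, 0 frame, 322 overrun, 0 ignored, 0 abort
Interface Internal-Data0/0 "", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""

IFACE_RE = re.compile(r'^Interface (\S+) "')          # start of an interface block
COUNTER_RE = re.compile(r"(\d+) (overrun|no buffer)")  # the two fields the article names

def parse_counters(text):
    """Map each interface name to its 'overrun' and 'no buffer' counters."""
    counters, current = {}, None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = head.group(1)
            counters[current] = {"overrun": 0, "no buffer": 0}
        elif current:
            for value, field in COUNTER_RE.findall(line):
                counters[current][field] = int(value)
    return counters

def is_ssm_port(name):
    # Assumption: 4GE SSM in slot 1, so GigabitEthernet1/x is offboard, 0/x onboard.
    return name.startswith("GigabitEthernet1/")

def assess_ssm_oversubscription(counters):
    """Return (suspect, reasons): overruns only on SSM ports, or on Internal-Data0/0."""
    hit = [n for n, c in counters.items() if n.startswith("GigabitEthernet") and c["overrun"]]
    reasons = []
    if hit and all(is_ssm_port(n) for n in hit):
        reasons.append("overruns only on 4GE SSM ports: " + ", ".join(sorted(hit)))
    internal = counters.get("Internal-Data0/0", {}).get("overrun", 0)
    if internal:
        reasons.append(f"{internal} overruns on Internal-Data0/0")
    return bool(reasons), reasons
```

Feed it the captured output of the real command; a True result says the counters match the oversubscription pattern described above and the traffic on the 4GE SSM ports should be reexamined.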
Known Bugs Regarding 4GE SSM
CSCtd55121 - 4GE-SSM will not transmit all fragments (Resolved in 8.2.3 and 8.3.2)
CSCte79575 - ASA: TFW sh fail output shows Normal(waiting) when Sec unit is act (Resolved in 7.2.5 and 8.2.3)