ASA5505 Performance issue

Hello All,

 

For the last two days I have had the following issue: every morning there is no connection to the ASA5505 and it drops the internet.

My infrastructure is a bit strange - I have ASA5505 which is routing the network, there is no router behind it.

The questions are:

1. Can I use only one ASA5505 without a router behind it? I have about 50 PCs. Does this slow down the performance of the ASA?

2. How can I check what is actually happening behind that problem (logs or something like that)?

Thank you.


Julio E. Moisa
VIP Mentor

Hi

Yes, the 5505 should support 50 PCs; you don't need another layer 3 device because it can do that.

Now about the problem: you could first verify the cabling or request assistance from the ISP to verify its device. You can enable the logs on the ASA to verify what is happening.

Also, you can ping a public IP address from the ASA (at least 1000 or more pings) to check connectivity.




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

I have talked with the ISP, but they say the problem is on your side. I just need to be sure that the ASA is not freezing or stuck or something like that at night.

What IOS version is the ASA using? You could request an upgrade and check the CPU utilization: show cpu usage





Seb Rupik
VIP Advisor

Hi there,

Depending on the number of VLANs you have, the ASA 5505 should be up to the task of firewalling and inter-VLAN routing. For 50 devices this shouldn't be a problem.

 

What license do you have installed on it? The base license only permits 10 concurrent users on the 'inside'!

 

cheers,

Seb.

What does this mean - to have 10 users inside? I have the base license of the ASA. My plan is to have about 200 IPs under the ASA, should I buy a router then?

 

If you have a base license, you will find that the outbound connection will probably be working for 10 of them and the other 40 will be reporting that there is no internet connection.

 

From the config guide:

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.

You will need to upgrade to either the 50 user license:

L-ASA5505-10-50=

 

...or to the unlimited license:

L-ASA5505-10-UL=

 

 

...It is worth noting that the Security Plus license allows unlimited users too:

L-ASA5505-SEC-PL

 

 

cheers,

Seb.
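
The counting rule quoted from the config guide above, as an added example that is not part of the original thread and not Cisco's code: it models which hosts count toward the 5505 host limit in routed and transparent mode. The interface names, addresses and function names are constructed for illustration.

```python
from ipaddress import ip_address

# Constructed sample flows: (source interface, source IP, destination interface, destination IP).
SAMPLE_FLOWS = [
    ("business", "192.168.1.10", "outside", "198.51.100.7"),  # inside initiates to the Internet
    ("outside", "203.0.113.5", "home", "192.168.2.20"),       # outside initiates to the inside
    ("business", "192.168.1.11", "home", "192.168.2.21"),     # Business <-> Home only
    ("business", "192.168.1.10", "outside", "198.51.100.9"),  # same inside host again
]

def counted_hosts_routed(flows, default_route_if):
    """Routed mode: return the set of (interface, host) pairs that count toward the limit."""
    counted = set()
    for src_if, src_ip, dst_if, dst_ip in flows:
        if default_route_if is None:
            # No default route: hosts on all interfaces are counted.
            counted.add((src_if, ip_address(src_ip)))
            counted.add((dst_if, ip_address(dst_ip)))
        elif src_if == default_route_if and dst_if != default_route_if:
            # Outside initiated: only the inside host counts.
            counted.add((dst_if, ip_address(dst_ip)))
        elif dst_if == default_route_if and src_if != default_route_if:
            # Inside initiated: the inside host counts.
            counted.add((src_if, ip_address(src_ip)))
        # Traffic between two inside interfaces is not counted.
    return counted

def counted_hosts_transparent(hosts_by_if):
    """Transparent mode: the interface with the lowest number of hosts is counted."""
    name = min(hosts_by_if, key=lambda i: len(set(hosts_by_if[i])))
    return {(name, ip_address(h)) for h in hosts_by_if[name]}

def license_check(counted, limit):
    """Compare the counted hosts with a licensed host limit (10 on the base license)."""
    return {"count": len(counted), "limit": limit, "over": len(counted) > limit}

if __name__ == "__main__":
    hosts = counted_hosts_routed(SAMPLE_FLOWS, "outside")
    print(sorted((i, str(h)) for i, h in hosts), license_check(hosts, 10))
```
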

So if I understand you correctly, when 11 PCs want to communicate with the Internet, only 10 will access it.

If I put a router behind the ASA, then there will be no problem like this, right?

Hi

As Seb mentioned, it could have 10 concurrent users; please check this link:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/specs.html





If you want to get around it, you will need to make sure the router performs NAT for the inside network. That way the ASA will only see one 'inside' IP address connecting to it.

 

cheers,

Seb.

waltreed
Beginner

Keep in mind that the 5505 is pretty old at this point. It can't keep up with modern Internet circuits. The data sheet says 150M SPI, but I couldn't get it to pass more than about 50M in "real life." The more you ask it to do, the slower it gets. You may want to consider upgrading.
