FPR 2110 slow IPSEC with ASA

kerstin-534
Level 1

Can somebody help me?

We have changed ASA 5512-X to FPR 2110. There is an IPSEC tunnel running on it.

Here is the throughput with ASA5512-X, one parallel flow. This is inbound to ASA5512-X.

Encryption Settings below

Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1

 

Tests below

sh-4.4# iperf3 -c 10.40.0.10
Connecting to host 10.40.0.10, port 5201
[ 5] local 192.168.99.10 port 39686 connected to 10.40.0.10 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 2.15 MBytes 18.0 Mbits/sec 0 110 KBytes
[ 5] 1.00-2.00 sec 17.4 MBytes 146 Mbits/sec 0 899 KBytes
[ 5] 2.00-3.00 sec 71.9 MBytes 603 Mbits/sec 0 2.99 MBytes
[ 5] 3.00-4.00 sec 78.8 MBytes 661 Mbits/sec 12 1.97 MBytes
[ 5] 4.00-5.00 sec 56.2 MBytes 472 Mbits/sec 335 1.52 MBytes
[ 5] 5.00-6.00 sec 66.2 MBytes 556 Mbits/sec 0 1.60 MBytes
[ 5] 6.00-7.00 sec 70.0 MBytes 587 Mbits/sec 0 1.65 MBytes
[ 5] 7.00-8.00 sec 70.0 MBytes 587 Mbits/sec 0 1.69 MBytes
[ 5] 8.00-9.00 sec 71.2 MBytes 598 Mbits/sec 0 1.72 MBytes
[ 5] 9.00-10.00 sec 68.8 MBytes 577 Mbits/sec 0 1.73 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 573 MBytes 480 Mbits/sec 347 sender
[ 5] 0.00-10.00 sec 571 MBytes 479 Mbits/sec receiver

 

The same test is performed to FPR2110 (appliance mode) with extremely slow performance

sh-4.4# iperf3 -c 10.40.0.10
Connecting to host 10.40.0.10, port 5201
[ 5] local 192.168.99.10 port 39934 connected to 10.40.0.10 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 1.89 MBytes 15.9 Mbits/sec 0 98.9 KBytes
[ 5] 1.00-2.00 sec 9.15 MBytes 76.7 Mbits/sec 0 521 KBytes
[ 5] 2.00-3.00 sec 15.8 MBytes 133 Mbits/sec 137 546 KBytes
[ 5] 3.00-4.00 sec 15.1 MBytes 126 Mbits/sec 0 656 KBytes
[ 5] 4.00-5.00 sec 14.2 MBytes 119 Mbits/sec 9 512 KBytes
[ 5] 5.00-6.00 sec 14.0 MBytes 117 Mbits/sec 0 548 KBytes
[ 5] 6.00-7.00 sec 13.1 MBytes 110 Mbits/sec 0 570 KBytes
[ 5] 7.00-8.00 sec 14.6 MBytes 122 Mbits/sec 0 584 KBytes
[ 5] 8.00-9.00 sec 14.9 MBytes 125 Mbits/sec 0 589 KBytes
[ 5] 9.00-10.00 sec 15.1 MBytes 127 Mbits/sec 0 589 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 128 MBytes 107 Mbits/sec 146 sender
[ 5] 0.00-10.00 sec 125 MBytes 105 Mbits/sec receiver

If FPR2110 is configured with Platform Mode, the same test decreases to 80Mbit (instead of 750Mbit of ASA5512-X)

What is going wrong with Firepower 2110 DECRYPTION?

 

4 Replies

marce1000
VIP

 

FYI: https://bst.cisco.com/bugsearch/bug/CSCvp25274

M.




One IPERF3 stream has 25Mbit decryption, 25 IPERF3 streams have 80Mbit decryption in Appliance Mode. Nothing wrong with hardware or software, I can reproduce it with different software versions, both on different boxes. ASA 5512-X has 750Mbit with one IPERF3 stream. So what is going wrong with this virtualized Firewall solution?

Reduce the MTU on the interface and try the test again.

No fragments on interface visible.