[c-nsp] ASA real world throughput
Adrian Minta
adrian.minta at gmail.com
Sat Aug 22 07:41:38 EDT 2009
vince anton wrote:
> Hi All,
>
> I'm looking at deploying an ASA cluster and scratching my head in terms of
> throughputs.
>
> The data sheet for the 5520 says 450Mbps clear text and 250Mbps encrypted
> (VPN)
> and for the 5500 it's 1.2Gbps clear text and 450Mbps encrypted.
>
> What's the rule of thumb for ASA boxes to get real values from the data sheet
> values?
>
On two ASA 5520 firewalls we see errors on interfaces when traffic gets
near 70Mbps, probably caused by traffic burst. The boxes are used only
for port blocking. No VPN or deep packet inspection, not even for NAT,
so I don't know anything about VPN performance for 5520, or about deep
packet inspection performance either.

Somewhere on the net somebody stated that this is caused by a problematic
hardware design: all four interfaces share the same interrupt. I
guess this is why Cisco suggested for ASA5550 to use one of the onboard
interfaces for input and one of the extension interfaces for output:
http://tinyurl.com/mxyj63

FW# sh int gi 0/1
Interface GigabitEthernet0/1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Available but not configured via nameif
        MAC address 001b.d5e8.d9d5, MTU not set
        IP address unassigned
        10920305967 packets input, 8396998405240 bytes, 0 no buffer
        Received 15584 broadcasts, 0 runts, 0 giants
        148151 input errors, 0 CRC, 0 frame, 148151 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        11677898365 packets output, 11268008541750 bytes, 288217 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (curr/max packets): hardware (0/33) software (0/0)
        output queue (curr/max packets): hardware (0/255) software (0/0)
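
The counters in the output above are cumulative, so overruns and underruns are easier to judge as a rate per packet, ideally over the interval between two snapshots. The following is an added example, not part of the original post: it parses the counter lines quoted above and computes drops per million packets and mean packet size. The key names and the `delta` and `summarize` helpers are this example's own.

```python
import re

# Counter lines copied from the `sh int gi 0/1` output in the post above.
SAMPLE = """\
10920305967 packets input, 8396998405240 bytes, 0 no buffer
148151 input errors, 0 CRC, 0 frame, 148151 overrun, 0 ignored, 0 abort
11677898365 packets output, 11268008541750 bytes, 288217 underruns
"""

# Key names are this example's own; the patterns match the wording in the output.
PATTERNS = {
    "pkts_in": r"(\d+) packets input",
    "bytes_in": r"packets input, (\d+) bytes",
    "overrun": r"(\d+) overrun",
    "pkts_out": r"(\d+) packets output",
    "bytes_out": r"packets output, (\d+) bytes",
    "underrun": r"(\d+) underruns",
}

def parse_counters(text):
    """Extract the cumulative counters; a counter missing from the text is omitted."""
    found = {}
    for key, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        if m:
            found[key] = int(m.group(1))
    return found

def delta(old, new):
    """Counters accumulated between two snapshots (they only grow until cleared).
    If any counter went backwards the counters were reset, so use `new` as is."""
    keys = old.keys() & new.keys()
    if any(new[k] < old[k] for k in keys):
        return dict(new)
    return {k: new[k] - old[k] for k in keys}

def summarize(c):
    """Drops per million packets and mean packet size, None where undefined."""
    def ratio(num, den, scale=1.0):
        if num not in c or not c.get(den):
            return None
        return round(scale * c[num] / c[den], 2)
    return {
        "overrun_ppm": ratio("overrun", "pkts_in", 1e6),
        "underrun_ppm": ratio("underrun", "pkts_out", 1e6),
        "avg_in_bytes": ratio("bytes_in", "pkts_in"),
        "avg_out_bytes": ratio("bytes_out", "pkts_out"),
    }

if __name__ == "__main__":
    print(summarize(parse_counters(SAMPLE)))
```

Feeding `delta()` two snapshots taken a known time apart gives the drop rate for that interval instead of the average since the counters were last cleared.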