Throughput across ASA

Hi experts,
I have a couple of questions on the ASA firewall performance parameters.
a) There are some statistics mentioned below (highlighted in red) from the output of "show interface". Can you please let me know what exactly they mean and whether they have anything to do with performance degradation? Sometimes I see 255 and sometimes 0 in the brackets; what is the meaning of that?
        input queue (curr/max packets): hardware (4/13) software (0/0)
        output queue (curr/max packets): hardware (0/2) software (0/0)
b) A snippet of "show traffic":
------------------ show traffic ------------------
outside:
        received (in 399900.042 secs):
                52447779340 packets     15890851465604 bytes
                131001 pkts/sec 39737005 bytes/sec
        transmitted (in 399900.042 secs):
                65563685590 packets     65534384569419 bytes
                163005 pkts/sec 163876000 bytes/sec
      1 minute input rate 6940 pkts/sec,  1808346 bytes/sec
      1 minute output rate 9437 pkts/sec,  10312871 bytes/sec
      1 minute drop rate, 34 pkts/sec
      5 minute input rate 6455 pkts/sec,  1635870 bytes/sec
      5 minute output rate 8578 pkts/sec,  9230665 bytes/sec
      5 minute drop rate, 32 pkts/sec
inside:
        received (in 399900.032 secs):
                71479465229 packets     67398228971523 bytes
                178002 pkts/sec 168537006 bytes/sec
        transmitted (in 399900.032 secs):
                70735709822 packets     25274565069488 bytes
                176002 pkts/sec 63202004 bytes/sec
      1 minute input rate 11815 pkts/sec,  12005507 bytes/sec
      1 minute output rate 9794 pkts/sec,  2774491 bytes/sec
      1 minute drop rate, 14 pkts/sec
      5 minute input rate 10206 pkts/sec,  9952420 bytes/sec
      5 minute output rate 8753 pkts/sec,  2568203 bytes/sec
      5 minute drop rate, 14 pkts/sec
What's the difference between the above and the below?
Aggregated Traffic on Physical Interface
GigabitEthernet0/0:
        received (in 945515.992 secs):
                138576555672 packets    44491901654282 bytes
                146003 pkts/sec 47055002 bytes/sec
        transmitted (in 945515.992 secs):
                177437847061 packets    187740725861881 bytes
                187003 pkts/sec 198559003 bytes/sec
      1 minute input rate 6940 pkts/sec,  1949495 bytes/sec
      1 minute output rate 9437 pkts/sec,  10486905 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 6455 pkts/sec,  1765085 bytes/sec
      5 minute output rate 8578 pkts/sec,  9388424 bytes/sec
      5 minute drop rate, 0 pkts/sec
GigabitEthernet0/1:
        received (in 945516.012 secs):
                197244220234 packets    195418264105665 bytes
                208001 pkts/sec 206678004 bytes/sec
        transmitted (in 945516.012 secs):
                185979557085 packets    70894303143811 bytes
                196001 pkts/sec 74979002 bytes/sec
      1 minute input rate 11815 pkts/sec,  12223190 bytes/sec
      1 minute output rate 9794 pkts/sec,  2966949 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 10206 pkts/sec,  10140298 bytes/sec
      5 minute output rate 8753 pkts/sec,  2739954 bytes/sec
      5 minute drop rate, 0 pkts/sec
a) While calculating the throughput to see if the traffic is exceeding or coming close to what is mentioned in the datasheet, do I need to take the 5 minute input rate or the 1 minute input rate into consideration?
b) As mentioned in the document below, we need to take "Aggregated Traffic on Physical Interface" into consideration. Is there any reason for that?
https://supportforums.cisco.com/docs/DOC-12439
c) As packets per second play an important role while calculating throughput, how do we know what the size of a packet is? I mean, I think what we calculate is the average packet size, as we cannot differentiate among packets when they hit the interface because we do not know which flow they belong to. Is my understanding right?
e.g. if there are 6000 pps on an interface at that instant, it might happen that out of these 1000 are large packets and 5000 are small packets (say 64 bytes).
Jayesh

Hello Jayesh and Kureli,
A long time ago I had a case where the customer was having some performance issues and we came to the conclusion that the ASA was being oversubscribed.
To answer the second part of your questions (b):
A and b) I calculated the throughput of the security appliance by taking the bytes/second transmitted and received on the Aggregated Traffic on Physical Interface.
For example in your case would be like this:
GigabitEthernet0/0: 47055002 bytes/sec + 198559003 bytes/sec = 245614005 bytes/second
GigabitEthernet0/1: 206678004 bytes/sec + 74979002 bytes/sec = 281657006 bytes/second
Both of them: 527271011 bytes/second
Then you will need to convert that to Mbps; for that you will need to divide it by 1024 to get the kbps and then divide the result by 1024 again to get the Mbps. In your case it would be: 502.8444 Mbps
C) The ASA will see all the packets the same way (regardless of the size), so you just have to do the calculation with the amount of packets received and transmitted on the Aggregated Traffic on Physical Interface.
Hope this helps you
Please rate helpful posts.
Julio!!
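The script below is an added example (not code from this thread or from Cisco) that automates the calculation discussed in the reply above, applied to the "Aggregated Traffic on Physical Interface" block quoted in the question; the same functions serve the interface-rate table in the "Cisco ASA throughput calculation" message further down this page. It reads only the physical-interface section, so the logical (nameif) counters, which in the question's output show the same pkts/sec as the physical port they sit on, are not counted a second time; it sums input and output bytes/sec over all physical interfaces for the 1-minute and 5-minute windows; it converts to decimal megabits per second (bytes x 8 / 1,000,000), which is this example's own choice because datasheet throughput is quoted in Mbps; and it derives the mean frame size as bytes/sec divided by pkts/sec, which is all that `show traffic` lets you recover about packet size. The sample text is constructed from the figures in the post (the lifetime counters for GigabitEthernet0/1 are trimmed), and the 650 Mbps passed to `utilisation()` is a placeholder datasheet figure, not a claim about this device.

```python
import re

# Constructed sample: "show traffic" figures quoted in the question above,
# pasted as test input (one logical interface, then the physical block).
SAMPLE = """\
outside:
      1 minute input rate 6940 pkts/sec,  1808346 bytes/sec
      1 minute output rate 9437 pkts/sec,  10312871 bytes/sec
      1 minute drop rate, 34 pkts/sec
Aggregated Traffic on Physical Interface
GigabitEthernet0/0:
        received (in 945515.992 secs):
                138576555672 packets    44491901654282 bytes
                146003 pkts/sec 47055002 bytes/sec
        transmitted (in 945515.992 secs):
                177437847061 packets    187740725861881 bytes
                187003 pkts/sec 198559003 bytes/sec
      1 minute input rate 6940 pkts/sec,  1949495 bytes/sec
      1 minute output rate 9437 pkts/sec,  10486905 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 6455 pkts/sec,  1765085 bytes/sec
      5 minute output rate 8578 pkts/sec,  9388424 bytes/sec
      5 minute drop rate, 0 pkts/sec
GigabitEthernet0/1:
      1 minute input rate 11815 pkts/sec,  12223190 bytes/sec
      1 minute output rate 9794 pkts/sec,  2966949 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 10206 pkts/sec,  10140298 bytes/sec
      5 minute output rate 8753 pkts/sec,  2739954 bytes/sec
      5 minute drop rate, 0 pkts/sec
"""

PHYS_HEADER = "Aggregated Traffic on Physical Interface"
IFACE_RE = re.compile(r"^(\S+):\s*$")                      # "GigabitEthernet0/0:"
RATE_RE = re.compile(r"^\s*(\d) minute (input|output) rate (\d+) pkts/sec,\s+(\d+) bytes/sec")
DROP_RE = re.compile(r"^\s*(\d) minute drop rate, (\d+) pkts/sec")


def parse_show_traffic(text, physical_only=True):
    """Return {iface: {"1": {...}, "5": {...}}} with per-window
    "input"/"output" -> (pkts/sec, bytes/sec) and "drop" -> pkts/sec.
    With physical_only=True only the text after PHYS_HEADER is read."""
    if physical_only and PHYS_HEADER in text:
        text = text.split(PHYS_HEADER, 1)[1]
    rates, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            rates[iface] = {"1": {}, "5": {}}
            continue
        if iface is None:
            continue
        m = RATE_RE.match(line)
        if m:
            window, direction, pps, bps = m.groups()
            rates[iface][window][direction] = (int(pps), int(bps))
            continue
        m = DROP_RE.match(line)
        if m:
            window, pps = m.groups()
            rates[iface][window]["drop"] = int(pps)
    return rates


def aggregate_mbps(rates, window="1"):
    """Input + output bytes/sec over every parsed interface, as decimal Mbps."""
    total_bps = sum(r[window].get(d, (0, 0))[1]
                    for r in rates.values() for d in ("input", "output"))
    return total_bps * 8 / 1_000_000   # bytes -> bits, then to megabits


def avg_packet_size(rates, iface, window="1", direction="input"):
    """Mean frame size in bytes for one interface/direction: bytes/sec over pkts/sec."""
    pps, bps = rates[iface][window][direction]
    return bps / pps if pps else 0.0


def drop_pps(rates, window="1"):
    """Total reported drop rate (pkts/sec) across the parsed interfaces."""
    return sum(r[window].get("drop", 0) for r in rates.values())


def utilisation(rates, datasheet_mbps, window="1"):
    """Fraction of a (placeholder) datasheet figure in use over the given window."""
    return aggregate_mbps(rates, window) / datasheet_mbps


if __name__ == "__main__":
    phys = parse_show_traffic(SAMPLE)
    for w in ("1", "5"):
        print(f"{w}-minute aggregate: {aggregate_mbps(phys, w):.1f} Mbps "
              f"({utilisation(phys, 650, w):.0%} of a 650 Mbps placeholder)")
    print(f"Gi0/0 mean inbound frame: {avg_packet_size(phys, 'GigabitEthernet0/0'):.0f} bytes")
    print(f"drops reported on logical interfaces: "
          f"{drop_pps(parse_show_traffic(SAMPLE, physical_only=False))} pkts/sec")
```

Note that in the question's output the 34 pkts/sec drop rate is reported on the logical "outside" interface while the physical block shows 0 drops, so when the concern is drops rather than bandwidth, parse with `physical_only=False`; the 1-minute window reacts to bursts faster than the 5-minute one, so the two aggregates bracket the load rather than one of them being "the" throughput.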

Similar Messages

  • Remote DNS server across ASA

    Hi guys,
    i am hoping if anyone can reply to my query below.
    We have got a new batch of servers and they reside on a separate VLAN 192.168.45.x 255.255.255.0
    Those servers are required to be registered on the DNS server located on the remote site (SITE 2). Please refer to the attached diagram. We also have a DNS server in our LAN but these new servers will need to be in the domain in SITE 2.
    Can anyone advise if I need anything else other than the following ACLs in the ASA firewall?
    Access-list inside extended permit udp 192.168.45.0 255.255.255.0 host 10.10.100.150 eq 53
    Access-list inside extended permit tcp 192.168.45.0 255.255.255.0 host 10.10.100.150 eq 53
    Thanks
    jay

    The ACL entries above will allow DNS queries across the provider link from your local site. We are assuming matching entries allow the communications on the remote end and that routing etc. is all in place.
    You asked however about needing to be "registered" on the DNS server and in the domain. Also your diagram mentions the server is a DHCP server and you show it configured with the helper-address in your local core switch. DHCP uses TCP ports 67 and 68. When you say domain, if you are talking about a Windows domain, that is another set of ports.

  • Waas across asa vpn

    Trying to run WAAS inline across a VPN. I can see connections made to the control point but that's it. Do I need the inspect waas?

    you will need inspect waas. WAAS uses tcp option 21 for the auto discovery function. The ASA will remove these values by default. Inspect WAAS will allow the TCP Options to remain.
    HTH,
    Dan Laden

  • Passing GRE traffic across ASA

    Hi,
    I have an environment where I need to pass GRE traffic between two routers; the ASA-5510 is in between them.
    Your help is appreciated. Sending a URL for similar setup, is great.
    Sami

    Hi,
    Have you tried adding a static NAT for the router's external interface which is located behind the inside interface of the ASA ?
    Example .. let's say the router which is behind the inside (higher priority) interface of the ASA is 10.10.10.10 then you could add a static as below
    static (inside,outside) 10.10.10.10 10.10.10.10 mask 255.255.255.255
    Note: the above assumes that the second router is behind the outside interface (lower priority) of the ASA and that the second router knows how to reach 10.10.10.10. Obviously 10.10.10.10 should also know how to get to the second router.
    next you will need to allow GRE on both interfaces.
    access-list inside-out permit GRE host 10.10.10.10 host
    access-list outside-in permit GRE host host 10.10.10.10
    access-group inside-out in interface inside
    access-group outside-in in interface outside
    Give it a try ..
    I hope it helps .. please rate it if it does !!!

  • Cisco ASA throughput calculation

    I have one doubt: do I have to clear the interface statistics ("clear traffic") and then take the output of "show traffic", or is it to be taken without clearing the traffic?
    The chart below displays the throughput calculated without clearing the traffic rates (clear interfaces).
    And this shows that the ASA 5540 supports up to 650 Mbps.
    As per the calculation, the 1 min average is 930 Mbps and the 5 min average is 765 Mbps, all calculated in bits per second.
    Please confirm on this.
    Interface                          1 min rate       5 min rate
    GigabitEthernet0/0 input rate        58185440         47736515
    GigabitEthernet0/0 output rate        3197278          2663940
    GigabitEthernet0/1 input rate         1728440          1430846
    GigabitEthernet0/1 output rate       56629199         46081438
    GigabitEthernet0/2 input rate          737171           727164
    GigabitEthernet0/2 output rate        1239878          1421490
    GigabitEthernet0/3 input rate          146469           115973
    GigabitEthernet0/3 output rate         147639           124430
    Total in bytes                      122011514        100301796
    in MB                             116.3592472      95.65524673
    in Mbps                           930.8739777      765.2419739
    ASA 5540 supports                 Up to 650 Mbps

    I got your point.
    But kindly look into the below threads as well.
    https://supportforums.cisco.com/discussion/11359916/throughput-across-asa
    Assume firewall has 3 interfaces. So according to you, it must be either the sum of all inbound traffic (1 minute interval) or the sum of all outbound traffic (1 minute interval), or the biggest of inbound or outbound.
    I think this should be the one best practice to calculate the current throughput of the ASA firewall or any other device.
    Please correct me if I am wrong.

  • 1400 Bridge - Validating Throughput

    Hello,
    Excuse the newbie question, but I am trying to validate the throughput between a pair of Aironet 1410's. Would using the command:
    dot11 dot11radio 0 linktest rate 54 packet-size 1400 count 1500 target <mac address of other end of bridge>
    Work for determining throughput, or is that only validating that the packet is transmitted at 54Mbps? If this doesn't tell me throughput, is there a generally accepted method of determining throughput across a bridge?
    Thanks,
    Kevin

    You can use a tool called iperf or use Qcheck to test for throughput.

  • Is it possible that 2 separate computers working on one project?

    Hi,
    I have the problem that 2 people must be able to work on the same project:
    (not necessary at the same time)
    1. Person does all the image adjustments (which is me the photographer)
    2. Person does all the metadata.
    The project is installed on my computer, Aperture is installed of both computers.
    So,
    Can 2 computers work on one Project?
    (we are connected in a network via Ethernet)
    Or how could this situation work?
    AP would save us a lot exporting and importing (where we usual loose the iptc data along the road) if this is possible.
    thanks for your help...

    There was an earlier (much earlier) post regarding this same topic when Aperture first came out. If memory serves me, the answer to your question is 'no', but that answer was for not being able to have two people working on the same project library at the same time. However, if you can place the library file on a drive that has enough throughput across a network, then I don't see why you wouldn't be able to do what you want as long as only one person accesses the library at a time.
    However, performance is going to be your biggest issue.
    Jeff Weinberg

  • QoS Override Per-SSID Bandwith question

    Hi all,
    on a WLAN there is the possibility to override the QoS Bandwidth settings.
    I try to get some more information about these settings, I want to understand this. As well a customer wants to limit user data.
    My question is: This override Per-SSID, are these settings on a AP basis or on the global controller basis?
    The next question resulting out this will then be what if the AP is set to flex-connect with local VLAN traffic, what then?
    Is there a good documentation on this?
    Thanks.

    This section describes BDRL of the 7.3 release. In releases 7.2 and earlier, there is only the ability to limit the downstream throughput across an SSID and per user on the Global interface. With this new feature in the 7.3 release, rate limits can be defined on both upstream and downstream traffic, as well as on a per WLAN basis. These rate limits are individually configured. The rate limits can be configured on WLAN directly instead of QoS profiles, which will override profile values.
    This new feature adds the ability to define throughput limits for users on their wireless networks with a higher granularity. This ability allows setting a priority service to a particular set of clients. A potential use case for this is in hotspot situations (coffee shops, airports, etc) where a company can offer a free low-throughput service to everyone, and charge users for a high-throughput service.
    Note: The enforcement of the rate limits are done on both the controller and AP.
    Rate limiting is supported for APs in Local and FlexConnect mode (both Central and Local switching).
    When the controller is connected and central switching is used the controller will handle the downstream enforcement of per-client rate limit only.
    The AP will always handle the enforcement of the upstream traffic and per-SSID rate limit for downstream traffic.
    For the locally switched environment, both upstream and downstream rate limits will be enforced on the AP. The enforcement on the AP will take place in the dot11 driver. This is where the current classification exists.
    In both directions, per-client rate limit is applied/checked first and per-SSID rate limit is applied/checked second.
    The WLAN rate limiting will always supersede the Global QoS setting for WLAN and user.
    Rate limiting only works for TCP and UDP traffic. Other types of traffic (IPSec, GRE, ICMP, CAPWAP, etc) cannot be limited.
    Only policing is implemented in the 7.3 releases.
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113682-bdr-limit-guide-00.html

  • Slow SFTP throughput when passed through ASA 55xx

    I have an interesting scenario. I have set up two test boxes for SFTP. One is in a DMZ behind an ASA interface, and the other is on our external switch. If I send a file to the one on the external switch, I get 40 Mbps on a transfer from a remote location. When I try the same transfer but using a machine in the same DMZ, I get 100 Mbps while connected to a FastEthernet switchport. When I try the same transfer from the remote location previously mentioned, to the same server even, but using SFTP, my throughput goes down to 670 KB/s. I get that same low speed even on the machine on the external switch to the DMZ. It should be much faster since there is no latency involved. It just goes to the switch, to the ASA interface, to the SFTP server. I even tried this across two different ASAs, same result. One was a 5505, the other a 5520.
    So, it seems the only limiting factor here is the ASA.  Does anyone have any observations or suggestions that might help?
    Thanks!

    Sorry, I should have been more clear. The throughput is only reduced when the ASA is in the picture and SFTP is used. I can FTP to the same server, same application, just different protocol, and get full throughput. As soon as I select SFTP instead of FTP, the throughput drops dramatically.
    I know it is not the over head on the server, because I tested an SFTP transfer from a client machine on the same LAN, and got full throughput. It is only when going through the ASA that the SFTP throughput drops by a factor of 7

  • ASA 5540 _ I want to ping across inside to outside for testing

    ASA 5540 8.2 (5)
    I have tried many combinations of command line syntax suggested in this forum but none are providing success so far.
    I want to ping from the Inside Interface across to the Outside Interface and visa versa.
    I have tried various ACLs as well as "inspect icmp" in the config, etc still no go.
    I can ping each interface from the console command line but cannot ping across each interface.
    Is this even possible ?
    I am open to suggestions.
    thanks
    Troy
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 10.10.10.10 255.255.255.0
    ASA-5540-LAB#
    ASA-5540-LAB# ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ASA-5540-LAB# ping 10.10.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ASA-5540-LAB# ping inside 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    ASA-5540-LAB# ping outside 10.10.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    ASA-5540-LAB#

    Hi Troy,
    Remember that the ASA is a security device, so by design it doesn't support what you are trying to accomplish.
    "For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network."
    http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1059645
    Even if you are trying to ping from the ASA since I see you are trying to do a "source" ping. The source of the packet will be an internal IP address going to the outside IP.
    Luis Silva

  • How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?

    Hello there!
    I've been designing a solution to protect the Server Farm and I intend to use the ASA 5500 series with the AIP-SSM module. Is there any tool to determine the real throughput that I need? I mean, how do I determine the performance (Firewall + IPS throughput), and what main points should I consider?

    If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
    Do not average your traffic over too great a time period, or you will miss busy hour peaks. At most, use 5 min averages.
    - Bob

  • What to expect when ASA AIP SSM reaches maximum throughput?

    Hi,
    I'm just curious what happens to traffic when you have an IPS module in an ASA and it reaches the maximum throughput?
    Does it allow the traffic & only inspects what it can handle? Or does it "fail" and then either allows all the traffic or block based on "fail-open" or "fail-close" configuration?
    Thanks,
    Brad

    When the sensor (SSM or any other sensor) is oversubscribed and the sensor is monitoring Inline, then a portion of the traffic will be Dropped.
    The traffic will not be allowed through if it has not been inspected.
    The "fail-open", "fail-close", and "bypass" are not relevant when talking about over subscription.
    The only time the "fail-open", "fail-close", or "bypass" configurations comes into play is if the sensor can not do ANY analysis (either a failure, or an upgrade in progress).

  • ASA THROUGHPUT

    Hi,
    On the data sheets it states that the throughput for a 5515-X is 1.2Gbps, does this mean the total throughput through the firewall or does this mean 1.2Gbps in both directions at the same time.
    I need to purchase a firewall for a 1Gbps line.
    Example:
    Server1------1Gbps-----ASA----1Gbps----Server2
    If both servers are transmitting and receiving at the same time does this mean I will be able to get 1Gbps in both directions at the same time or just 600Mbps. I know depending on traffic type the speed will vary, but look at this as the theoretical maximum.
    Thanks
    George 

    Hi,
    I don't think the 5525 would be any use, the multiprotocol throughput speed is only 1Gbps, this would mean if I am sending 1Gbps in both directions then the ASA wouldn't be able to handle it?
                                                                                             1Gbps--->
    Cloud ServerFarm----SP_Router-----1G VLAN Trunk-----ASA55xx------ServerFarm, Users
                                                                                             <---1Gbps
    Doesn't the throughput figure mean total traffic going through the firewall from all the interfaces?
    Regards
    George

  • Difference between ASA-SM1 and FWSM.What is the throughput of each of them?

    Can anyone tell me what the difference is between ASA-SM1 and FWSM,
    and what is the throughput of each of them?
    Thanks in advance
    Khem

    The FWSM is end of sale. It has been replaced by the ASA-SM1.
    See the following link for details of the performance differences between the two devices:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
    Don't forget to rate all posts that are helpful.

  • Transfer files between ASA and a host across a VPN

    Hello Guys,
    I have a Remote Access VPN between an ASA and a Windows PC, the issue that I'm seeing is that I can't transfer files between the ASA and my PC across the VPN.
    At first I thought that the size of the file and some issue with my ADSL service bandwidth could be the problem. However, I tried to copy the running config of the ASA to my PC and that is also impossible. I received this error:
    ASA# copy running-config tftp:
    Source filename [running-config]?
    Address or name of remote host []? 10.10.10.2   ----> This is the address of my PC over the VPN tunnel
    Destination filename [running-config]? ASA-Config04032014
    Cryptochecksum: f5a9f8cb 9f63b2e5 e8c99e36 9498cb50
    %Error writing tftp://10.10.10.2/ASA-Config04032014 (Timed out attempting to connect)
    Has anybody had this kind of problem before?
    Thanks in advance,

    I was wondering if I transfer files between a PC and Mac via Ethernet cable can I reverse the transfer from a Mac to a Pc?
    Yes. Start Windows File Sharing on the Mac and then access it on the PC.
