cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1688
Views
0
Helpful
5
Replies

Determine if ASA resources are maxed out....

will
Level 3
Level 3

Cisco famously quotes max firewall throughput specs on all ASA models, but how do you tell if your firewall is reaching this maximum throughput?

For example, there is a 300Mbps max throughput number on the asa 5510 in the spec sheet. How do I know if firewall resources are nearing max capacity? Will CPU go first? Is internal data plane limited in code somewhere?

There is an interface called Internal-Data0/0. If I watch this utilization, will it show me what I want?

5 Replies 5

JORGE RODRIGUEZ
Level 10
Level 10

You can first start gathering information of your firewall  and create sort of a baseline  to compare and learn what type of traffic traverses firewall   ,    there are ways you can gather firewall performance info  through snmp and snmp/traps polling  tools to  give you clear picture of your firewall health during the course of X amount of time.

I would first look into implemeting some monitoring tools ,

http://www.cisco.com/en/US/partner/docs/security/asa/asa72/configuration/guide/monitor.html#wp1042019

Firewall performance/resources depends on may factors, for example  types of encryptopm methods used in Ipsec and numbers of tunnels and traffic traversing the tunnels will also put load on the firewalls possibly degrading performance if firewall type is not meant to  cope with that load, you can collect all this information using snmp monitoring tools to capture  all angles of the firewall performance .

You can  also retreave  real time  performance information from command line,  start with this link bellow .

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

There are other tools you can use  like netflow introduced in code 8.2,  again these are simply tools to use and gather information to look at and determined the health of firewall performance and its resources .

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/netflow/netflow.html#wp1028493

HTH

Regards

Jorge Rodriguez

Hey HTH, thx for reply, i guess that is a little vague, but my questions was a little vague. I want to specifically know how Cisco gets the maximum throughput number. Is there some sort of code-based throttle built-in? If it is just based on some likely real-world test, then what are the test parameters? I was also wondering what this internal "network" interfaces really are and is it worthwhile to watch them. The specific ASA in question doesn't have an interface or CPU bottleneck, but the Internal-Data0/0 interface is running pretty high in utilization. So I was wondering what that is?

thx,

Will

Hi Will, 

In short to answer your question  I have not come accross a link  here detailing  what Cisco used to measure their  Firewalls  performance throughput reports , I'll let that part  of your question  to someone else who may have a link  answer .  There may be however more than one  third party  companies out there  that  have conducted  benchmark reports for  a variety of firewall vendors..  for example http://www.miercom.com/?url=reports/&v=16&tf=0&st=v      provides  benchmark test with details on what they used for the test  on ASA5580 model  .

As for your other question about the interface

"I was also wondering what this internal "network" interfaces really are and is it worthwhile to watch them. The specific ASA in question doesn't have an interface or CPU bottleneck, but the Internal-Data0/0 interface is running pretty high in utilization. So I was wondering what that is?"

Where are you seeing this?  can you post  or attached a screen shot of this .

Like I said before ,  to spod an issue on the firewall  as you said interface or CPU issues you have the look at the firewall as a whole ,  did you bother to look at the link provided ?  here is the link again,  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

Regards

Jorge

BTW  HTH means ( Hope to help , or Hope this helps )

Jorge Rodriguez

Jorge, I am using a graphing utility, which scans some preset SNMP OIDS to determine what are all the ASA interfaces. It pick up two interfaces, which are not normally exposed when you do "sh int" for example.

Internal-Data0/0 | Ip: | Eth: 00-00-00-01-00-02

Virtual254'-interface' | Ip: | Eth: 00-00-00-00-00-00

So I do not know what these are, only that Cisco has then embedded into the OS, and they are useful for something. I am almost thinking that Data0/0 is the backplane of the 4 port Ethernet module in the ASA. It seems like its aggregating everything into that variable, WRT to speeds.

The internal Data interfaces are the backplane interfaces of the ASA. You should view them as the interfaces that pass data internally for processing. Practically they will aggregate traffic.

Now as for the test, there are various tests that are run. The name values are run using very few UDP connection with 1500byte packets. But the "real-world" numbers in the specs that are a little lower are with regular http and "everyday traffic" benchmarks with smaller packets.

I hope it helps a little bit.

PK

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: