ASA 5520 not passing full interface rate traffic, or anywhere near
I have an issue where our ASA 5520 is impacting upload (from LAN to internet) speed.
We have a 100Mbps SDSL internet link and only see around 45-50 Mbps on the upload when going via the firewall, download is around 90+ Mbps so that is acceptable.
I have tested a laptop connected directly to the internet router and that give near on the 100Mbps up and down speeds, but if I put that laptop on the LAN or directly onto the firewall interface I only see 90Mbps down and 45Mbps up.
I have check that the interface speeds/duplex on the firewall, switch and laptop are correct and also checked there are no errors on the ports.
I also turned off the IPS and that made no difference.
In addition I have checked the CPU during download/upload (max):
CPU utilization for 5 seconds = 9%; 1 minute: 3%; 5 minutes: 1%
In theory the 5520 should be able to cope with this throughput:
Cisco ASA 5500 Series Model/License: 5520
Maximum firewall throughput (Mbps): 450 Mbps
Maximum firewall connections: 280,000
Maximum firewall: 12,000
Packets per second (64 byte): 320,000
Can any explain why this is the case?
I cannot see a physical issue, so it seems as though there is a config issue. I haven't changed any system parameters that would effect this, so d I need to tune the ASA?
Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz Internal ATA Compact Flash, 256MB
IPS Module ASA-SSM-20 (Ver 7.0(4)E4)
I have a variety of services running on/through this firewall:
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :