
Performance of ASA

Hi Team,

We have upgraded the ASA code from 8.X to 9.X. After this, I cleared the nonat & policy ACLs which were enabled in the old code; nearly 6000 unwanted lines have been cleared from the ASA. What would be the benefit of this? Is there any command where I can see the benefit of removing these stale entries?

1 Reply

You could check the CPU and memory usage if you remember what they were previously. Basically, interface ACLs are checked top to bottom until a match is found. Even remarks which you enter to describe an ACL are checked. The more ACL entries (ACEs) the ASA needs to check for a match, the more CPU and memory need to be allocated to this action. Also, if you have logging enabled for the ACEs, then that will also require a small amount of CPU, but multiply that by 6000 and the small amount becomes a big amount.

The same applies to policy NAT. The ACEs are checked top to bottom for a match. So you should see some improvement in the ASA performance.

show cpu

show cpu detail

show memory

show memory detail

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
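
One way to make the before/after comparison suggested in the reply, as an added example that is not part of the original thread: it parses saved text captures of `show cpu` and `show memory` and reports the change. The sample captures are constructed, the line formats are assumed to match what the ASA prints, and the names `parse_snapshot` and `compare` are hypothetical.

```python
import re

# Constructed sample captures (not from the thread). Line formats are an
# assumption about what `show cpu` and `show memory` print on the ASA.
BEFORE = """\
CPU utilization for 5 seconds = 34%; 1 minute: 31%; 5 minutes: 29%
Free memory:        268435456 bytes (25%)
Used memory:        805306368 bytes (75%)
-------------     ----------------
Total memory:      1073741824 bytes (100%)
"""
AFTER = """\
CPU utilization for 5 seconds = 21%; 1 minute: 19%; 5 minutes: 18%
Free memory:        402653184 bytes (38%)
Used memory:        671088640 bytes (62%)
-------------     ----------------
Total memory:      1073741824 bytes (100%)
"""

CPU_RE = re.compile(
    r"CPU utilization for 5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%"
)
MEM_RE = re.compile(r"^\s*(Free|Used|Total) memory:\s+(\d+) bytes", re.M)


def parse_snapshot(text):
    """Extract CPU averages and memory usage from one saved capture."""
    cpu = CPU_RE.search(text)
    mem = {name.lower(): int(val) for name, val in MEM_RE.findall(text)}
    if cpu is None or not {"used", "total"} <= mem.keys() or mem["total"] == 0:
        raise ValueError("capture is missing show cpu or show memory output")
    return {
        "cpu_5s": int(cpu.group(1)),
        "cpu_1m": int(cpu.group(2)),
        "cpu_5m": int(cpu.group(3)),
        "mem_used_bytes": mem["used"],
        # Recompute the percentage from bytes; the printed one is rounded.
        "mem_used_pct": round(100 * mem["used"] / mem["total"], 1),
    }


def compare(before, after):
    """Return after-minus-before for every metric (negative means lower load)."""
    b, a = parse_snapshot(before), parse_snapshot(after)
    return {key: round(a[key] - b[key], 1) for key in b}


if __name__ == "__main__":
    for metric, delta in compare(BEFORE, AFTER).items():
        print(f"{metric:>15}: {delta:+}")
```

Captures taken at comparable traffic levels give a fairer comparison, since CPU load on the ASA also depends on throughput at the moment of the capture.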