We have some ASA 5555-X firewalls running 9.1(2) with the IDS modules installed that have a pretty basic configuration used to separate multiple internal networks. The firewalls are able to pass over a Gbps of traffic pretty easily as long as it's sourced from multiple services, but if we try to do a high-speed transfer such as a backup to SAN running over a single UDP or TCP session, the traffic seems to peg out around 400 Mbps. We can verify that the server and SAN are capable of much higher transfer speeds by putting both on the same side of the firewall, so I'm convinced the firewall itself is the limiting factor here.
I was wondering if anyone has come across this before and/or has any suggestions for how to boost the speed. I am really trying to avoid something like bridging the networks with multiple interfaces or route-exporting VRFs, but our DBAs are complaining nonstop about backup times in those environments. There are no service-policy QoS settings on those interfaces, and they are NAT exempt, so the firewall is not doing anything I would call special.
I have tried disabling the IPS for testing and it didn't make a difference. I have not tried creating a service policy specifically for this traffic and enabling QoS for it. I'm not exactly sure what that would accomplish, since I can get good composite throughput if I'm running multiple backup jobs at the same time; it's only when you try to maximize throughput for a single job, such as a large database backup, that we run into this bottleneck. I didn't think the ASA could do per-session QoS or rate limiting.
At this point it would be good if you did some captures on both interfaces of the ASA in the path for this traffic and then looked at the round-trip time, just to make sure the ASA is the one generating the slowness on the network.
And agreed, the ASA can do QoS for specific traffic (that is, for all the traffic you define, not just for a single session).
Can you share the output of the following commands:
show interface | include errors
show cpu usage
I could start providing you commands, but I think it's better to give you the link:
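The capture-based check suggested above, worked through as an added example that is not from the original thread or any Cisco tool. It takes two packet lists standing in for captures taken on the inside and outside interfaces of the ASA, pairs segments by TCP sequence number to measure how long the firewall held each packet and which ones it dropped, and computes the throughput ceiling a single TCP session can reach from the round-trip time and the receiver's advertised window. The capture records are constructed sample data, and the 64 KB window and 1.3 ms RTT are illustrative assumptions, not measurements from the poster's network.

```python
# Added example, not from the original thread. Pairs segments captured on the inside and
# outside interfaces of a firewall to measure its own transit delay and drops, and computes
# the window-bound throughput ceiling of a single TCP session for a given RTT.
# The capture records are constructed sample data; the window and RTT are assumptions.
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Segment:
    ts: float       # capture timestamp in seconds (both captures share the firewall's clock)
    seq: int        # TCP sequence number, used to pair the same segment on both sides
    payload: int    # TCP payload bytes


def transit_delays(inside, outside):
    """Pair segments seen on both interfaces and return {seq: seconds held by the firewall}.
    Segments seen on only one side are left out, so drops do not skew the delay figures."""
    arrival = {s.seq: s.ts for s in inside}
    return {s.seq: s.ts - arrival[s.seq] for s in outside if s.seq in arrival}


def dropped_segments(inside, outside):
    """Sequence numbers that entered on the inside interface but never left on the outside one."""
    seen_out = {s.seq for s in outside}
    return sorted(s.seq for s in inside if s.seq not in seen_out)


def window_limited_bps(window_bytes, rtt_seconds):
    """Ceiling for one TCP session: at most one receive window can be in flight per RTT."""
    return window_bytes * 8 / rtt_seconds


def window_needed_bytes(target_bps, rtt_seconds):
    """Receive window a single session needs to sustain target_bps at the given RTT."""
    return target_bps / 8 * rtt_seconds


# Constructed sample: five 1460-byte segments captured inside, then outside 200 us later,
# except seq 5840, which never shows up on the outside capture (a drop inside the box).
INSIDE = [Segment(ts=1.000000 + i * 0.000012, seq=i * 1460, payload=1460) for i in range(5)]
OUTSIDE = [Segment(ts=s.ts + 0.000200, seq=s.seq, payload=s.payload)
           for s in INSIDE if s.seq != 5840]


def analyze(inside=INSIDE, outside=OUTSIDE, window_bytes=65535, rtt_seconds=0.0013):
    """Summarise the firewall's own contribution and the window-bound throughput ceiling.
    window_bytes=65535 (no window scaling) and rtt_seconds=0.0013 are assumed values."""
    delays = transit_delays(inside, outside)
    return {
        "median_transit_us": median(delays.values()) * 1e6,
        "dropped": dropped_segments(inside, outside),
        "ceiling_mbps": window_limited_bps(window_bytes, rtt_seconds) / 1e6,
        "window_for_1gbps_bytes": window_needed_bytes(1e9, rtt_seconds),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Run against real captures, the transit-delay and drop figures tell you how much of the latency the ASA itself adds; the two window functions then show what a single session can do at that RTT. With the assumed 64 KB window and 1.3 ms RTT the ceiling works out to roughly 403 Mbps regardless of the link speed, while the same path can carry far more in aggregate across several sessions. Whether the receive window, window scaling, or the firewall's own delay is the limiting factor in the poster's case is something only the captures can tell.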