Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Single session max throughput on 5555-X

We have some ASA 5555-X firewalls running 9.1(2) with the IDS modules installed that have a pretty basic configuration used to separate multiple internal networks.  The firewalls are able to pass over a Gbps of traffic pretty easily as long as it's sourced from multiple services but if we try to do a high speed transfer such as backup to SAN running over a single UDP or TCP session the traffic seems to peg out around 400Mbps.  We can verify that the server and SAN are capable of much higher transfer speeds by putting both on the same side of the firewall so I'm convinced the firewall itself is the limiting factor here.

I was wondering if anyone has come across this before and/or has any suggestions for how to boost the speed.  I am really trying to avoid something like bridging the networks with multiple interfaces or route exporting VRFs but our DBA's are complaining nonstop about backup times in those environments.  There are no Service policy QOS settings set on those interfaces and are NAT exempt so the firewall is not doing anything what I would call special.

Thanks,

Richard Hillius

3 REPLIES

Single session max throughput on 5555-X

Hello Richard,

Well.. You could always enable QoS priority for that traffic.

Have you tried to bypass the IPS as a test? What is the result of that?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Single session max throughput on 5555-X

Thanks for the suggestions,

I have tried disabling the IPS for testing and it didn't make a difference.  I have not tried creating a service policy specificly for this traffic and enable QoS for it.  I'm not exactly sure what that would accomplish since I can get good componsite throughput if I'm running multiple backup jobs at the same time it's only when you try to maximize throughput for a single job such as a large database backup that we run into this bottleneck.  I didn't think the ASA could do per session QoS or rate limiting.

Thanks,

Richard Hillius

Single session max throughput on 5555-X

Hello Richard,

At this point it would be good you do some captures on both interfaces of the ASA in place for this traffic and then see the round trip time just to make sure the ASA is the one generating the slowness on the network.

And agree the ASA can do QoS for specific traffic (so for all traffic that you defined, not just for a single session).

Can you share the following commands:

show interface | include errrors

show cpu usage

I could start providing you comamnds but I think it's better to give you the link :

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9521.shtml

Here is what you need to undertstand about the ASA, let us know the test you performa afterwards.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
203
Views
0
Helpful
3
Replies
CreatePlease to create content