Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA - Firewall and VPN on same device

I have a client that is attempting to both firewall, and VPN (remote access and site to site) functions on a single 5510 unit. They seem to have problem when the Internet bandwidth becomes congested and the remote access VPN user suffer badly from packet loss. It gets to the point that remote access VPN clients have applications hang on them. While I do expect to have some packet loss and slow down when the Internet connection gets saturated it seems to be more severe on the VPN then the firewall traffic.

The other issue is that the client has a VPN 3000 sitting in parallel with the ASA and they plan to migrate users from it to the ASA but they believe something is wrong with the ASA. The VPN 3000 is connected to the same Internet connection and when the link becomes saturated the remote access users do not experience the same level of packet loss / slow downs / or application hanging on them.

Anyone else seen anything like this?




Re: ASA - Firewall and VPN on same device

Bob -

First, did you verify that the ASA you bought could support the amount of users/traffic you have? The VPN users will always experience poorer performance than the internal users. This is because the OS prefers this traffic over VPN. Basically, if the firewall's resources are saturated, it begins limiting resources to "less important" stuff like VPN traffic and administrative connections. The last thing it will quit doind is passing inside to any traffic.

I wouldn't recommend adding the concentrator users until after you resolve the other problem. If you do a "show asp drop" on the ASA, do you see any of the counters going up very quickly (besides the matched deny rule one)? If so, you may have a configuration issue on your network. Also, you should do a "show interface" on the ASA and verify that the interfaces are not getting errors/collions.


New Member

Re: ASA - Firewall and VPN on same device


Thanks for the reply. Yes the ASA should be to handle the traffic load and amount of VPN users.

It does react the way you stated. Meaning when the link gets saturated it prefers the "firewall" traffic over the VPN traffic. I would think that if the client believes that VPN traffic is of higher priority then firewall traffic then I should be "police" the firewall traffic or implement priority queueing for the VPN traffic.

Have you done either of these and achieved your desired goals?

Also do have any links to docs discussing the ASA preference to passing firewall traffic over VPN and other "less important" traffic?

Thanks again,