My company has a gigabit fiber connection at 2 sites. We originally had four Cisco ASA 5520s (1 active/standby at each site) and the VPN throughput using 3DES/SHA was 200-250Mbps between sites, which is the performance limit of the 5520 according to the Cisco site. We needed to upgrade in order to utilize more of our gigabit line, so I got four of the Cisco ASA 5550s (active/standby at each site as well). According to the Cisco site, the maximum VPN throughput is about 450Mbps. I set up the new ASAs with the exact same configuration and they are still only getting between 200-250Mbps throughput. I don't think the bottleneck is either of the connections because I can download from the web at up to 75MB/sec at both sites. Also, although they aren't a point-to-point gigabit line, they are very close geographically and I know there isn't any bottleneck between them. I tried changing around the IPSec configuration between 3DES, AES 128, and AES 256 but all have almost identical performance. I even tried DES just for kicks but saw no difference in performance. Here is a snippet from my VPN config:
From my experience, the firewalls don't have an exotic configuration. If it means anything, the access lists aren't that large (about 100 lines at each site). Also the tests produce the same results day or night. Any ideas of what can be causing this? I probably need to just open a ticket with Cisco TAC but wanted to see if anyone had suggestions first. Thanks!