Cisco ASA sizing (based on capacity and feature requirements)

Posted on 2012-09-20
Last Modified: 2012-09-27
I'm looking for design documentation regarding Cisco ASA recommendations based on customer requirements. I've scoured the Cisco user & partner communities with no real luck - raw performance stats are easy (supported FW, IPS, FW+IPS bandwidth, maximum sessions, etc.), but nothing regarding CPU capacity based on active features.

A customer deployed an ASA 5510 a couple of years ago - small deployment (<200 users, 50-Mbps Internet, 100 firewall/ACL rules, NAT - no IPS), and they experienced lockups, dropped packets, etc., due to CPU over-utilization. It's easy to size a box on datasheet capacities, but I haven't yet found docs/recommendations for real CPU capacity based on deployed features.

Can anyone reference design/sizing docs along these lines?

Thank you
Question by: cfan73

    Expert Comment

    I don't know why the users had issues with the 5510. I use that model with 150 users, a 100-Mbps connection, with a constant 50 Mbps of replication traffic plus user traffic, with hundreds of ACLs, inspection, IPS, multiple L2L VPNs, and usually 20-50 remote VPN users. I usually run about 30-40% CPU. But then again, I guess it can depend on the number of connections. It can be really hard to tell for every situation. A 5510 should work in that situation, but since each situation is unique it will not hold true all the time.

    That being said, the new data sheets for the 5512 and 5515 have a spec that is supposed to show the throughput with all the features enabled.

    Author Comment

    Thank you for the response, but datasheet capabilities aren't the issue here. I'm very familiar w/ the new X-series, capacity/throughput-wise, but what I'm looking for are real world limitations and sizing recommendations for the ASA family, more focused on CPU capability.

    I use the datasheets every day, but throughput numbers don't involve CPU capacity/workload. The problem is that multiple customers don't even approach the datasheet numbers of their deployed ASA, and yet the CPU was still pegged, dropped packets, etc.

    So again, looking for CPU numbers under different workloads.

    Thank you!

    Expert Comment

    This sheet has a stat named EMIX which is supposed to simulate real-world situations. Applying the same ratios to the ASA 5510, it would put it around 150 Mbps, say 100 to be safe.

    The data sheets are constructed to give you numbers for a typical situation. If you are doing something weird, see about getting a demo unit to test it in the network. For the situation that you described, you shouldn't be having issues with the CPU being maxed out with that load. Have you worked with TAC to see what the source of the load is?

    Author Comment

    Yup, I've seen those datasheets for the new X-series. The customer in question is using a 5520, however, and the goal is to possibly combine services currently being provided by an EoL PIX 515 onto the 5520. I just need to determine if doing so would potentially overrun the single box.

    Accepted Solution

    I would base what the firewall can do on the number given on the spec sheet, divided by two.

    So the ASA 5520 should be able to handle about 225 Mbps. However, if you have traffic going through it from the LAN to the DMZ, you will have to keep that in mind as well.
