Cisco ASA sizing (based on capacity and feature requirements)

Posted on 2012-09-20
Last Modified: 2012-09-27
I'm looking for design documentation regarding Cisco ASA recommendations based on customer requirements. I've scoured the Cisco user & partner communities with no real luck - raw performance stats are easy (supported FW, IPS, FW+IPS bandwidth, maximum sessions, etc.), but nothing regarding CPU capacity based on active features.

A customer deployed a ASA 5510 a couple years ago - small deployment (<200 users, 50-Mbps Internet, 100 firewall/ACL rules, NAT - no IPS), and they experienced lockups, dropped packets, etc., due to CPU over-utilization. It's easy to size a box on datasheet capacities, but I haven't yet found docs/recommendations for real CPU capacity based on deployed features.

Can anyone reference design/sizing docs along these lines?

Thank you
Question by:cfan73

Expert Comment

ID: 38420389
I don't know why the users had issues with the 5510. I use that model with 150 users, a 100 Mb connection, with a constant 50 Mb of replication traffic plus user traffic, with hundreds of ACLs, inspection, IPS, multiple L2L VPNs, and usually 20-50 remote VPN users. I usually run about 30-40% CPU. But then again I guess it can depend on the number of connections. It can be really hard to tell for every situation. A 5510 should work in that situation, but since each situation is unique it will not hold true all the time.

That being said, the new data sheets for the 5512 and 5515 have a spec that is supposed to show the throughput with all the features enabled.

Author Comment

ID: 38420422
Thank you for the response, but datasheet capabilities aren't the issue here. I'm very familiar w/ the new X-series, capacity/throughput-wise, but what I'm looking for are real world limitations and sizing recommendations for the ASA family, more focused on CPU capability.

I use the datasheets every day, but throughput numbers don't involve CPU capacity/workload.  The problem is multiple customers don't even approach the datasheet numbers of their deployed ASA, but yet the CPU was still pegged, dropped packets, etc.

So again, looking for CPU numbers under different workloads.

Thank you!

Expert Comment

ID: 38420452

This sheet has a stat named Emix which is supposed to simulate real world situations. Applying the same ratios to the ASA 5510, it would put it around 150 Mbps, say 100 to be safe.

The data sheets are constructed to give you numbers for a typical situation. If you are doing something weird, see about getting a demo unit to test it in the network. For the situation that you described you shouldn't be having issues with the CPU being maxed out with that load. Have you worked with TAC to see what the source of the load is?

Author Comment

ID: 38425212
Yup, I've seen those datasheets for the new X-series. The customer in question is using a 5520, however, and the goal is to possibly combine services currently being provided by an EoL PIX 515 onto the 5520. I just need to determine if doing so would potentially overrun the single box.

Accepted Solution

ryan80 earned 2000 total points
ID: 38428664
I would base what the firewall can do off of the number given on the spec sheet and then divide it by two.

So the ASA 5520 should be able to handle about 225 Mbps. However just keep in mind that if you have traffic going through it from the LAN to the DMZ that you will have to keep that in mind.
