Cisco ASA Firewall 5520 throughput

IT Guy
I have a Cisco ASA 5520 and a 500MB internet/bandwidth line. The problem is the throughput on the FW is low and it throttles the bandwidth. Execs don't want me to upgrade now, so I was wondering: is there some kind of add-on I can use?


ASA 5520
1: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
2: Up to 2048MB RAM
3: Intel Celeron M Processor 450 2.0GHz
4: Cavium Nitrox Lite CN1010

Sr.Net.Eng
Top Expert 2011
Commented:
You are pretty much limited by the throughput of the firewall. Packet inspection slows throughput down. You could possibly make your firewall ruleset more efficient (reducing the number of rules, removing duplicates, etc.) to help the firewall out, but other than that you are pretty much stuck with what you have.
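
Added example (editor's note, not part of the original thread): the "remove duplicates" advice above can be checked mechanically against an ASA running config. The script below groups extended ACEs by ACL name and reports two kinds of entries that can be deleted without changing what the firewall does: exact duplicates of an earlier ACE, and ACEs that sit after a catch-all (`ip any any`, or `<proto> any any` for the same protocol) and so can never be hit. The config fragment is constructed for illustration, and the parser assumes plain ACEs (object-groups, `any4`/`any6` and port-name normalisation are not handled, so treat a clean report from it as necessary rather than sufficient).

```python
import re
from collections import defaultdict

# Constructed ASA-style config fragment for illustration (not from the thread).
# Line numbers in the findings refer to lines of this text.
SAMPLE_CONFIG = """\
access-list outside_in remark Web front end
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended deny ip any any
access-list outside_in extended permit tcp any host 203.0.113.11 eq 25
access-list inside_out extended permit ip any any
access-list inside_out extended permit udp any any eq 53
access-list inside_out extended deny tcp any any eq 23
access-list mgmt standard permit 10.0.0.0 255.255.255.0
"""

# Extended ACE: access-list <name> extended <permit|deny> <proto> <src/dst/ports...>
# Assumption: plain ACEs only; object-group and any4/any6 forms are not special-cased.
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")


def parse_aces(config_text):
    """Group extended ACEs by ACL name in configured order (remarks and standard ACLs skipped)."""
    acls = defaultdict(list)
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        acls[name].append({
            "line": lineno,
            "action": action,
            "proto": proto,
            "rest": " ".join(rest.split()),  # normalise whitespace so equal ACEs compare equal
        })
    return dict(acls)


def audit_acls(acls):
    """Return {acl_name: [finding, ...]} for ACEs removable without changing behaviour."""
    findings = {}
    for name, aces in acls.items():
        seen = {}        # (action, proto, rest) -> first line it appeared on
        catch_all = {}   # proto -> line of the first "<proto> any any" ACE (no ports)
        issues = []
        for ace in aces:
            key = (ace["action"], ace["proto"], ace["rest"])
            # "ip any any" shadows everything after it; "<proto> any any" shadows that protocol.
            shadow = catch_all.get("ip") or catch_all.get(ace["proto"])
            if key in seen:
                issues.append(f"line {ace['line']}: exact duplicate of line {seen[key]}, never matched")
            elif shadow:
                issues.append(f"line {ace['line']}: unreachable, shadowed by catch-all on line {shadow}")
            else:
                seen[key] = ace["line"]
            if ace["rest"] == "any any" and ace["proto"] not in catch_all:
                catch_all[ace["proto"]] = ace["line"]
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for acl, issues in audit_acls(parse_aces(SAMPLE_CONFIG)).items():
        print(f"access-list {acl}:")
        for issue in issues:
            print("  " + issue)
```

Feed it the output of `show running-config access-list` and review each finding before removing anything: a shadowed `deny` after a `permit ip any any` (line 9 in the sample) is usually a policy mistake worth fixing in the other direction, not just dead weight.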
Ken Boone, Network Consultant
Commented:
Below are the specs on the 5520. You can find them here:

https://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-345385.html

You will see that the max theoretical bandwidth throughput is 450 Mbps. That is assuming no encryption, nothing fancy, small ACLs, etc. So bottom line, it is what it is and the execs have to make a decision: live with it, understanding things are going to get worse and worse over time, or spend the money and upgrade.

Now having said that... do you have a router that you manage on the outside of the firewall? Because the problem may not be the firewall. I know you said your internet was 500Mb/s, but what is your typical usage? 200-300? Just asking... sometimes the router on the outside of the firewall is not rated for enough throughput and that is really where the bottleneck is.

Just tossing some ideas out..

Table 3. Cisco ASA 5520 Adaptive Security Appliance Platform Capabilities and Capacities

Feature                               Description
Firewall Throughput                   Up to 450 Mbps
Maximum Firewall and IPS Throughput   Up to 225 Mbps with AIP SSM-10
                                      Up to 375 Mbps with AIP SSM-20
                                      Up to 450 Mbps with AIP SSM-40
VPN Throughput                        Up to 225 Mbps
Concurrent Sessions                   280,000
IPsec VPN Peers                       750
SSL VPN Peer License Levels*          2, 10, 25, 50, 100, 250, 500, or 750
Security Contexts*                    Up to 20
Interfaces                            4 Gigabit Ethernet ports and 1 Fast Ethernet port
Virtual Interfaces (VLANs)            150
Scalability                           VPN clustering and load balancing
High Availability                     Active/Active**, Active/Standby

Author

Commented:
I am looking into another option.
We have a 500 MB internet line that goes into my layer 3 switch. The 500 MB drop has 2 options for connection: one for Ethernet cable, which we are using, and one for fiber.

Wondering if the fiber option to the layer 3 switch will produce a higher bandwidth.

Soulja, Sr.Net.Eng
Top Expert 2011

Commented:
That's quite possible, but I would assume your firewall would be behind the switch, so it would still be the bottleneck. Same results.

Author

Commented:
You are correct, but I figured I'll start from the top down, hahaha. Will share results after.
Soulja, Sr.Net.Eng
Top Expert 2011

Commented:
Yeah, you would still need the security of the firewall. The switch would just be a bump in the wire.
Ken Boone, Network Consultant

Commented:
You will not see any noticeable difference in speed switching between a copper handoff and a fiber handoff. If they are delivering you 500Mb of internet, that means they are handing it to you on a gigabit Ethernet port. That gigabit Ethernet port can be electrical (Cat6) or optical (fiber), but it is still a gigabit port. Your internet handoff is half of that port speed. You will not notice a difference. At the gigabit level, fiber will cost you a little more because you will need to have the fiber patch cables and the optics to support it on both sides, but this cost is generally negligible. The benefit you will get out of fiber has to do with the fact that electricity is not carried over it. This means that it has built-in power surge protection from surges coming from the provider's equipment into yours in the case of a lightning strike or a bad power surge. Not to say your equipment can't get hit through its own AC or DC adapter, but it will definitely not take a hit coming through the fiber. Cat5/6 are all electrical, so they always carry this potential. In locations where power surges and lightning strikes are frequent, it is normal to run fiber almost everywhere.

Author

Commented:
Ken Boone, if that's the case, I guess I'm back to the firewall bottleneck, or do you recommend looking at something else?

My Dell layer 3 switch has a 10 GB SFP port, but my users are connecting to gigabit layer 2 switches.
Ken Boone, Network Consultant

Commented:
So let's start by telling what the symptoms are that you see, and let's go from there. You said that the throughput on the firewall is low; how did you determine that? You also said it is throttling bandwidth; again, how did you determine that?

Author

Commented:
We have Cat 5e run in our office. If I run a speed test on a user PC, I get approx. 95 MB to 105 MB speed. All PCs have 1GB network cards.

I figured it's the FW because the throughput that is built into the FW seems to be lower than 500MB.
Soulja, Sr.Net.Eng
Top Expert 2011

Commented:
What speed were you expecting from the test? Is the PC you tested the only one on the network at the time of the test? Was the firewall only servicing that particular PC at the time of the test, meaning it was not dealing with its other production responsibilities?
Soulja, Sr.Net.Eng
Top Expert 2011

Commented:
If you performed this test under normal production conditions, meaning other traffic was traversing the firewall as well, I can very well see you getting those speeds.
Ken Boone, Network Consultant

Commented:
OK, so that is not conclusive as to the problem being the firewall. There are numerous things that could be causing that.

Duplex mismatch somewhere in the network - firewall port, provider, switchport to PC, etc.
Provider is not really provisioned for 500Mb - seen this many times.
Could be the firewall.
Could be switch configuration issues - lots of things.

Who is the provider? Do they provide a speedtest site within their network? If so, that is what you should be using.

This is a test I would perform. It is disruptive and will bring your internet down for the rest of your network while you do it.
Disconnect your firewall from the provider. Instead, connect a PC to that port and configure the PC to use the same address the WAN side of the firewall was using.

Then run a speed test to the provider's speedtest server from that PC. If you are only getting 95-100Mb, then the problem is with the provider. If you see something in the 400+ range, you know you are getting the internet speeds you should be getting.

This test lets you know right away if the problem is your network or the provider. I would start there.

Author

Commented:
OK, I will go through your recommendations and check.

Also looking to buy a new layer 2 switch for the user patch panel; thoughts on getting this?

Cisco SG350X-48MP 48-Port Gigabit PoE Stackable Managed Switch

https://www.amazon.com/Cisco-SG350X-48MP-48-Port-Gigabit-Stackable/dp/B06XPN1FX6

Author

Commented:
I pulled the trigger and got the switches: Cisco SG350X-48MP 48-Port Gigabit PoE Stackable Managed Switch.

Commented:
One thing you can use to convince them of a replacement is that the 5520 is End of Life and End of Support. You should really move over to something new.
