Cisco ASA Firewall 5520 throughput

I have a Cisco ASA 5520 and a 500MB internet/bandwidth line. The problem is the throughput on the FW is low and it throttles the bandwidth. Execs don't want me to upgrade now, so I was wondering if there is some kind of add-on I can use.


ASA 5520
1: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
2: Up to 2048MB RAM
3: Intel Celeron M Processor 450 2.0GHz
4: Cavium Nitrox Lite CN1010
IT Guy Asked:


Soulja53 6F 75 6C 6A 61 Commented:
You are pretty much limited by the throughput of the firewall. Packet inspection slows throughput down. You could possibly make your firewall ruleset more efficient: reducing the number of rules, removing duplicates, etc., to help the firewall out, but other than that, you are pretty much stuck with what you have.

Ken Boone (Network Consultant) Commented:
Below are the specs on the 5520. You can find them here:

https://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-345385.html

You will see that the max theoretical bandwidth throughput is 450 Mbps. That is assuming no encryption, nothing fancy, small ACLs, etc. So, bottom line, it is what it is and the execs have to make a decision: live with it, understanding things are going to get worse and worse over time, or spend the money and upgrade.

Now having said that... do you have a router that you manage on the outside of the firewall? Because the problem may not be the firewall. I know you said your internet was 500Mb/s, but what is your typical usage? 200-300? Just asking... sometimes the router on the outside of the firewall is not rated for enough throughput, and that is really where the bottleneck is.

Just tossing some ideas out..

Table 3. Cisco ASA 5520 Adaptive Security Appliance Platform Capabilities and Capacities

Feature                                Description
Firewall Throughput                    Up to 450 Mbps
Maximum Firewall and IPS Throughput    Up to 225 Mbps with AIP SSM-10
                                       Up to 375 Mbps with AIP SSM-20
                                       Up to 450 Mbps with AIP SSM-40
VPN Throughput                         Up to 225 Mbps
Concurrent Sessions                    280,000
IPsec VPN Peers                        750
SSL VPN Peer License Levels*           2, 10, 25, 50, 100, 250, 500, or 750
Security Contexts*                     Up to 20
Interfaces                             4 Gigabit Ethernet ports and 1 Fast Ethernet port
Virtual Interfaces (VLANs)             150
Scalability                            VPN clustering and load balancing
High Availability                      Active/Active**, Active/Standby
IT Guy (Author) Commented:
I am looking into another option.
We have a 500 MB internet line that goes into my layer 3 switch. The 500 MB drop has 2 options for connection, one for Ethernet cable, which we are using, and one for fiber.

Wondering if the fiber option to the layer 3 switch will produce a higher bandwidth.

Soulja53 6F 75 6C 6A 61 Commented:
That's quite possible, but I would assume your firewall would be behind the switch, so it would still be the bottleneck. Same results.
IT Guy (Author) Commented:
You are correct, but I figured I'll start from the top down hahaha. Will share results after.
Soulja53 6F 75 6C 6A 61 Commented:
Yeah, you would still need the security of the firewall. The switch would just be a bump in the wire.
Ken Boone (Network Consultant) Commented:
You will not see any noticeable difference in speed switching between a copper handoff vs. a fiber handoff. If they are delivering you 500Mb of internet, that means they are handing it to you on a gigabit ethernet port. That gigabit ethernet port can be electrical (Cat6) or optical (fiber), but it is still a gigabit port. Your internet handoff is half of that port speed. You will not notice a difference. At the gigabit level, fiber will cost you a little more because you will need to have the fiber patch cables and the optics to support it on both sides, but this cost is generally negligible. The benefit you will get out of fiber has to do with the fact that electricity is not carried over it. This means that it has built-in surge protection from surges coming from the provider's equipment into yours in the case of a lightning strike or a bad power surge. Not to say your equipment can't get hit through its own A/C or D/C adapter, but it will definitely not take a hit coming through the fiber. Cat5/6 are all electrical, so they always carry this potential. In locations where power surges and lightning strikes are frequent, it is normal to run fiber almost everywhere.
IT Guy (Author) Commented:
Ken Boone - if that's the case, I guess I'm back to the firewall bottleneck, or do you recommend looking at something else?

My Dell layer 3 switch has a 10 GB SFP port, but my users are connecting to gigabit layer 2 switches.
Ken Boone (Network Consultant) Commented:
So let's start by telling what the symptoms are that you see, and let's go from there. You said that the throughput on the firewall is low... how did you determine that? You also said it is throttling bandwidth... again, how did you determine that?
IT Guy (Author) Commented:
We have Cat 5e run in our office. If I run a speed test on a user PC, I get approx. 95 MB to 105 MB speed. All PCs have 1GB network cards.

I figured it's the FW because the throughput that is built into the FW seems to be lower than 500MB.
Soulja53 6F 75 6C 6A 61 Commented:
What speed were you expecting from the test? Is the PC you tested the only one on the network at the time of the test? Was the firewall only servicing that particular PC at the time of the test? Meaning it was not dealing with its other production responsibilities?
Soulja53 6F 75 6C 6A 61 Commented:
If you performed this test under normal production conditions, meaning other traffic was traversing the firewall as well, I can very well see you getting those speeds.
Ken Boone (Network Consultant) Commented:
OK, so that is not conclusive as to the problem being the firewall. There are numerous things that could be causing that:

Duplex mismatch somewhere in the network: firewall port, provider, switchport to PC, etc.
Provider is not really provisioned for 500Mb (seen this many times).
Could be the firewall.
Could be switch configuration issues; lots of things.

Who is the provider?  Do they provide a speedtest site within their network?  If so that is what you should be using.

This is a test I would perform. It is disruptive and will bring your internet down for the rest of your network while you do it.
Disconnect your firewall from the provider. Instead, connect a PC to that port and configure the PC to use the same address the WAN side of the firewall was using.

Then run a speed test to the provider's speedtest server from that PC. If you are only getting 95-100Mb, then the problem is with the provider. If you see something in the 400+ range, you know you are getting the internet speeds you should be getting.

This test lets you know right away if the problem is your network or the provider.  I would start there.
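One way to turn the isolation test above into a repeatable check, as an added example that is not from the thread: take a speed test at the provider handoff first, then at each point behind it, and let a script name the first segment where the rate falls off. It assumes the ASA 5520 ceilings from the data sheet table quoted earlier; the measurement values used in the test are constructed.

```python
"""Bottleneck localization for the provider-vs-network isolation test
(added example; all measurement values are constructed, not from the thread)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rated ceilings (Mbps) from the ASA 5520 data sheet quoted in the thread.
ASA5520_FIREWALL_MBPS = 450
ASA5520_IPS_MBPS = {"AIP SSM-10": 225, "AIP SSM-20": 375, "AIP SSM-40": 450}
ASA5520_VPN_MBPS = 225

@dataclass
class Point:
    name: str                            # where the test PC was plugged in
    measured_mbps: float                 # speed test result at that point
    rated_mbps: Optional[float] = None   # ceiling of the device just upstream

def asa5520_ceiling(ips_module: Optional[str] = None, vpn: bool = False) -> int:
    """Lowest rated throughput that applies to the feature set in use."""
    ceiling = ASA5520_FIREWALL_MBPS
    if ips_module:
        ceiling = min(ceiling, ASA5520_IPS_MBPS[ips_module])
    if vpn:
        ceiling = min(ceiling, ASA5520_VPN_MBPS)
    return ceiling

def localize_bottleneck(circuit_mbps: float, points: List[Point],
                        drop_ratio: float = 0.8) -> Tuple[str, str]:
    """Walk the path from the provider handoff inward. Returns (where, why):
    'provider' if the handoff itself is short, the first point delivering
    less than drop_ratio of what its upstream should pass, or 'none'."""
    if not points:
        raise ValueError("need at least the provider-handoff measurement")
    prev = points[0]
    if prev.measured_mbps < circuit_mbps * drop_ratio:
        return "provider", f"{prev.name}: {prev.measured_mbps:g} of {circuit_mbps:g} Mbps"
    for p in points[1:]:
        # A device's rated ceiling bounds what can legitimately arrive behind it.
        expected = min(prev.measured_mbps, p.rated_mbps or prev.measured_mbps)
        if p.measured_mbps < expected * drop_ratio:
            hint = ""
            if 90 <= p.measured_mbps <= 110:   # heuristic: looks like a 100 Mb link
                hint = "; near 100 Mbps, check for Fast Ethernet or a duplex mismatch"
            return p.name, f"dropped from {prev.measured_mbps:g} to {p.measured_mbps:g} Mbps{hint}"
        prev = p
    return "none", f"path delivers {prev.measured_mbps:g} Mbps end to end"
```

Run the speed test with the PC at the handoff, then behind the ASA, then at a user port, and feed the three numbers in as Points in that order.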
IT Guy (Author) Commented:
OK, I will go through your recommendations and check.

Also looking to buy a new layer 2 switch for the user patch panel. Thoughts on getting this?

Cisco SG350X-48MP 48-Port Gigabit PoE Stackable Managed Switch

https://www.amazon.com/Cisco-SG350X-48MP-48-Port-Gigabit-Stackable/dp/B06XPN1FX6
IT Guy (Author) Commented:
I pulled the trigger and got the switches: Cisco SG350X-48MP 48-Port Gigabit PoE Stackable Managed Switch.
Miles M Commented:
One thing you can use to argue for a replacement is that the 5520 is End of Life and End of Support. You should really move over to something new.