Wednesday, February 25, 2015
Cisco ASA 5510: Observance Of Weak Throughput Performance
I was at a customer site moving Internet, MPLS and PRIs over to a new circuit. One of the things I came across was that the customer's ASA 5510 had only 10/100 interfaces. Well, I guess you get what you pay for, right? But the Internet connection was 200Meg, so this wasn't going to work. So I decided to put a Cisco router (2800) in parallel with the ASA, do some traffic PBR, and let them get a new firewall with better throughput and interface capability. So as we were doing some testing through each device (the ASA and the router), we noticed that the performance through the 5510 was terrible. When we tested through the router, it was spot on (even though it was limited to 10/100 also on the interfaces).
Below are the upload/download results to this 200Meg circuit. Keep in mind, the ASA has 10/100 interfaces. So does the 2800 router.
THROUGH THE CISCO ASA 5510:
THROUGH THE CISCO 2800:
These are both on the same circuit, in parallel with each other. Even when I manipulate port speeds manually to try to overcome this issue, I get the same results. You can see why I would be sorely disappointed in the ASA 5510. I mean, the company relies on this firewall, not only for security, but for throughput as well.