Wednesday, February 25, 2015

Cisco ASA 5510: Observance Of Weak Throughput Performance

I was at a customer site moving an Internet circuit, MPLS and PRIs over to a new circuit.  One of the things I came across was that the customer's ASA 5510 had only 10/100 interfaces.  Well, I guess you get what you pay for, right?  But the Internet connection was 200Meg, so this wasn't going to work.  So I decided to put a Cisco router (2800) in parallel with the ASA, do some traffic PBR, and let them get a new firewall with better throughput and interface capability.  As we were doing some testing through each device (the ASA and the router), we noticed that the performance through the 5510 was terrible.  When we tested through the router, it was spot on (even though it was also limited to 10/100 on its interfaces).
Below are the upload/download results to this 200Meg circuit.  Keep in mind, the ASA has 10/100 interfaces.  So does the 2800 router.


These are both on the same circuit, in parallel with each other.  Even when I manipulate port speeds manually to try to overcome this issue, I get the same results.  You can see why I would be sorely disappointed in the ASA 5510.  I mean, the company relies on this firewall, not only for security, but for throughput as well.
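The "router in parallel with PBR" arrangement described above, written out as an added IOS configuration example (this is not the customer's configuration or anything from the original post). It assumes the 2800 becomes the LAN default gateway, the ASA inside interface stays on the same LAN, both devices share the ISP hand-off, and the addressing (192.0.2.0/24 inside, 198.51.100.0/29 hand-off) and the "inspected hosts" range are constructed placeholders. Only the hosts matched by the route-map are sent through the ASA; everything else takes the 2800's own default route and is NATed there, so it is not inspected by the firewall.

```cisco
! Added example, not from the post. Constructed addressing:
!   Inside LAN     192.0.2.0/24     2800 Fa0/0 = .1 (LAN default gateway), ASA inside = .2
!   ISP hand-off   198.51.100.0/29  ISP gateway = .1, ASA outside = .2, 2800 Fa0/1 = .3
hostname EDGE-2800
!
! Hosts that must keep going through the ASA (constructed range: 192.0.2.128-192.0.2.255)
ip access-list extended ASA-INSPECTED
 permit ip 192.0.2.128 0.0.0.127 any
!
! Policy route: matched sources are handed to the ASA inside address;
! anything not matched falls through to normal routing (the 2800's default route).
route-map KEEP-ON-ASA permit 10
 match ip address ASA-INSPECTED
 set ip next-hop 192.0.2.2
!
interface FastEthernet0/0
 description Inside LAN - default gateway for hosts
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
 ip policy route-map KEEP-ON-ASA
 no ip redirects
 speed 100
 duplex full
!
interface FastEthernet0/1
 description Internet hand-off, shared with ASA outside
 ip address 198.51.100.3 255.255.255.248
 ip nat outside
 speed 100
 duplex full
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! NAT only the traffic the 2800 itself sends to the Internet; the ASA-inspected
! hosts are excluded because the ASA performs NAT for them on its own outside IP.
ip access-list extended NAT-BYPASS
 deny   ip 192.0.2.128 0.0.0.127 any
 permit ip 192.0.2.0 0.0.0.255 any
ip nat inside source list NAT-BYPASS interface FastEthernet0/1 overload
```

After applying it, `show route-map KEEP-ON-ASA` reports how many packets matched the policy, which confirms the inspected hosts are actually being steered to the ASA rather than leaking out through the 2800. When comparing throughput the way the post does, `show interface` on both the ASA (Ethernet0/x) and the router is the first thing to read: the negotiated speed/duplex, input errors and collisions on a forced 100/full link will show a duplex mismatch long before a speed test will explain it.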

1 comment:

  1. The 2800 SERIES has got a different motherboard architecture ... compared to the 5510 ASA.

    The most important things are:

    1. Check the design diagrams and compare them at the architectural level.
    2. The ASA has built-in security checks which do affect performance, rather than the regular 2800, which does not imply inspections (the 2800 OS is based on packet forwarding and not built with security in mind; on the other hand, the ASA 5510 is a security OS and performance is second priority).

    Hope the above 2 points will give good insight ...

