I'm new to the Networking world and am trying to establish a base for my network. I'm running ASA 5510 8.4(4), how can I measrue throughput ? In the ASDM, there is a nice feature for CPU, and the command show CLI also provides good info about CPU, but how can I get the throughput on a port basis ?
View 8 RepliesThe issue was about Cisco ASA5510 Sec Plus.2 Interfaces, LAN and DMZ.Both 1000 FD, no interface errors like CRC or something similar.If I start a data transfer (like FTP) or a data stream test (like Netperf), from DMZ to INSIDE I get a theoughput.If I start the same from INSIDE to DMZ (same hosts), i get a troughput almost ten times slower.If i do the same using netperf in UDP (not TCP) I get the same in both directions.
View 9 Replies View RelatedI'm not clear about the capabilities of the ASA 5510 GigE interfaces (eth0/0 and eth0/1) with an without IPSEC tunnels enabled.
This page [URL] shows a figure of 170Mbps 'Maximum 3DES/AES VPN Throughput'. Does that mean per IPSEC tunnel or for the whole interface if it is IPSEC-enabled?
Looking at the ASA spec sheets, the ASA 5510 has a firewall throughput of 300Mbps. Does this mean 300Mbps half duplex or full duplex?
We are looking to replace our current firewall. Peak traffic at the moment is 250Mbps upstream and 20Mbps downstream, max concurrent sessions is 24K. Will I need to look at a ASA 5520 for the replacement?
I am experiencing slow throughput on a L2L IPsec tunnel that we have between one of our offices on the west coast (WC) US and another on the east coast (EC) US. The tunnel endpoint on the WC resides on a 5510 and a 5545x on the EC. The DIA circuit speed on the WC is 45 Mbps and 200 Mbps on the EC. The throughput of this IPsec tunnel is maxing out at approx. 4 – 5 Mbps. The utilization of the DIA circuits at both offices is under 5% when running various FTP test transfers. Both devices have low memory and CPU utilization.
We have a 2nd office on the EC (45 Mbps DIA) which I built a tunnel on a 5510 with the WC office and it is experiencing the same slow throughput. In covering all my bases we have a colocation facility on the WC and in building a tunnel between the 2 WC offices I WAS seeing close to full line rate speeds over the tunnel. Additionally, I built a tunnel between the 2 EC offices and I saw full line rate speeds. With the physical distance between the WC & EC offices I would expect some loss in throughput speeds but I would not expect it to drop as low as 4 – 5 Mbps. In thinking something may be up with the 5510 in our WC office we shipped a 5505 to the WC office and we built the same IPsec tunnels on it and it is experiencing the same.
In working with our support vendor to try and solve the WC <-> EC throughput issue they had me change the MTU, TCP mss, DF-bit, types of encryption/hash on the IPsec tunnel but nothing has resolved it. We are not showing fragmentation or PMTU issues on the tunnel. In contacting the ISP of our WC office they mentioned that they do not have any type or rate limiting in place. Our WC ISP had a CCIE review our configurations but nothing was found.
I have two sites connected via 2901 routers to a head end with an ASA 5510, the WAN circuits are LES running at 100MB and at the head end we have a 100MB leased line. All WAN circuits are provided wires onlyby another supplier. I have setup the two 2901 routers with inside IP addresses on GE0/0 and a /30 subnet for the GE0/1 interfaces to the ASA over the LES circuit.
The LES circuits are set to 100MB but the problem I am having is that one of the 2901s will only negotiate at 10MBps Half Duplex with the ASA at 100MB Half Duplex, the other will negotiate at 100MBps Full Duplex at both ends. My WAN provider tells me both LES circuits are the same so I cannot work out why one will negotiate at 100MB Full and the other at only 10Mb Half.
At the head end I have and ASA 5510 connected to the WAN providers 100MB circuit but testing from my end sites I can only get 6MB download and 0.5MB upload on an Internet Speedtest.
I used Wireshark when downloading from my end sites and I can see lots of TCP retries and duplicates so I think this is a duplexing issue, my question is, my WAN provider is stating the issue is nothing to do with them and it is my 2901 and ASA that is at fault, they state if they connect a laptop to the LES circuit and then their leased line they get 100MB up and down.
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
I have a Cisco 881 (without wifi model) connected to a 100Mb unmanaged switch and a cable modem with a 120Mb down, 10Mb up connection. When I connect the modem directly to my laptop, I can reach the 120Mb/s down and 10Mb/s upload speed. When I connect the modem to the 881, the max download is about 30Mb/s. Upstream 10Mb is no problem. I've been trying to change the duplex and speed settings on the FastEthernet4 interface, but this has only a worsening effect. I should be able to get about 100Mb/s (since switch is only 100) right?
JAAPROUTER_HQ2#sh ruBuilding configuration...
Current configuration : 3515 bytes!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname JAAPROUTER_HQ2!boot-start-markerboot-
[Code].....
Do some have some realistic performance numbers for a ASA 5505 on a mixed setup with local internet breakout and site to site vpn ( and don't tell me 150 mbps 3des throughput on a 100 mbps ethernet) - what can be expected in a live environment where we f.ex feed it with a 100 mbps internet connection - with a site to site vpn with f.ex 20 office workers running office on a remote terminalserver and mixed local internet breakout.
View 2 Replies View RelatedWhat is the difference between IP throughput routing throughput and firewall throughput
the reason is i am trying to spec a router for a mate who is setting up an online server for an old game ultima online which will have around 300-400 people each pulling around 10kb/sec
I recommended an 880 service router but when he spoke to a guy at the shop they said this would only run at 25mb/sec and he is plugging in to a 100MB/sec line
But the current router that is a home dlink which cost at most 60 Euros on a speed tester can pull 95mb/secI just don’t get how a 60 Euros router can download quicker than a 300-400 Euro router
They said try a ASA5505 that can do 150MB/sec of firewall throughput
I'm having a throughput problem with a new ASA 5540 running version 8.2 (1). When trying to access a database server using tcp port 1521 (sqlnet) it is about 10 to 20 times slower than when the database is not behind the firewall. We've been running the same software on a database behind an ASA 5520 running version 8.0 (3) with no problems for years. When I check the cpu usage on the 5540 at the ASDM home page, it is rarely above 20% and never above 30% while this is being tested. I tried testing ftp throughput over the same interface and it was normal with ~320 Mbps average rate transferring a 500 MB file.
View 6 Replies View RelatedI have a asa5580 with multiple interfaces. To replicate me databases to another site, I mainly use two interfaces on that firewall. Those interfaces have a steady pace, around 95%.
I am wondering when I should consider that the thoughput between those two interfaces is too much? Is there a good document that could explain me clearly why?
Also I want to be sure that I won't affect the normal traffic between the other interfaces. Is there a way to garantee certain traffic over others on an ASA? I don't have any router in me setup layer 3 role is perform by asa firewalls (static routes).
How do i measure the total throughput going via 5585-X.It has the firewall througput of 5Gbps. Looking at aggregate of all the interfaces traffic going through it seems about 4gbps is going through.
I use show traffic command and add up the trasmit and receive traffic on each live interface.Is that correct method and are there any more commands?
I have a Cisco PIx firewall that is connected to a cable modem with Time warner cable. I am supposed to have 35 down and 5 up for my speed on that modem. When I bypass the firewall and connect directly to the cable modem, I get download speeds in excess of 30 and upload speeds of about 5. However, when I connect via my workstation, which goes through the PIX, I am lucky to get speeds in the 1.2 for a download and 2-3.5 for the upload. I am using a laptop to test. We have gigabyte Cat5e cabling and gigabyte switches.
Below are statements from the config.The interface lines are per below:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
MTU outside 1500
How can i adjust this so I can make use of the 30 speed of the modem?
What the Firewall throughput is for the BEFSX41.
View 9 Replies View RelatedAs we know SNR (signal to noise ratio) is very important in communication special in wireless. So I wondering : How is SNR measured (by using practical method)?
View 2 Replies View RelatedHow to find bandwidth utlization and who consumed bandwidth lot.? Basically ,I would use speedtest.net for speedtest and will ask from ISP for bandwidth utilization.
Is there any way that to measure bandwidth utilization and who consumed lot based on IPaddress?
I would like to measure amount of data I have uploaded and downloaded on the internet since last router reboot. I see there is a STATISTICS under STATUS, which lists the packets, but how big is a packet? And can I just take the values under Receive and Transmit (row called Internet) and multiply with packet size?
View 1 Replies View RelatedI have an XFS 8300 desktop having a TP-Link Model No. TL-WDN4800 dual band wireless adapter card. The box of the card states that the fastest wireless speed available is 450 Mbps. I am using Comcast cable as my internet service provider. Is it possible to measure how fast my wireless connection speed when downloading from the internet? If yes, how?
View 1 Replies View RelatedHow can I measure a respond time from a switchport to another? What I intend to do is to measure packets transmission from a server. I have a Cisco 3750G in stack, and the server is connecting to it with a 1GE NIC. How do I measure from Cisco prospective? Any tools available from Cisco to measure such respond time? I have a PRTG on bandwidth management on this particular server switchport and it is around 45-70Mbps, which is less than 10% of 1GE interface.
View 3 Replies View RelatedWe have two devices connected through a several miles DWDM connection (two switchports 10GBSR).We would like to measure the delay for that connection.
View 4 Replies View Relatedhow to measure the router or swith capacity?
Ex: Actually my problem is, i'm using Dlink 8 port switch, and 40 computers connected indirectly to that switch, few times getting issues like packet drops, internet connecting & disconnecting etc. so i want to know either the switch is capable or not.
The question is apparently simple. A network is given, consisting of
- 1 network core switch: HP 5500-EI (Layer3)
- 4 access switches: HP 5120-EI (Layer2)
They are connected in the shape of a star (the core switch in the center)The task is to measure the occupation rate of this network on a per-VLAN basis.
For example : To be able to generate statistics like: During the last week - Monday to Sunday - the netowork occupation with VLAN 10 traffic was 30% and VLAN 60 traffic was 70%.
Soon my town will be getting fiber to the home, so I've already upgraded my home network to handle this. One of the changes is that I'll no longer use my powerline adapters to stream video, but to transfer the IPTV data. For streaming I wanted to switch to Wifi, so I bought the E4200 and compatible adapters and bridges (see subject).The powerline adapters have a bandwidth of 200Mbps, of which I get an actual 120. This works fine except for full 1080p, that stutters. The E4200 has a maximum of 450Mbps, but the adapters and bridge only do 300, but that should be sufficient. So after replugging my network, I tested it last night by playing a 350MB 45 minute episode of a TV series... And it stuttered!
Doing the math, that would mean the connection was less that 1Mbps! The WUSB600N and E3200 were (direct line) about 4 meters apart, separated by a concrete floor. What is the best way to measure the actual connection speed?And more important; since the E3200 does both 2.4GHz and 5GHz, how can I tell which band the adapter is using? I want to use the 5Ghz band, since that is fairly empty compared to the 2.4Ghz. However, I've configured both with the same ID, as the E4200 manual instructs, but I think it may be better to separate them?
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
HQ-ASA-01# show running-config
: Saved
:
[Code]......
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).
I have a ASA 5510 firewall with CSC module and Security Plus license for CSC module.Will you tell me how to configure my firewall to send emails to particular mail ID when someone login into the firewall or any virus attacks from outside.
View 6 Replies View RelatedWe were having a discussion of ios firewall vs. asa for smaller clients(less than 50). On using ios firewall(zbf or cbac)and an asa 5505/5510. One of the arguments brought up on using ios firewall on the router is that a router will do an ip sla failover. I have configured a number of isr's for this and i know it works good.
View 1 Replies View RelatedI would just like to to open UDP port 123 in the ASA 5510 Firewall so that our Primary Domain Controller could use this port to sync time with an external time source. We have already added an access rule for this port under the firewall configuration in ASDM 6.4 and this port was also allowed in the inbound and outbound rule of the PDC's Firewall but it seems that it was still blocked.
View 23 Replies View RelatedI am quite new to firewall, in my company one asa 5510 firewall is there.I configured inside, outside, dns, dhcp and nating.I need to config bandwidth limit (1Mbps) for inside port and I restruct like facebook, youtube and pornsites..And I heard that some subscription is required, really is it required?
View 1 Replies View RelatedI have an ASA 5510 in a live environment. Up til a short while ago I could access this via the ASDM and ssh. However I can no longer connect to it via eithier. When I access It via SSH I get a disclaimer saying the following
*** You have entered a restricted zone! Authorized access only!!! Disconnect immediately if you are not authorized user! ***
It then cuts me off.
When I try to access the ASDM I get the following
The firewall is running all its services without a problem and I can ping the device without any issues. Also none of the config (to my knpowledge has been changed). I set up a console session and http server enable is still there with
http 192.168.200.0 255.255.255.0 inside
I have just configured identity firewall on our ASA 5510.I have 3 nodes that authenticates against Active Directory, using the Windows Server 2008 R2 builtin Network Policy Server: A laptop, a stationary PC, and a Android Phone. All 3 nodes are authenticated using the same user/password.
Now, in ASDM -> Monitoring -> Properties -> Identity -> Users, I can see two of the nodes with my user name attached to it, namely the laptop and the stationary PC.But not the Android phone.
Then it dawned on me. To set up the ADAgent properly, you have to apply 2 group policy entries. Unfortunately, those 2 entries are applied to the Computer Configuraton part of the Group Policy.This means that your COMPUTER has to be a member of your domain for USER IDENTITY to work.So my Android phone and other nodes not a member of the AD Machine Store will never be detected by identity rules, and can roam the network free.
I'm trying to install an ASA 5510 transparent firewall using ASA version 8.4(3)9 but I don't understand how traffic will ever pass through my firewall if both interfaces are on the same sub net(V lan) as the host and it's default gateway? The reason I'm doing this is were installing UAG (or Direct Access) and the UAG appliance need to have public IP's but still be behind a firewall (see attached diagram).
Looking at the documentation (which all seems to be for 5505's running 8.2) it almost seems like i need to have the transparent firewall 'in-line' to the ISP router?, but this router services another IP address range on another v lan for other (routed) firewalls (not shown on diagram) so putting it 'in-line' is not possible. Surely this can't be the case can it? If not how is it supposed to be cabled up and configured so packets go through the firewall?