Cisco ASA5500 VPN Performance

Comments None

Edit – Feb 9 2018:
I did another test, to a StrongSwan EndPoint, over the internet (to a VPS, and was able to transfer a 111Mbyte file in 30s, 3.7MByte/s or 29.6Megabit/s, which is limited by my internet connection. The ASA5505, is still useful for many people. I’m not sure why it was so slow in the below test.

Just to show how quickly technology has advanced, I did some benchmarks on a Cisco ASA5505 in order to see how it would perform encrypting information into a VPN. I made a quick test network between two interfaces on an HP DL350G6, with a Ubiquiti Edge Router on one interface, and the Cisco ASA5500 on the other interface. I did one test direct between two VM’s first to get a baseline, and this is what it can do:
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.03  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.03  sec   327 MBytes   273 Mbits/sec                  receiver
Then I setup a VPN with AES-256 encryption, and this is what the ASA5505 can do:
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.05  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.05  sec  5.19 MBytes  4.33 Mbits/sec                  receiver
Pretty slow, so I thought I’d try 3DES encryption. Surprisingly I had the same result
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.05  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.05  sec  5.21 MBytes  4.35 Mbits/sec                  receiver
According to the ASA itself, it should be good for 25MBps:
deskwall# show crypto accelerator statistics

Crypto Accelerator Status
   Supports hardware crypto: True
   Supports modular hardware crypto: False
   Max accelerators: 1
   Max crypto throughput: 25 Mbps
   Max crypto connections: 10
[Global Statistics]
   Number of active accelerators: 1
   Number of non-operational accelerators: 0
   Input packets: 526230
   Input bytes: 112704584
   Output packets: 575180
   Output error packets: 0
   Output bytes: 270144780
A few tips to get this working. On the Ubiquiti Edge, the encryption settings need to match, you can do this by adjusting the advanced settings, as shown below: The Edge does not seem to differentiate between IKE and IPSEC. On the Cisco ASA make sure that the encryption settings on the IKE and IPSec both match.



There are currently no comments on this article.


Enter your comment below. Fields marked * are required. You must preview your comment before submitting it.

← Older Newer →