Cisco ASA5500 VPN Performance

Just to show how quickly technology has advanced, I did some benchmarks on a Cisco ASA5505 in order to see how it would perform encrypting information into a VPN. I made a quick test network between two interfaces on an HP DL350G6, with a Ubiquiti Edge Router on one interface, and the Cisco ASA5500 on the other interface. I did one test directly between two VMs first to get a baseline, and this is what it can do:

[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.03  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.03  sec   327 MBytes   273 Mbits/sec                  receiver

Then I set up a VPN with AES-256 encryption, and this is what the ASA5505 can do:

[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.05  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.05  sec  5.19 MBytes  4.33 Mbits/sec                  receiver

Pretty slow, so I thought I’d try 3DES encryption. Surprisingly, I had the same result:

[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.05  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.05  sec  5.21 MBytes  4.35 Mbits/sec                  receiver

According to the ASA itself, it should be good for 25 Mbps:


deskwall# show crypto accelerator statistics

Crypto Accelerator Status
-------------------------
[Capability]
   Supports hardware crypto: True
   Supports modular hardware crypto: False
   Max accelerators: 1
   Max crypto throughput: 25 Mbps
   Max crypto connections: 10
[Global Statistics]
   Number of active accelerators: 1
   Number of non-operational accelerators: 0
   Input packets: 526230
   Input bytes: 112704584
   Output packets: 575180
   Output error packets: 0
   Output bytes: 270144780

A few tips to get this working. On the Ubiquiti Edge, the encryption settings need to match; you can do this by adjusting the advanced settings, as shown below. The Edge does not seem to differentiate between IKE and IPsec. On the Cisco ASA, make sure that the encryption settings on IKE and IPsec both match.
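One way to check the ASA side of that tip is to compare the IKE policy ciphers with the IPsec transform-set ciphers in the saved configuration. The script below is an added example, not from the original post; it assumes IKEv1 CLI syntax (`crypto ikev1 policy` or the older `crypto isakmp policy`, and `crypto ipsec [ikev1] transform-set`), and the sample configuration and its names are constructed.

```python
import re

# Constructed sample config, not taken from the post: Phase 1 (IKE) uses
# AES-256, but one Phase 2 (IPsec) transform set is still 3DES.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TS-3DES esp-3des esp-sha-hmac
"""

# Newer ASA software says "ikev1"; older releases say "isakmp" and omit
# "ikev1" in the transform-set command. Both spellings are accepted.
POLICY_RE = re.compile(r"^crypto (?:ikev1|isakmp) policy (\d+)\s*$")
TSET_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")

def ike_ciphers(config):
    """Map each IKE policy number to its 'encryption' value."""
    policies, current = {}, None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
        elif not line.startswith(" "):
            current = None  # left the policy sub-mode
        elif current is not None:
            parts = line.split()
            if len(parts) == 2 and parts[0] == "encryption":
                policies[current] = parts[1]
    return policies

def transform_set_ciphers(config):
    """Map each transform-set name to its ESP cipher (e.g. 'aes-256')."""
    sets = {}
    for line in config.splitlines():
        m = TSET_RE.match(line)
        for tok in (m.group(2).split() if m else []):
            if tok.startswith("esp-") and not tok.endswith("-hmac") and tok != "esp-none":
                sets[m.group(1)] = tok[len("esp-"):]
    return sets

def mismatched_sets(config):
    """Transform sets whose cipher matches no IKE policy cipher."""
    phase1 = set(ike_ciphers(config).values())
    return sorted(n for n, c in transform_set_ciphers(config).items() if c not in phase1)

if __name__ == "__main__":
    print(mismatched_sets(SAMPLE_CONFIG))
```

Any transform set it reports uses a cipher that no IKE policy offers, which is the mismatch a peer with a single shared encryption setting cannot negotiate around.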

