Performance Overhead for Cisco ASA5505 Firewall

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
carljokl
Member
Posts: 151
Joined: Fri Jun 20, 2008 11:09 am
Location: London, UK

Postby carljokl » Mon Aug 08, 2011 2:12 am

I was wondering if the performance overhead for the Cisco firewalls or the Cisco ASA 5505 in particular is significant?

The performance when accessing web pages at my local chapel seems quite a bit slower than I would expect. The raw ADSL connection speed says it is running at 7.5mb/s, but many pages seem to load more sluggishly than would be expected at that speed.

It may well be the case that there isn't much I can do about it anyway but I am curious why the performance seems slower than I think it should be.
There are no problems, only solutions.

Aczlan
Member
Posts: 351
Joined: Sun Jun 06, 2010 4:29 pm
Location: Upstate, NY, USA

Postby Aczlan » Mon Aug 08, 2011 1:04 pm

What do http://speedtest.lds.org/ and http://www.speedtest.net/ say your speed is when you go through the firewall?

Aaron Z

johnshaw
Senior Member
Posts: 1834
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

Postby johnshaw » Mon Aug 08, 2011 6:45 pm

I have found a 40% hit is normal

Aczlan
Member
Posts: 351
Joined: Sun Jun 06, 2010 4:29 pm
Location: Upstate, NY, USA

Postby Aczlan » Mon Aug 08, 2011 7:40 pm

JohnShaw wrote: I have found a 40% hit is normal


This is a complicated question; just "a 40% hit" is misleading IMO.
I work with a place which has ~40 branch locations which have Sonicwall 200, 210 and 220 units. If you turn on filtering, antivirus, antispam, antimalware and such, the throughput drops from (let's say) 50mbps (combined in/out) to 20 (combined).
So, the performance hit (and how noticeable it is) will depend greatly on what filtering is turned on and how much bandwidth you are pushing through it.
There may also be a difference depending on what speedtest you use. The church one gives me a result of ~13x3 at work and others (like http://www.speedtest.net/ ) give me 12/9 (we are on a 10x10 fiber connection).

Aaron Z

johnshaw
Senior Member
Posts: 1834
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

Postby johnshaw » Mon Aug 08, 2011 8:19 pm

Aaron, I don't think the answer was at all misleading; I was answering a direct question about the ASA5505 firewall as deployed by the Church IT group in meetinghouse internet implementations. If the question had been about the PIX 501's or the 881W my answer would be different. I reach the conclusion I stated by taking the overhead percentage that the firewall seems to incur when performing timings using a test plugged in behind the firewall versus being plugged directly into the DSL provider's modem/router. I have 4 meetinghouses with the ASA5505, 2 with the PIX 501, and 2 with a 881; each is configured differently and affects actual speeds differently.

It is my opinion that the ASA5505 wasn't/isn't as baked as it should be, but resources aren't being put into fixing some of the real issues due to the newer direction with the 881W. I worked with the GSD on performance issues of the ASA5505 multiple times over 6-8 months, it was long, drawn out, and painful...

If you have a FHC that is behind an ASA5505, you should consider swapping it out... performance is going to be bad, or if you want it fixed, message me privately and I'll get you in touch with the ONLY guy on the GSD that can fix the issue. You can test this by hitting the URL http://new.familysearch.org (This is not a general slowness issue, it is only slowness with the specific website for newfamilysearch) - behind the ASA5505... you'll find some really funny connectivity issues, like the web page coming up in 25-35 seconds behind the firewall, but taking 2-3 seconds plugged directly into the DSL modem/router.

carljokl
Member
Posts: 151
Joined: Fri Jun 20, 2008 11:09 am
Location: London, UK

Postby carljokl » Tue Aug 09, 2011 6:49 am

I will do more tests. What you say makes sense, in particular as the times I have noticed it most have been when presentations about family search have been done at the Chapel. This is just one computer using the connection and a projector. When showing the members how to use new family search I was left thinking to myself, the connection speed is fast enough (well above UK average but that might not be saying much) but the family search pages seem kind of sluggish loading, which I would not have expected. If you say that performance is especially bad for that it would make sense. I know that there is a special proxy system in place for accessing 3rd party subscription based websites but I would not expect that to affect the main site so much. The building has a family history centre but only a very small one (only one computer) which was intended to be a members only secondary centre to reduce travel distances for this half of the Stake.

I doubt I will be able to get the firewall swapped out. Unless it is actually broken I expect I have little chance of getting the FM to change it; besides, I don't think the newer units have been rolled out in the UK anywhere yet anyway.
There are no problems, only solutions.

