IPSec Performance of Cisco ASA 5510 as Measured by IPerf


Using iperf, the IPSec site-to-site throughput of the Cisco ASA 5510 was measured at 66 Mbps for both 3DES and AES-256 encryption. In comparison, the Mercury pfSense appliance measured 77 Mbps and the Mars pfSense appliance 100 Mbps, both with the Soekris VPN1411 accelerator installed.

IPSec performance is one of the deciding factors in choosing a firewall appliance. We have measured the IPSec site-to-site performance of our systems using iperf. Concerns had been raised that (1) our measured performance was significantly lower than that of Cisco ASA firewalls and (2) the testing methodologies differed. It was suggested that we test the IPSec site-to-site throughput of a Cisco ASA firewall using iperf as well.

Cisco ASA 5510

Two Cisco ASA 5510 firewalls were set up in a back-to-back configuration, with their WAN interfaces connected by a cross-over cable. A PC sat on the LAN side of each firewall: one served as the iperf server and the other as the iperf client, so all test traffic crossed the IPSec tunnel.

Hardware Information

Following is the Cisco ASA hardware configuration, as shown by the "show version" command.

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
 
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0         : address is 001d.45d9.b950, irq 9
 1: Ext: Ethernet0/1         : address is 001d.45d9.b951, irq 9
 2: Ext: Ethernet0/2         : address is 001d.45d9.b952, irq 9
 3: Ext: Ethernet0/3         : address is 001d.45d9.b953, irq 9
 4: Ext: Management0/0       : address is 001d.45d9.b954, irq 11
 5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
 6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
 
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 0
GTP/GPRS                     : Disabled
VPN Peers                    : 250
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
 
This platform has a Base license.
 
Serial Number: JMX1149L0MV
Running Activation Key: 0x3d2e6941 0xc4c29b1e 0x80534d80 0x9aec90b8 0x46239f95

ASA Configuration

Following are the relevant snippets of "show running-config" from one of the two ASA 5510 firewalls (the peer is configured as the mirror image, with 192.168.20.0/24 inside and 208.127.150.34 outside):

...
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 208.127.150.33 255.255.255.252
!
...
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
...
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 208.127.150.34 1
...
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 208.127.150.34
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
...
tunnel-group 208.127.150.34 type ipsec-l2l
tunnel-group 208.127.150.34 ipsec-attributes
 pre-shared-key *
...

Results

Following are the results of the IPSec throughput tests, compared against the Cisco ASA 5520 (estimated), the Cisco 2811, and Hacom's Mercury and Mars pfSense systems. Where two figures appear in a cell, the first is the measured (or estimated) value and the second is the value quoted by the vendor or measured with the VPN accelerator; see the notes.

IPSec Throughput   Cisco ASA 5510   Cisco ASA 5520   Cisco 2811    Mercury            Mars
                                                                   (1 GHz VIA C7)     (1.5 GHz Pentium-M)
3DES               66 Mbps [1]      87 Mbps [3]      22 Mbps [1]   15 Mbps [1,4]      51 Mbps [1,4]
                   170 Mbps [2]     225 Mbps [2]     35 Mbps [2]   77 Mbps [1,5]      100 Mbps [1,5]
AES-256            66 Mbps [1]      87 Mbps [3]      22 Mbps [1]   56 Mbps [1,4]      56 Mbps [1,4]
                   170 Mbps [2]     225 Mbps [2]     35 Mbps [2]   77 Mbps [1,5]      100 Mbps [1,5]

Notes:
[1] As measured by iperf.
[2] As reported in Cisco sales literature and documentation.
[3] Estimated from the ASA 5510 measurements.
[4] Without the Soekris VPN1411 VPN accelerator.
[5] With the Soekris VPN1411 VPN accelerator.

As shown in the table, the IPSec throughput of the ASA 5510 was measured at 66 Mbps for 3DES and 66 Mbps for AES-256. Both figures are far below those in the official Cisco documentation. There are two explanations for the discrepancy:

  1. The quoted 170 Mbps throughput was probably a full-duplex figure. The iperf test was half-duplex in nature: a single TCP stream in one direction only. To compare against the iperf data, the quoted figures should be halved: 85 Mbps for the ASA 5510 and about 113 Mbps for the ASA 5520.
  2. Since the iperf test was conducted using the default configuration, it may reflect "real-world" performance more closely, whereas the Cisco figures are probably best-case numbers obtained under ideal conditions.

The identical 3DES and AES-256 results also suggest that the cipher itself was not the bottleneck: both are offloaded to the on-board accelerator listed in "show version", so the limit was probably elsewhere in packet processing. Note too that iperf's default single TCP stream is itself bounded by the TCP window size, so a single-stream figure is a lower bound on what the tunnel can carry.

Curiously, when the Cisco 2811 routers were also tested using iperf, the results were consistent with the "real-world versus ideal conditions" explanation, but no "full-duplex versus half-duplex" effect was observed: the measured 22 Mbps is well above half of the quoted 35 Mbps.

The IPSec performance of the Cisco ASA 5520 was not measured; it was estimated by scaling the ASA 5510 measurements in proportion to Cisco's quoted figures (66 Mbps x 225/170, or about 87 Mbps).
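The measurement procedure described in the setup above, together with the bidirectional and multi-stream runs that would test the "full-duplex" explanation given in point 1, as an added example that is not part of the original article. It assumes iperf 2.x (the article does not name the version) and a server PC at 192.168.20.10 behind the far ASA; the article gives the 192.168.20.0/24 LAN but no host address, so that address is an assumption. The sample iperf output is constructed to match the 66 Mbps result reported above.

```shell
#!/bin/sh
# Added example, not from the original article: iperf-based IPsec tunnel
# throughput measurement plus a parser for iperf 2's summary line.
# Assumed values (not stated on the page): server host 192.168.20.10, 60 s runs.

SERVER=${SERVER:-192.168.20.10}
DURATION=${DURATION:-60}

# On the PC behind the far ASA (192.168.20.0/24), start the server first:  iperf -s
# On the PC behind the near ASA (192.168.10.0/24), run the client tests:
measure_tunnel() {
    # Single one-way TCP stream: what the article's 66 Mbps figure represents.
    iperf -c "$SERVER" -t "$DURATION" -f m
    # Both directions simultaneously (-d): if the ASA is limited by aggregate
    # crypto throughput, the two streams should together approach the quoted figure.
    iperf -c "$SERVER" -t "$DURATION" -f m -d
    # Four parallel streams (-P 4): separates a single-TCP-flow limit from a device limit.
    iperf -c "$SERVER" -t "$DURATION" -f m -P 4
}

# Extract the Mbit/s value from iperf 2 output lines such as
# "[  3]  0.0-60.0 sec   472 MBytes  66.0 Mbits/sec" (last summary line wins).
iperf_mbps() {
    awk '/Mbits\/sec/ { for (i = 1; i <= NF; i++) if ($i == "Mbits/sec") print $(i - 1) }' | tail -n 1
}

# Percentage of a quoted figure that a measurement achieved, truncated to an integer.
percent_of_quoted() { # usage: percent_of_quoted MEASURED QUOTED
    awk -v m="$1" -v q="$2" 'BEGIN { printf "%d\n", (m / q) * 100 }'
}

# Constructed sample of iperf 2 client output matching the article's 66 Mbps result.
SAMPLE='------------------------------------------------------------
Client connecting to 192.168.20.10, TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  3] local 192.168.10.10 port 51234 connected with 192.168.20.10 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-60.0 sec   472 MBytes  66.0 Mbits/sec'

measured=$(printf '%s\n' "$SAMPLE" | iperf_mbps)
echo "measured: ${measured} Mbit/s"
echo "share of Cisco's quoted 170 Mbit/s: $(percent_of_quoted "$measured" 170)%"
echo "share of the halved figure, 85 Mbit/s: $(percent_of_quoted "$measured" 85)%"

# The live test only runs when iperf is installed and RUN_LIVE=1 is set,
# so the script stays usable offline for parsing saved iperf output.
if [ "${RUN_LIVE:-0}" = 1 ] && command -v iperf >/dev/null 2>&1; then
    measure_tunnel
fi
```

Run the client side with RUN_LIVE=1 on the 192.168.10.0/24 PC after starting `iperf -s` on the far PC. If the -d run roughly doubles the aggregate while -P 4 does not raise the one-way figure, the "full-duplex" explanation holds; if -P 4 alone raises it, the single TCP stream rather than the ASA was the limit.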

Conclusions

From the iperf perspective, both the Mercury and the Mars pfSense appliances have similar or better IPSec site-to-site performance than the mid-range Cisco ASA 5510 and 5520 firewalls.

The IPSec setup also seemed easier on pfSense than on the ASA. To get the Cisco IPSec site-to-site tunnel working, we had to abandon the ASDM 6.21 GUI and use the CLI instead. Perhaps we were annoyed only because we did not expect the ASA configuration syntax to differ slightly from Cisco IOS.


Comments

Not sure why your numbers are so low, but our company regularly saturates a 100 Mb line with only ASA 5510s on either end. IPSec AES is in place. CPU usage sits around 40% during long transfers.

I would look to see where your performance bottleneck is.

One thing I do notice is that you're not taking advantage of the ASA 5510's built-in crypto accelerator. It's activated with this line: crypto engine large-mod-accel

I have no doubt that Cisco's spec for 170Mbps one-way VPN throughput on the 5510 could be achieved through a properly configured system.