ASA throughput depends on port location
Posted by ltlnetworker on January 25, 2011
I can hardly believe my own test results. I’m running performance tests on an ASA 5550 (the one with a factory-installed 4GE module) and there is an interface pair where throughput is lower than on other pairs.
I’m testing with iperf set to TCP and unidirectional (client-to-server, the default). I have a couple of zones and 8 physical ports. The throughput can reach 920 to 950 Mbit/s (provided you have two Linux laptops or servers) between any two interfaces… if they are not on the same card. (One card is the mainboard itself and the other is slot1, the 4GE module.) However, between G0/1 and G0/3 there is a limit of approx. 650 Mbit/s, and a slightly better value of about 730 Mbit/s between G1/0 and G1/2.
Underrun or overrun counters are increasing on the interface during the tests, so the throttling is probably due to exceeding the hardware capacity.
I can clearly focus on the difference by organizing G0/2 and G1/2 in a redundant interface pair and letting the tests run with the same settings. In this case, the same IP and firewall configuration applies to the port which is active at the moment.

interface Redundant 1
 nameif zone1
 security-level 80
 ip address x.x.x.x y.y.y.y
 member-interface G0/2
 member-interface G1/2

And the throughput varies depending on which firewall port I plug the cable into.
Software versions: 8.3(1) and 8.3(2)
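
To confirm which ports hit the overrun/underrun condition described above, the counters can be compared before and after an iperf run. The following is an added example, not part of the original post: the sample text is constructed in the layout of "show interface" output (not captured from a device), and the function names are hypothetical.

```python
import re

# Constructed samples in the layout of ASA "show interface" output,
# taken before and after a test run (not captured from a real device).
BEFORE = """\
Interface GigabitEthernet0/1 "zone1", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 12 overrun, 0 ignored, 0 abort
        900 packets output, 120000 bytes, 3 underruns
Interface GigabitEthernet1/0 "zone2", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        400 packets output, 60000 bytes, 0 underruns
"""
AFTER = """\
Interface GigabitEthernet0/1 "zone1", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 4312 overrun, 0 ignored, 0 abort
        990000 packets output, 130000000 bytes, 3 underruns
Interface GigabitEthernet1/0 "zone2", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        880000 packets output, 120000000 bytes, 57 underruns
"""

IFACE = re.compile(r"^Interface (\S+)")
COUNTER = re.compile(r"(\d+) (overrun|underrun)s?\b")

def parse_counters(text):
    """Return {interface: {"overrun": n, "underrun": n}} from show-interface text."""
    counters, current = {}, None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            counters[current] = {"overrun": 0, "underrun": 0}
        elif current is not None:
            for value, name in COUNTER.findall(line):
                counters[current][name] = int(value)
    return counters

def counter_deltas(before, after):
    """Report only the counters that grew between the two snapshots."""
    old, new = parse_counters(before), parse_counters(after)
    deltas = {}
    for iface, now in new.items():
        prev = old.get(iface, {})
        grown = {k: v - prev.get(k, 0) for k, v in now.items() if v > prev.get(k, 0)}
        if grown:
            deltas[iface] = grown
    return deltas

if __name__ == "__main__":
    for iface, grown in counter_deltas(BEFORE, AFTER).items():
        print(iface, grown)
```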