Verifying IPsec and SSL Performance of ASA Firewall

It’s difficult to get any documentation from Cisco that confirms the forwarding performance of the ASA firewall. However, once you have a unit in hand, the “show crypto accelerator statistics” command is a handy way to verify and check the hardware crypto performance of your ASA.

I think that most of this output is self-explanatory so I’m not going to talk about it at length.

  • the crypto accelerator is a chip on the motherboard dedicated to processing crypto primitives
  • the old PIX performed crypto on the Intel CPU – that’s why they were relatively limited in performance
  • this command exposes some data about the crypto performance
  • Note that the ‘show cpu’ command does not directly relate to the crypto performance, but it does relate to the firewall performance, since those functions are done in the CPU.

fw-01# sh cry accelerator statistics

Crypto Accelerator Status
-------------------------
[Capability]
Supports hardware crypto: True
Supports modular hardware crypto: False
Max accelerators: 1
Max crypto throughput: 325 Mbps
Max crypto connections: 5000

[Global Statistics]
Number of active accelerators: 1
Number of non-operational accelerators: 0
Input packets: 2437130406
Input bytes: 1644067774
Output packets: 1552581051
Output error packets: 0
Output bytes: 3842269477

[Accelerator 0]
Status: OK
Software crypto engine
Slot: 0
Active time: 27870983 seconds
Total crypto transforms: 76414
Total dropped packets: 0
[Input statistics]
Input packets: 0
Input bytes: 90352
Input hashed packets: 0
Input hashed bytes: 0
Decrypted packets: 0
Decrypted bytes: 90352
[Output statistics]
Output packets: 0
Output bad packets: 0
Output bytes: 855960
Output hashed packets: 0
Output hashed bytes: 0
Encrypted packets: 0
Encrypted bytes: 856168
[Diffie-Hellman statistics]
Keys generated: 88
Secret keys derived: 88
[RSA statistics]
Keys generated: 18
Signatures: 12
Verifications: 154
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 65
Random number request failures: 0

[Accelerator 1]
Status: OK
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
Slot: 1
Active time: 27870994 seconds
Total crypto transforms: 3999919428
Total dropped packets: 0
[Input statistics]
Input packets: 2437154997
Input bytes: 1650444602
Input hashed packets: 2432214299
Input hashed bytes: 3977842788
Decrypted packets: 2437157915
Decrypted bytes: 4197957230
[Output statistics]
Output packets: 1552608542
Output bad packets: 0
Output bytes: 3846165237
Output hashed packets: 1509182817
Output hashed bytes: 2120746672
Encrypted packets: 1552608542
Encrypted bytes: 4188689901
[Diffie-Hellman statistics]
Keys generated: 18173
Secret keys derived: 13654
[RSA statistics]
Keys generated: 0
Signatures: 75
Verifications: 0
Encrypted packets: 75
Encrypted bytes: 1500
Decrypted packets: 0
Decrypted bytes: 0
[SSL statistics]
Outbound records: 43425725
Inbound records: 4940699
[RNG statistics]
Random number requests: 5278935
Random number request failures: 0
fw-01#

fw-04# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(4)1
Device Manager Version 6.2(1)

Compiled on Fri 17-Dec-10 17:02 by builders
System image file is "disk0:/asa824-1-k8.bin"
Config file at boot was "startup-config"

rl-fw-vpn-04 up 8 days 20 hours

Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

0: Ext: GigabitEthernet0/0 : address is 0022.bdd7.556a, irq 9
1: Ext: GigabitEthernet0/1 : address is 0022.bdd7.556b, irq 9
2: Ext: GigabitEthernet0/2 : address is 0022.bdd7.556c, irq 9
3: Ext: GigabitEthernet0/3 : address is 0022.bdd7.556d, irq 9
4: Ext: Management0/0 : address is 0022.bdd7.556e, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not used : irq 5
7: Ext: GigabitEthernet1/0 : address is d0d0.fd52.afd2, irq 255
8: Ext: GigabitEthernet1/1 : address is d0d0.fd52.afd3, irq 255
9: Ext: GigabitEthernet1/2 : address is d0d0.fd52.afd4, irq 255
10: Ext: GigabitEthernet1/3 : address is d0d0.fd52.afd5, irq 255
11: Int: Internal-Data1/0 : address is 0000.0003.0002, irq 255

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 5000
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled

This platform has an ASA 5550 VPN Premium license.

Serial Number:
Running Activation Key:
Configuration register is 0x1
Configuration last modified by enable_15 at 07:46:08.322 UTC Sat Feb 26 2011
fw-04#

fw-04# sh cry accelerator statistics

Crypto Accelerator Status
-------------------------
[Capability]
Supports hardware crypto: True
Supports modular hardware crypto: False
Max accelerators: 1
Max crypto throughput: 425 Mbps
Max crypto connections: 5000
[Global Statistics]
Number of active accelerators: 1
Number of non-operational accelerators: 0
Input packets: 1392354738
Input bytes: 835725105018
Output packets: 1269213671
Output error packets: 0
Output bytes: 481930427071

[Accelerator 0]
Status: OK
Software crypto engine
Slot: 0
Active time: 765752 seconds
Total crypto transforms: 38432
Total dropped packets: 0
[Input statistics]
Input packets: 0
Input bytes: 43968
Input hashed packets: 0
Input hashed bytes: 0
Decrypted packets: 0
Decrypted bytes: 43968
[Output statistics]
Output packets: 0
Output bad packets: 0
Output bytes: 433928
Output hashed packets: 0
Output hashed bytes: 0
Encrypted packets: 0
Encrypted bytes: 434136
[Diffie-Hellman statistics]
Keys generated: 75
Secret keys derived: 43
[RSA statistics]
Keys generated: 10
Signatures: 9
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 65
Random number request failures: 0
[HMAC statistics]
HMAC requests: 8109

[Accelerator 1]
Status: OK
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
Slot: 1
Active time: 765756 seconds
Total crypto transforms: 2662248856
Total dropped packets: 0
[Input statistics]
Input packets: 1392370877
Input bytes: 835732045306
Input hashed packets: 1392370211
Input hashed bytes: 807943722900
Decrypted packets: 1392372068
Decrypted bytes: 774527345686
[Output statistics]
Output packets: 1269228058
Output bad packets: 0
Output bytes: 481935679813
Output hashed packets: 1124010690
Output hashed bytes: 423227145088
Encrypted packets: 1269228058
Encrypted bytes: 418991081173
[Diffie-Hellman statistics]
Keys generated: 148
Secret keys derived: 52
[RSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[SSL statistics]
Outbound records: 145217368
Inbound records: 668
[RNG statistics]
Random number requests: 625234
Random number request failures: 0
[HMAC statistics]
HMAC requests: 7771
fw-04#
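The counters above are lifetime totals, so a single snapshot says nothing about current load. The following Python helper is an added example (not from the original post) that parses the integer counters of this command, grouped by accelerator, and derives the throughput actually realised between two snapshots using the accelerator's own “Active time” as the clock, alongside the dropped-packet and RNG-failure counters worth watching. It assumes the rated “Max crypto throughput” is an aggregate figure for both directions; the sample snapshots are constructed in the article's layout, not real counters.

```python
import re

SECTION = re.compile(r"^\[(.+)\]$")
COUNTER = re.compile(r"^([^:]+?)\s*:\s*(\d+)")  # integer-valued fields only

def parse(text):
    """Group the integer counters of 'show crypto accelerator statistics' by
    accelerator; sub-section names are prefixed so Input/Output keys stay distinct."""
    out, acc, sub = {}, "Global", ""
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            name = m.group(1)
            top = name.startswith("Accelerator") or name in ("Capability", "Global Statistics")
            acc, sub = (name, "") if top else (acc, name.split()[0] + "/")
            continue
        m = COUNTER.match(line.strip())
        if m:
            out.setdefault(acc, {})[sub + m.group(1)] = int(m.group(2))
    return out

def realized_mbps(snap0, snap1, acc="Accelerator 1"):
    """Bits/s (both directions) the hardware engine really moved between two
    snapshots, clocked by its own 'Active time', against the rated maximum
    (assumed to be an aggregate figure), plus the health counters to watch."""
    a, b = parse(snap0)[acc], parse(snap1)[acc]
    secs = b["Active time"] - a["Active time"]
    if secs <= 0:
        raise ValueError("take the second snapshot after the first")
    moved = sum(b[k] - a[k] for k in ("Input/Input bytes", "Output/Output bytes"))
    mbps = moved * 8 / secs / 1e6
    rated = parse(snap1)["Capability"]["Max crypto throughput"]
    return {"mbps": round(mbps, 1), "percent_of_rated": round(100 * mbps / rated, 1),
            "new_drops": b["Total dropped packets"] - a["Total dropped packets"],
            "rng_failures": b["RNG/Random number request failures"]}

def snapshot(active, in_bytes, out_bytes, drops=0):
    # Constructed, abbreviated output in the article's layout (not real counters).
    return (f"[Capability]\nMax crypto throughput: 425 Mbps\n[Accelerator 1]\n"
            f"Active time: {active} seconds\nTotal dropped packets: {drops}\n"
            f"[Input statistics]\nInput bytes: {in_bytes}\n"
            f"[Output statistics]\nOutput bytes: {out_bytes}\n"
            f"[RNG statistics]\nRandom number request failures: 0\n")

if __name__ == "__main__":
    t0 = snapshot(1000, 1_000_000_000, 500_000_000)
    t1 = snapshot(1060, 2_500_000_000, 1_250_000_000)  # 60 s later
    print(realized_mbps(t0, t1))  # {'mbps': 300.0, 'percent_of_rated': 70.6, ...}
```

Paste the full command output for each snapshot; non-numeric lines such as the microcode versions and “Status: OK” are skipped by the counter regex.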

  • Oliver Gorwits

    Those numbers do seem to tie up with the ASA Models Comparison chart over on Cisco.com, but from the CLI you get more info about the hardware implementation and live performance. Thanks for the post!

    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

  • Martin

    Hi Greg,

    PIXes did have an accelerator module. It’s called VAC (or VAC+).
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080210cd9.html

    So I believe the statement should be – “by default” the old PIX performed crypto on the Intel CPU.

    Martin

  • windexh8er (http://www.slash32.com)

    While this is a general way to round up the capabilities of your platform, statistics like:

    Max crypto throughput: 425 Mbps

    …should not be taken literally. There are a number of factors that will influence this number and it should be taken as a best-case-scenario, as in don’t-expect-1Gb-off-a-1Gb-link.

    Things like vpn type (i.e. l2l-vpn, dmvpn, webvpn, svc) and code revisions can directly impact that performance. Keep in mind that newer versions contain newer microcode per VPN technology:

    SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
    IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06

    …so performance will (I’ve measured this) vary between releases, especially when you see these rev numbers change.

    The only *true* way to measure your realized performance is to graph tunnel statistics based on what you are doing. This isn’t always feasible for on-demand / dynamic links; however, when you’re in preproduction this is the time to baseline your hardware since, as I mentioned, SW revs have been shown to dramatically improve or decrease performance of VPN tunnels. This is also the only way you can reliably prove problematic releases to TAC.

    To sum things up I would say that “sh cry accelerator statistics” does nothing of the sort to “Verify IPsec and SSL Performance” other than to print out a line of what your accelerator has done in a lab under perfect conditions at some point in time.