The ASA Data Sheet can also be a little misleading so read carefully. You will see that Stateful Inspection throughput appears twice for each device. The one you should look at is Multi Protocol and not Max. Max is for UDP traffic only and not TCP packets which nearly every environment uses. You can see the different information at the bottom in the key.
| Cisco ASA Model | ASA 5505 / Security Plus | ASA 5510 / Security Plus | ASA 5512-X / Security Plus | ASA 5515-X |
|---|---|---|---|---|
 |
 |
 |
|
|
| Stateful Inspection throughput (max1) | Up to 150 Mbps | Up to 300 Mbps | 1 Gbps | 1.2 Gbps |
| Stateful Inspection throughput (multiprotocol2) | – | – | 500 Mbps | 600 Mbps |
| Next-Generation throughput3 (multiprotocol) | – | – | 200 Mbps | 350 Mbps |
| IPS throughput4 | Up to 75 Mbps with AIP SSC-5 | Up to 150 Mbps with AIP SSM-10; 300 Mbps with AIP SSM-20 | 250 Mbps (Extra hardware module not required) |
400 Mbps (Extra hardware module not required) |
| Concurrent sessions | 10,000 /25,000 | 50,000 /130,000 | 100,000 | 250,000 |
| Connections per second | 4,000 | 9,000 | 10,000 | 15,000 |
| Packets per second (64 byte) | 85,000 | 190,000 | 450,000 | 500,000 |
| 3DES/AES VPN throughput5 | 100 Mbps | 170 Mbps | 200 Mbps | 250 Mbps |
| Site-to-site and IPsec IKEv1 client VPN user sessions | 25 | 250 | 250 | 250 |
| AnyConnect or clientless VPN user sessions | 25 | 250 | 250 | 250 |
| Cisco Cloud Web Security users | 25 | 75 | 100 | 250 |
| VLANs | 3 (trunking disabled) / 20 (trunking enabled) | 50 / 100 | 50 / 100 | 100 |
| High-availability support6 | Not available | Not available; A/A and A/S | Not available; A/A and A/S | A/A and A/S |
| Integrated I/O | 8-port FE with 2 Power over Ethernet (PoE) ports | 5-port FE / 2-port 10/100/1000, 3-port FE | 6-port 10/100/1000 | 6-port 10/100/1000 |
| Expansion I/O | Not available | 4-port 10/100/1000 or 4-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) |
| Dual power supplies | Not available | Not available | Not available | Not available |
| Power | AC/DC | AC/DC | AC/DC | AC/DC |
| Cisco ASA Model | ASA 5520 | ASA 5525-X | ASA 5540 | ASA 5545-X | ASA 5550 | ASA 5555-X |
|---|---|---|---|---|---|---|
| |
|
|
|
 |
|
|
| Stateful Inspection throughput (max1) | 450 Mbps | 2 Gbps | 650 Mbps | 3 Gbps | 1.2 Gbps | 4 Gbps |
| Stateful Inspection throughput (multiprotocol2) | – | 1 Gbps | – | 1.5 Gbps | – | 2 Gbps |
| Next-Generation throughput3 (multiprotocol) | – | 650 Mbps | – | 1 Gbps | – | 1.4 Gbps |
| IPS throughput4 | Up to 225 Mbps with AIP SSM-10; 375 Mbps with AIP SSM-20; 450 Mbps with AIP SSM-40 | 600 Mbps (Extra hardware module not required) |
Up to 500 Mbps with AIP SSM-20; 650 Mbps with AIP SSM-40 | 900 Mbps (Extra hardware module not required) |
Not Available | 1.3 Gbps (Extra hardware module not required) |
| Concurrent sessions | 280,000 | 500,000 | 400,000 | 750,000 | 650,000 | 1,000,000 |
| Connections per second | 12,000 | 20,000 | 25,000 | 30,000 | 33,000 | 50,000 |
| Packets per second (64 byte) | 320,000 | 700,000 | 500,000 | 900,000 | 600,000 | 1,100,000 |
| 3DES/AES VPN throughput5 | 225 Mbps | 300 Mbps | 325 Mbps | 400 Mbps | 425 Mbps | 700 Mbps |
| Site-to-site and IPsec IKEv1 client VPN user sessions | 750 | 750 | 5,000 | 2,500 | 5,000 | 5,000 |
| AnyConnect or clientless VPN user sessions | 750 | 750 | 2,500 | 2,500 | 5,000 | 5,000 |
| Cisco Cloud Web Security users | 300 | 500 | 1,000 | 1,500 | 2,000 | 3,000 |
| VLANs | 150 | 200 | 200 | 300 | 400 | 500 |
| High-availability support6 | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |
| Integrated I/O | 4-port 10/100/1000 and 1-port FE | 8-port 10/100/1000 | 4-port 10/100/1000 + 1-port FE | 8-port 10/100/1000 | 8-port 10/100/1000 + 1-port FE | 8-port 10/100/1000 |
| Expansion I/O | 4-port 10/100/1000 or 4-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) | 4-port 10/100/1000 or 4-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) | None | 6-port 10/100/1000 or 6-port GE (SFP) |
| Dual Power Supplies | Not available | Not available | Not available | Not available | Not available | Yes |
| Power | AC/DC | AC/DC | AC/DC | AC/DC | AC/DC | AC/DC |
| Cisco ASA Model | ASA 5585-X with SSP10 | ASA 5585-X with SSP20 | ASA 5585-X with SSP40 | ASA 5585-X with SSP60 | ASA Services Module |
|---|---|---|---|---|---|
 |
|
|
|
 |
|
| Stateful Inspection throughput (max1) | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps | 20 Gbps |
| Stateful Inspection throughput (multiprotocol2) | 2 Gbps | 5 Gbps | 10 Gbps | 20 Gbps | 16 Gbps |
| Next-Generation throughput3 (multiprotocol) | 2 Gbps (with ASA CX SSP-10) |
5 Gbps (with ASA CX SSP-20) |
Not available | Not available | Not available |
| IPS throughput4 (multiprotocol) | 2 Gbps (with IPS SSP-10) |
3 Gbps (with IPS SSP-20) |
5 Gbps (with IPS SSP-40) |
10 Gbps (with IPS SSP-60) |
Not available |
| Concurrent sessions | 1,000,000 | 2,000,000 | 4,000,000 | 10,000,000 | 10,000,000 |
| Connections per second | 50,000 | 125,000 | 200,000 | 350,000 | 300,000 |
| Packets per second (64 byte) | 1,500,000 | 3,000,000 | 5,000,000 | 9,000,000 | 5,000,000 |
| 3DES/AES VPN throughput5 | 1 Gbps | 2 Gbps | 3 Gbps | 5 Gbps | 2 Gbps |
| Site-to-site and IPsec IKEv1 client VPN user sessions | 5,000 | 10,000 | 10,000 | 10,000 | 10,000 |
| AnyConnect or clientless VPN user sessions | 5,000 | 10,000 | 10,000 | 10,000 | 10,000 |
| Cisco Cloud Web Security users | 7,500 | 7,500 | 7,500 | 7,500 | 7,500 |
| Integtrated I/O | 8-port 10/100/1000 and 2-port 10 GE (SFP+)6 | 8-port 10/100/1000 and 2-port 10 GE (SFP+)6 | 6-port 10/100/1000 and 4-port 10 GE (SFP+) | 6-port 10/100/1000 and 4-port 10 GE (SFP+) | Provided by the switch or router |
| Expansion I/O7 | 8-port 10 GE(SFP/SFP+) or 4-port 10 GE(SFP/SFP+) or 20-port 1 GE (12-port 1 GE SFP and 8-port 10/100/100) |
Provided by the switch or router | |||
| Dual power supplies | Yes | Yes | Yes | Yes | Yes. Provided by the switch or router |
| VLANs | 1,024 | 1,024 | 1,024 | 1,024 | 1,000 |
| High-availability support8 | 1,024 | 1,024 | 1,024 | 1,024 | 1,000 |
| Power | AC | AC | AC | AC | AC/DC provided by the switch or router |
1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4 Firewall traffic that does not go through IPS SSP module can have higher throughput.
5 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
6 Requires a separate license
7 Half-width modules
8 A/A = Active/Active; A/S = Active/Standby
This data was pulled from the following Cisco Article
0 Comments