3

What is the typical latency added when using a Cisco firewall such as ASA 5505? Are we talking less than 50 microseconds?

DD.
  • 3,114
  • 11
  • 35
  • 50

2 Answers2

5

The high-end Cisco ASA 5580 series has a published spec of 30μs latency as a selling point for ultra low-latency environments. The entry-level ASA 5505 would not be close to that level. I'd assume that 50μs is out of reach for the 5505.

ewwhite
  • 197,159
  • 92
  • 443
  • 809
3

I'm seeing about 3ms - 4ms between my web servers and my database servers for the TCP connection ( SYN -> SYN/ACK -> ACK ) traveling through an ASA 5510.

So yes, less than 50ms.

I don't know if the ASA 5505 is comparable.

For comparison, three TCP connections between two hosts on the same network that didn't travel through the ASA 5510 took 256μs when averaged. (Same methodology as the first measurement.)

Ladadadada
  • 26,337
  • 7
  • 59
  • 90
  • 1
    Are you measuring in milliseconds or microseconds? – ewwhite May 15 '12 at 14:43
  • 1
    @Ladadadada: Any chance you could show us your methodology for measuring this? I think that will be more useful in the long run to the world at whole than just the one sample.. – Kyle Brandt May 15 '12 at 14:44
  • ms is not microseconds - you're measuring milliseconds there. 1ms (millisecond) is equal to 1000 µs (microseconds). – Dan May 15 '12 at 14:45
  • I have an ASA 5505 and I see about 5 - 8 ms in the same metric @Ladadadada is describing. – tacos_tacos_tacos May 15 '12 at 14:47
  • ms is milliseconds. μs is microseconds. I'm talking about milliseconds here. My methodology was to fire up `tcpdump` and subtract the timestamp of the first packet *after* the three-way handshake from the timestamp of the first `SYN`. I did this for three connections and averaged them. (Hardly statistically significant, I know, but they were all very close to the same value.) – Ladadadada May 15 '12 at 14:51
  • Obviously, that's also not measuring the latency of just the ASA 5510 but also everything else in the connection, including the load averages of both boxes. It would be a valid answer when the question says "milliseconds" because it's significantly lower than 50, but it doesn't mean much when the question says "microseconds". – Ladadadada May 15 '12 at 15:06
  • 5-8ms is no way correct...thats absolutely huge. I already have ping times with external servers of less than 1ms. – DD. May 15 '12 at 19:16
  • ICMP packets are not directly comparable to TCP handshakes. There are also a lot of rules in this ASA which will increase the latency (how much? No idea) But I assure you that 3 - 4 ms is what I measured with the above method. – Ladadadada May 15 '12 at 19:26