在 Cisco ASA 5506-X 上未获得预期的吞吐量

Question

I have a Cisco ASA 5506-X running version 9.9(2). I recently upgraded my inte.net to gigabit speeds (in reality about 750 - 850 Mbps). However, my ASA was only allowing throughput of about 200Mbps. I thought that the ASA would allow throughput up to 750Mbps.

Troubleshooting steps:

1. Reset ASA and setup basic config.
2. Tested inte.net speed and received somewhere near 200Mbps.
3. Disabled FirePower service and tested speed again to get near 300Mbps
4. Connected PC directly to cable modem and was able to get speeds of 800Mbps - 850Mbps (three attempts).
5. Re-connected ASA and still get only 300Mbps (maybe 310).

Can you help me figure out why I'm not getting better throughput?

Show Version:

Cisco Adaptive Security Appliance Software Version 9.9(2)36
Firepower Extensible Operating System Version 2.3(1.122)
Device Manager Version 7.16(1)150

Compiled on Wed 12-Dec-18 16:53 PST by builders
System image file is "disk0:/asa992-36-lfbff-k8.SPA"
Config file at boot was "startup-config"

ciscoasa up 16 secs

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1

 1: Ext: GigabitEthernet1/1  : address is b0c5.3cfa.25d8, irq 255
 2: Ext: GigabitEthernet1/2  : address is b0c5.3cfa.25d9, irq 255
 3: Ext: GigabitEthernet1/3  : address is b0c5.3cfa.25da, irq 255
 4: Ext: GigabitEthernet1/4  : address is b0c5.3cfa.25db, irq 255
 5: Ext: GigabitEthernet1/5  : address is b0c5.3cfa.25dc, irq 255
 6: Ext: GigabitEthernet1/6  : address is b0c5.3cfa.25dd, irq 255
 7: Ext: GigabitEthernet1/7  : address is b0c5.3cfa.25de, irq 255
 8: Ext: GigabitEthernet1/8  : address is b0c5.3cfa.25df, irq 255
 9: Int: Internal-Data1/1    : address is b0c5.3cfa.25d7, irq 255
10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0
13: Ext: Management1/1       : address is b0c5.3cfa.25d7, irq 0
14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 30             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 50             perpetual
Total VPN Peers                   : 50             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 160            perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5506 Security Plus license.

Serial Number: JXXXXXXXXXX
Running Permanent Activation Key: 0x1A1A1A1A 0x2B2B2B2B 0x3C3C3C3C 0x4D4D4D4D 0x5E5E5E5E
Configuration register is 0x1
Image type                : Release
Key Version               : A
Configuration has not been modified since last system restart.

Config

ASA Version 9.9(2)36
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxxxxxxxxxx pbkdf2
passwd xxxxxxxxxxxx. encrypted
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.16.254.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list INBOUND extended permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
nat (inside,outside) after-auto source dynamic any interface
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.254.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns <my ISP DNS server 1> <my ISP DNS server 2>
dhcpd option 3 ip 172.16.254.1
!
dhcpd address 172.16.254.33-172.16.254.221 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username myuser password xxxxxxxxxxxx pbkdf2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7bf6464dd03896f00321926e98426397

Answer 1

what is the CPU usage? also post here show interface gi1/1

Also try configuring manually on outside duplex full and speed auto or speed 1000 but before doing that post the stats of the outside interface first