Last month I ran some performance tests over a Cisco ASA 5550 using iperf. There were some performance issues when the ASA was hit with a lot of simultaneous requests. The ASA 5550 is a powerful device so I did not expect any performance problems with 2000 concurrent requests. Our stresstests reported connection problems when the number of concurrent requests increased above 2000 while traffic was way below the maximum supported throughput. To check the wirespeed performance of the ASA I decided to run an iperf test. This test showed expected bandwidth results, but a lower MTU (1408), while all intermediate components are configured at 1500.

Some investigation showed that this was caused by a default maximum MSS setting in the ASA. It appears that the ASA has a default max MSS of 1380. This is set by the command:

sysopt connection tcp-mss MSS_size_in_bytes

The default is 1380 to prevent fragmentation on possible IPSec connections in the path.

To get to MTU 1500 the ASA needs to support an MSS of 1460. This is configured with the following command:

sysopt connection tcp-mss 1460

More information can be found here:

While migrating the authentication of our ASA firewalls to tacacs, we enabled ‘enable’ authentication to tacacs and tried to switch to enable mode on the console. This did not work, and caused the following message in the tacacs log file:

Wed Jan 13 17:07:42 2010 [25444]: enable query for 'username' 13 from 10.x.x.x rejected

To fix this problem the tacacs configuration for the user needs to include the enable password in the profile, as shown below:

user = username {
login = des "XXXXXXX"
member = admin
acl = mgmt_devices
service = shell {
priv-lvl = 15
enable = des "XXXXXXX"

We use the following configuration on the ASA to enable AAA to tacacs.

aaa-server tacacs protocol tacacs+
aaa-server tacacs (outside) host
aaa-server tacacs (outside) host
aaa authentication ssh console tacacs LOCAL
aaa authentication telnet console tacacs LOCAL
aaa authentication serial console tacacs LOCAL
aaa authentication enable console tacacs LOCAL
aaa authentication http console tacacs LOCAL
aaa authorization command tacacs LOCAL

Due to the shortage of IPv4 IP addresses, we will run out of IPv4 some day in the near future (approx. 699 days from now, To be prepared for this we are experimenting with IPv6. We got a /32 allocated by RIPE, and are currently preparing a live network to connect some services via native  IPv6 to the internet. While reviewing the IPv6 capabilities of the network equipment we use, I found out that Cisco ASA/Pix does not support failover when running IPv6. For details on this matter please see the following links:


This failover support seems to be lacking for some time now, and is still missing in the latest release. I’ve notified our sales rep. at Cisco about this. Personally I think this is quite a serious issue, as failover is a essential part of building serious infrastructures. I hope Cisco will see that this feature should be implemented as soon as possible.

If you consider this a serious issue as well, I recommend you notify your Cisco contact. Also leave a comment, just because I’m wondering how many people think this is a problem 🙂

06 april 2010: Cisco released ASA version 8.3 which solves this problem: