Guidelines and Limitations
You can create and deploy multiple instances of the ASA virtual on an ESXi server. The specific hardware used for ASA virtual deployments can vary, depending on the number of instances deployed and usage requirements. Each virtual appliance you create requires a minimum resource allocation—memory, number of CPUs, and disk space—on the host machine.
Important |
The ASA virtual deploys with a disk storage size of 8GB. It is not possible to change the resource allocation of the disk space. |
Review the following guidelines and limitations before you deploy the ASA virtual.
ASA Virtual on VMware ESXi System Requirements
Make sure to conform to the specifications below to ensure optimal performance. The ASA virtualASA virtual has the following requirements:
-
The host CPU must be a server class x86-based Intel or AMD CPU with virtualization extension.
For example, ASA virtual performance test labs use as minimum the following: Cisco Unified Computing System™ (Cisco UCS®) C series M4 server with the Intel® Xeon® CPU E5-2690v4 processors running at 2.6GHz.
-
ASA virtual supports ESXi version 6.0, 6.5, 6.7, 7.0, 7.0 Upgrade 1, 7.0 Upgrade 2, 7.0 Upgrade 3, and 8.0.
Recommended vNICs
The following vNICs are recommended in order of optimum performance.
-
i40e in PCI passthrough—Dedicates the server's physical NIC to the VM and transfers packet data between the NIC and the VM via DMA (Direct Memory Access). No CPU cycles are required for moving packets.
-
i40evf/ixgbe-vf—Effectively the same as above (DMAs packets between the NIC and the VM) but allows the NIC to be shared across multiple VMs. SR-IOV is generally preferred because it has more deployment flexibility. See Guidelines and Limitations
-
vmxnet3—This is a para-virtualized network driver that supports 10Gbps operation but also requires CPU cycles. This is the VMware default.
When using vmxnet3, you need to disable Large Receive Offload (LRO) to avoid poor TCP performance.
Performance Optimizations
To achieve the best performance out of the ASA virtual, you can make adjustments to the both the VM and the host. See Performance Tuning for more information.
-
NUMA—You can improve performance of the ASA virtual by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node. See NUMA Guidelines for more information.
-
Receive Side Scaling—The ASA virtual supports Receive Side Scaling (RSS), which is a technology utilized by network adapters to distribute network receive traffic to multiple processor cores. Supported on Version 9.13(1) and later. See Multiple RX Queues for Receive Side Scaling (RSS) for more information.
-
VPN Optimization—See VPN Optimization for additional considerations for optimizing VPN performance with the ASA virtual.
Clustering
Starting from version 9.17, clustering is supported on ASA virtual instances deployed on VMware. See ASA Cluster for the ASAv for more information.
OVF File Guidelines
The selection of the asav-vi.ovf or asav-esxi.ovf file is based on the deployment target:
-
asav-vi—For deployment on vCenter
-
asav-esxi—For deployment on ESXi (no vCenter)
-
The ASA virtual OVF deployment does not support localization (installing the components in non-English mode). Be sure that the VMware vCenter and the LDAP servers in your environment are installed in an ASCII-compatible mode.
-
You must set your keyboard to United States English before installing the ASA virtual and for using the VM console.
-
When the ASA virtual is deployed, two different ISO images are mounted on the ESXi hypervisor:
-
The first drive mounted has the OVF environment variables generated by vSphere.
-
The second drive mounted is the day0.iso.
Attention
You can unmount both drives after the ASA virtual machine has booted. However, Drive 1 (with the OVF environment variables) will always be mounted every time the ASA virtual is powered off/on, even if Connect at Power On is unchecked.
-
The Export OVF Template in vSphere helps you export an existing ASA virtual instance package as an OVF template. You can use an exported OVF template for deploying the ASA virtual instance in the same or different environment. Before deploying the ASA virtual instance using an exported OVF template on vSphere, you must modify the configuration details in the OVF file to prevent deployment failure.
To modify the exported OVF file of ASA virtual.
-
Log in to the local machine where you have exported the OVF template.
-
Browse and open the OVF file in a text editor.
-
Ensure that the tag
<vmw:ExtraConfig vmw:key="monitor_control.pseudo_perfctr" vmw:value="TRUE"></vmw:ExtraConfig>
is present. -
Delete the tag
<rasd:ResourceSubType>vmware.cdrom.iso</rasd:ResourceSubType>
.Or
Replace the tag
<rasd:ResourceSubType>vmware.cdrom.iso</rasd:ResourceSubType>
with<rasd:ResourceSubType>vmware.cdrom.remotepassthrough</rasd:ResourceSubType>
.See the Deploying an OVF fails on vCenter Server 5.1/5.5 when VMware tools are installed (2034422) published by VMware for more information.
-
Enter the property values for
UserPrivilege
,OvfDeployment
, andControllerType
.For example: - <Property ovf:qualifiers="ValueMap{"ovf", "ignore", "installer"}" ovf:type="string" ovf:key="OvfDeployment"> + <Property ovf:qualifiers="ValueMap{"ovf", "ignore", "installer"}" ovf:type="string" ovf:key="OvfDeployment" ovf:value="ovf"> - <Property ovf:type="string" ovf:key="ControllerType"> + <Property ovf:type="string" ovf:key="ControllerType" ovf:value="ASAv"> - <Property ovf:qualifiers="MinValue(0) MaxValue(255)" ovf:type="uint8" ovf:key="UserPrivilege"> + <Property ovf:qualifiers="MinValue(0) MaxValue(255)" ovf:type="uint8" ovf:key="UserPrivilege" ovf:value="15">
-
Save the OVF file.
-
Deploy the ASA virtual using the OVF template. See, Deploy the ASA virtual Using the VMware vSphere Web Client.
Failover for High Availability Guidelines
For failover deployments, make sure that the standby unit has the same license entitlement; for example, both units should have the 2Gbps entitlement.
Important |
When creating a high availability pair using ASA virtual, it is necessary to add the data interfaces to each ASA virtual in the same order. If the exact same interfaces are added to each ASA virtual, but in different order, errors may be presented at the ASA virtual console. Failover functionality may also be affected. |
For the ESX port group used for ASA virtual Inside interface or ASA virtual failover high availability link, configure the ESX port group failover order with two virtual NICs – one as active uplink and the other as standby uplink. This is necessary for the two VMs to ping each other or ASA virtual high availability link to be up.
IPv6 Guidelines
You cannot specify IPv6 addresses for the management interface when you first deploy the ASA virtual OVF file using the VMware vSphere Web Client; you can later add IPv6 addressing using ASDM or the CLI.
vMotion Guidelines
-
VMware requires that you only use shared storage if you plan to use vMotion. During ASA virtual deployment, if you have a host cluster you can either provision storage locally (on a specific host) or on a shared host. However, if you try to vMotion the ASA virtual to another host, using local storage will produce an error.
Memory and vCPU Allocation for Throughput and Licensing
-
The memory allocated to the ASA virtual is sized specifically for the throughput level. Do not change the memory setting or any vCPU hardware settings in the Edit Settings dialog box unless you are requesting a license for a different throughput level. Under-provisioning can affect performance.
Note
If you need to change the memory or vCPU hardware settings, use only the values documented in Licensing for the ASA Virtual. Do not use the VMware-recommended memory configuration minimum, default, and maximum values.
CPU Reservation
-
By default the CPU reservation for the ASA virtual is 1000 MHz. You can change the amount of CPU resources allocated to the ASA virtual by using the shares, reservations, and limits settings (Edit Settings > Resources > CPU). Lowering the CPU Reservation setting from 1000 Mhz can be done if the ASA virtual can perform its required purpose while under the required traffic load with the lower setting. The amount of CPU used by an ASA virtual depends on the hardware platform it is running on as well as the type and amount of work it is doing.
You can view the host’s perspective of CPU usage for all of your virtual machines from the CPU Usage (MHz) chart, located in the Home view of the Virtual Machine Performance tab. Once you establish a benchmark for CPU usage when the ASA virtual is handling typical traffic volume, you can use that information as input when adjusting the CPU reservation.
See the CPU Performance Enhancement Advice published by VMware for more information.
-
You can use the ASA virtual show vm and show cpu commands or the ASDM tab or the pane to view the resource allocation and any resources that are over- or under-provisioned.
-
Starting from ASA Virtual Version 9.16.x, when you are downgrading from ASAv100, whose device configuration is 16 vCPU and 32GB RAM, to ASAv10, then you must configure the device with 1 vCPU and 4GB RAM.
Transparent Mode on UCS B Series Hardware Guidelines
MAC flaps have been observed in some ASA virtual configurations running in transparent mode on Cisco UCS B Series hardware. When MAC addresses appear from different locations you will get dropped packets.
The following guidelines help prevent MAC flaps when you deploy the ASA virtual in transparent mode in VMware environments:
-
VMware NIC teaming—If deploying the ASA virtual in transparent mode on UCS B Series, the Port Groups used for the Inside and Outside interfaces must have only 1 Active Uplink, and that uplink must be the same. You configure VMware NIC teaming in vCenter.
See the VMware documentation for complete information on how to configure NIC teaming.
-
ARP inspection—Enable ARP inspection on the ASA virtual and statically configure the MAC and ARP entry on the interface you expect to receive it on. See the Cisco Secure Firewall ASA Series General Operations Configuration Guide for information about ARP inspection and how to enable it.
Additional Guidelines and Limitations
-
The ASA Virtual boots without the two CD/DVD IDE drives if you are running ESXi 6.7, vCenter 6.7, ASA Virtual 9.12 and above.
-
The vSphere Web Client is not supported for ASA virtual OVF deployment; use the vSphere client instead.
IPsec Flow Offload Using Vector Packet Processing
You can identify and select traffic to be offloaded to a super-fast path, where the flow is switched in the NIC itself. Offloading can help you improve performance for data-intensive applications such as large file transfers. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections can offloaded to the Vector Packet Processing (VPP) in the ASA Virtual devices.
Note |
IPsec flow offload is enabled by default, and applies to device - ASAv100. |
VPP, an open-source application developed by Cisco, is used for IPsec offload to perform IPsec cryptographic operations.
Enabling the IPsec offload feature on the ASA Virtual can help:
-
Improve device performance and free up CPU resources to handle other important tasks.
-
Enhance the aggregate throughput performance for IPsec connections.
-
Improve the single connection performance for IPsec, also known as the elephant flow.
This feature is disabled by default on platforms that support it.
Limitations
The following IPsec flows are not offloaded:
-
IKEv1 tunnels. Only IKEv2, ESP, and NAT-T will be offloaded automatically after enabling on ASAv100. IKEv2 supports stronger ciphers.
-
Flows that have compression configured.
-
Flows that have compression configured.
-
Transport mode flows. Only tunnel mode flows will be offloaded.
-
Flows that have post-fragmentation configured.
-
Flows that have anti-replay Window size other than 64bit and anti-replay are not disabled.
-
Flows that have anti-replay window size other than 64bit and anti-replay is not disabled.
-
Flows that have firewall filter enabled.
-
Multi-context