Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Adaptive Security Virtual Appliance (ASAv) Data Sheet

Data Sheet

Available Languages

Download Options

  • PDF
    (618.8 KB)
    View with Adobe Reader on a variety of devices
Updated:January 21, 2021

Available Languages

Download Options

  • PDF
    (618.8 KB)
    View with Adobe Reader on a variety of devices
Updated:January 21, 2021

Table of Contents

 

 

Today, businesses rely on a mixture of physical and virtual solutions to meet their network security needs. They need the flexibility to deploy different physical and virtual firewalls across a wide range of environments while still maintaining consistent policy throughout branch offices, corporate data centers, and all entry points between. From data center consolidation to office relocations, M&A scenarios, or seasonal peaks in demand on your applications—Cisco’s virtual firewall portfolio helps businesses simplify security management with the convenience of unified policy and the flexibility to deploy everywhere.

With the Cisco® Adaptive Security Virtual Appliance (ASAv), you have the flexibility to choose the performance you need for your business. ASAv is the virtualized option of our popular ASA solution and offers security in traditional physical data centers and private and public clouds. Its scalable VPN capability provides access for employees, partners, and suppliers—and protects your workloads against increasingly complex threats with world-class security controls.

Product overview

The ASAv is a firewall with powerful VPN capabilities. It supports site-to-site VPN, remote-access VPN, and clientless VPN functionalities. Consistent policy simplifies management across your virtual and physical ASAs. Cisco Smart Software Licensing makes it easy to deploy, manage, and track virtual instances of the appliance running in your private cloud or in a public cloud.

Product overview

Benefits

VPN head-end

Cisco AnyConnect® client empowers employees to work from home (or anywhere) on any device at any time, securely. Give any user highly secure access to your enterprise network and provide visibility and control to your IT and security teams to identify who and which devices are accessing the infrastructure. Alleviate strain on your IT and security teams as they support offsite workers and personal devices. ASAv supports site-to-site VPN for connecting your data centers.

License portability across clouds

Deploy ASAv everywhere—from your corporate data center to your branch office, to a public cloud—with the portability of one license across public or private clouds (VMware, KVM and Hyper-V, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI) and government clouds). Expand, contract, or relocate workloads over time and span private and public cloud infrastructures with one license.

Low-touch deployment

Rapidly deploy additional ASAvs to support unplanned or seasonal surges on your applications or VPN. Add more bandwidth or protection for remote offices by spinning up a new VM. Choose from higher-performance model options if you need more protection.

Smart Software Licensing

Cisco Smart Software Licensing makes it easier to buy, deploy, track, and renew Cisco licenses. We have moved away from Product Activation Key (PAK)-based licensing to a model that supports more flexibility and visibility. You will enjoy:

      Simpler purchase and activation of the virtual appliance

      Easier license management and reporting of virtual appliances due to license pooling

      Automatic license activation when the virtual appliance is provisioned

Customers, select partners, and Cisco can view product entitlements and services in the Cisco Smart Software Manager. Configuration and activation are done with a single token. The ASAv will self-register with a Cisco server in the cloud, eliminating the need to register products with PAKs. Instead of using PAKs or license files, Smart Software Licensing establishes a pool of software licenses or entitlements that can be used across your business. When a virtual appliance is instantiated on a customer’s premises, an entitlement is subtracted from the pool. When a virtual appliance is decommissioned, or when it is deinstantiated within the Smart Software Manager, an entitlement is added to the pool.

With the Smart Software Manager, you can manage license deployments throughout your organization easily and quickly. You can also manage multiple products from Cisco that support Smart Software Licensing.

The ASAv uses Smart Software Licensing exclusively. Older forms of licensing are not supported.

Any ASAv license can be used on any supported ASAv vCPU/memory configuration. This allows ASAv customers to run on a wide variety of VM resource footprints. This also increases the number of supported AWS, Azure, GCP and OCI instances types. When configuring the ASAv VM, the maximum supported number of vCPUs is 16 and the maximum supported memory is 128GB RAM.

Table 1.        Specifications for 9.14.1.6 and later- ESXi/KVM

Feature

Entitlement support: Standard tier

 

100M (ASAv5)

1G (ASAv10)

2G (ASAv30)

10G (ASAv50)

20G (ASAv100)

Stateful inspection throughput (maximum)[1]

100 Mbps

1 Gbps

2 Gbps

10 Gbps

20 Gbps

Stateful inspection throughput (multiprotocol)[2]

50 Mbps

500 Mbps

1 Gbps

5 Gbps

10 Gbps

IPsec VPN throughput (AES 450B UDP test)[3]

30 Mbps

750 Mbps

2 Gbps

4 Gbps

8 Gbps

Connections per second

8000

20,000

60,000

120,000

250,000

Concurrent sessions

50,000

100,000

500,000

2,000,000

4,000,000

VLANs

25

50

200

1024

1024

Bridge groups

12

25

100

250

250

IPsec VPN peers

50

250

750

10,000

20,000

Cisco AnyConnect or clientless VPN user sessions

50

250

750

10,000

20,000

Virtual CPU core allocation[4]

1

2

4

8

16

Memory allocation4

2GB

4GB

8GB

16GB

32GB

Disk storage[5]

8GB

8GB

8GB

8GB

8GB

Note:     This data is from testing on the Cisco Unified Computing System (Cisco UCS®) C series M5 server with the Intel® Xeon® Gold 6254 processors running SR-IOV on Intel X520/X710. Stated virtual CPU core allocation assumes dedicated physical cores with Hyper Threading disabled. Each performance number above was obtained while running only the associated test.

Table 2.        Specifications for 9.15 and later- AWS

AWS Performance

License Type

100M (ASAv5)

1G (ASAv10)

2G (ASAv30)

10G (ASAv50)

20G (ASAv100)

AWS Instance Type

c5.large

c5.large

c5.xlarge

c5.2xlarge

c5n.4xlarge

Stateful inspection throughput (maximum)6

100 Mbps

1 Gbps

2 Gbps

10 Gbps

16 Gbps

Stateful inspection throughput (multiprotocol)7

100 Mbps

1 Gbps

2 Gbps

4.6 Gbps

8 Gbps

IPsec VPN throughput (AES 450B UDP test)8

100 Mbps

1 Gbps

2.0 Gbps

3.7 Gbps

5.8 Gbps

Connections per second

60,000

62,000

90,000

120,000

200,000

Concurrent sessions

50,000

100,000

500,000

2,000,000

4,000,000

IPsec VPN peers

50

250

750

10,000

20,000

Cisco AnyConnect or clientless VPN user sessions

50

250

750

10,000

20,000

Table 3.        Specifications for 9.15 and later- Azure

Azure Performance*

License Type

100M (ASAv5)

1G (ASAv10)

2G (ASAv30)

10G (ASAv50)

20G (ASAv100)

Azure VM Type

D3_v2

D3_v2

D3_v2

D4_v2

D5_v2

Stateful inspection throughput (maximum)6

100 Mbps

1 Gbps

2 Gbps

2 Gbps

2.5 Gbps

Stateful inspection throughput (multiprotocol)7

100 Mbps

1 Gbps

1 Gbps

1.6 Gbps

2.5 Gbps

IPsec VPN throughput (AES 450B UDP test)8

100 Mbps

772 Mbps

772 Mbps

3.3 Gbps

6.7 Gbps

Connections per second

10,000

10,000

10,000

10,000

10,000

Concurrent sessions

50,000

100,000

500,000

2,000,000

4,000,000

IPsec VPN peers

50

250

750

10,000

20,000

Cisco AnyConnect or clientless VPN user sessions

50

250

750

10,000

20,000

* - Measured on instances with Accelerated Networking(AN) enabled.

Table 4.        Specifications for 9.15 and later- GCP

GCP Performance

License Type

100M (ASAv5)

1G (ASAv10)

2G (ASAv30)

10G (ASAv50)

20G (ASAv100)

GCP Machine Type

c2-standard-4

c2-standard-4

c2-standard-4

c2-standard-8

c2-standard-16

Stateful inspection throughput (maximum)6

100 Mbps

1 Gbps

2 Gbps

7.6 Gbps

16 Gbps

Stateful inspection throughput (multiprotocol)7

100 Mbps

1 Gbps

2 Gbps

7.2 Gbps

12 Gbps

IPsec VPN throughput (AES 450B UDP test)8

100 Mbps

1 Gbps

2 Gbps

3.3 Gbps

7.2 Gbps

Connections per second

48,000

48,000

60,000

82,000

160,000

Concurrent sessions

50,000

100,000

500,000

2,000,000

4,000,000

IPsec VPN peers

50

250

750

10,000

20,000

Cisco AnyConnect or clientless VPN user sessions

50

250

750

10,000

20,000

Table 5.        Specifications for 9.15 and later- OCI

OCI Performance

License Type

100M (ASAv5)

1G (ASAv10)

2G (ASAv30)

10G (ASAv50)

20G (ASAv100)

OCI Shape Type

VM.Standard2.4

VM.Standard2.4

VM.Standard2.4

VM.Standard2.8

VM.Standard2.8

Stateful inspection throughput (maximum)[6]

100 Mbps

1 Gbps

2 Gbps

Coming soon

 Coming soon

Stateful inspection throughput (multiprotocol)[7]

100 Mbps

1 Gbps

2 Gbps

2.3 Gbps

3 Gbps

IPsec VPN throughput (AES 450B UDP test)[8]

100 Mbps

550 Mbps

550 Mbps

550 Mbps

623 Mbps

Connections per second

26,600

26,600

26,600

26,600

38,200

Concurrent sessions

50,000

100,000

500,000

2,000,000

4,000,000

Ipsec VPN peers

50

250

750

10,000

20,000

Cisco AnyConnect or clientless VPN user sessions

50

250

750

10,000

20,000

Table 6.        ASAv models and recommended public cloud instance types

Standard tier

100M (ASAv5)

1G (ASAv10)*

2G (ASAv30)*

10G (ASAv50)*

20G (ASAv100)*

Comments

Recommended AWS instance types

c5.large

c4.large

c3.large

m4.large

c5.large

c4.large

c3.large

m4.large

c5.xlarge

c3.xlarge

m4.xlarge

c4.xlarge

c5.2xlarge

c4.2xlarge

c3.2xlarge

m4.2xlarge

c5.4xlarge

c5n.4xlarge

Smallest supported instance type is large, which supports maximum throughput/limits of 1G entitlement. Auto Scale is supported

Recommended Azure VM types

F4, F4s

D3, D3_v2,

DS3, DS3_v2

F4, F4s

D3, D3_v2,

DS3, DS3_v2

F4, F4s

D3, D3_v2,

DS3, DS3_v2

F8, F8s

D8_v3

D4, D4_v2, DS4,

DS4_v2

F16, F16s

 

D5, D5_v2, D16_v3, DS5, DS5_v2

(Version 9.15 and above only)

Smallest supported instance size is F4/F4s, and supports max throughput/limits of 2G entitlement. Auto Scale is supported. Accelerated Networking is supported.

Recommended GCP machine types

(Version 9.15 and above only)

c2-standard-4

c2-standard-4

c2-standard-4

c2-standard-8

c2-standard-16

Smallest supported instance size is c2-standard-4, and supports max throughput/limits of 2G entitlement

Recommended OCI shape types

(Version 9.15 and above only)

VM.Standard2.4

VM.Standard2.4

VM.Standard2.4

VM.Standard2.8

VM.Standard2.8

Smallest supported instance size is VM.standard2.4, and supports max throughput/limits of 2G entitlement

* The recommended instances for higher entitlement can be used for lower entitlement as well.

Table 7.        Hypervisor and public cloud constraints

Feature

Vmware

KVM

Hyper-V

AWS

Azure

GCP

OCI

Hypervisor support

ESXi 6.0, 6.5, 6.7

Yes

Yes
(Windows Server 2012-R2)

AWS, AWS Gov

Marketplace, AWS China (see VM instances supported in Table 9)

Azure, Azure Gov

Marketplace, Azure China (see VM instances supported in Table 10)

GCP

(see VM instances supported in Table 11)

OCI

(see VM instances supported in Table 12)

High availability

Stateful active/standby

 

No

Statelessactive/standby

No

No

Modes

Routed and transparent

 

Routed only

Routed only

Routed only

Routed only

Table 8.        Maximum Cisco AnyConnect user sessions

RAM (GB)

Entitlement support

MIN

MAX

100M (ASAv5)

1G (ASAv10)*

2G (ASAv30)*

10G (ASAv50)*

20G (ASAv100)*

2

<8

50

250

250

250

250

8

<16

50

250

750

750

750

16

<32

50

250

750

10K

10K

32

No max

50

250

750

10K

20K

Table 9.        AWS instance support

Instance

Attributes

vCPUs

Memory (GB)

C5.large*

2

4

C5.xlarge*

4

8

C5.2xlarge*

8

16

C5.4xlarge**

16

32

C5n.large**

2

5.25

C5n.xlarge**

4

10.5

C5n.2xlarge**

8

21

C5n.4xlarge**

16

42

C4.large

2

3.75

C4.xlarge

4

7.5

C4.2xlarge*

8

15

C3.large

2

3.75

C3.xlarge

4

7.5

C3.2xlarge*

8

15

m4.large

2

8

m4.xlarge

4

16

m4.2xlarge*

8

32

* Requires 9.13 and later.
** Requires 9.14.1.10 and later

Table 10.     Azure instance support

Instance

Attributes

vCPUs

Memory (GB)

D3, D3_v2, DS3*, DS3_v2*

4

14

D4*, D4_v2*, DS4*, DS4_v2*

8

28

D5, DS5, D5_v2, DS5_v2**

16

56

D8_v3*

8

32

D16_v3**

16

64

F4*, F4s*

4

8

F8*, F8s*

8

16

F16, F16s**

16

32

* Requires 9.13 and later.
** Requires 9.15 and later

Table 11.     GCP instance support*

Instance

Attributes

OCPU’s

Memory (GB)

n1-standard-4

4

15

c2-standard-4

n2-standard-4

4

16

n2-highmem-4

4

32

c2-standard-8

n2-standard-8

8

32

n1-standard-8

8

30

n1-highcpu-8

8

7.2

n2-highcpu-8

8

8

n2-highmem-8

8

64

c2-standard-16

n2-standard-16

16

64

n1-standard-16

16

60

n1-highcpu-16

16

14.4

n2-highcpu-16

16

16

n2-highmem-16

16

128

* Requires 9.15 and later

Table 12.     OCI instance support*

Instance

Attributes

vCPUs

Memory (GB)

VM.Standard2.4

4

60

VM.Standard2.8

8

120

* Requires 9.15 and later

Table 13.     Ordering information: In Cisco Commerce Workspace (CCW) order the base selection (denoted by “K9” in the part number), followed by the desired license type

Part number

Description

L-ASAV5S-K9=

Cisco 100 Mbps entitlement (ASAv5) selection(Perpetual License)

L-ASA-V-5S-K9=

Cisco 100 Mbps entitlement (ASAv5) subscription

L-ASAV10S-K9=

Cisco 1 Gbps entitlement (ASAv10) selection(Perpetual License)

L-ASA-V-10S-K9=

Cisco 1 Gbps entitlement (ASAv10) subscription

L-ASAV30S-K9=

Cisco 2 Gbps entitlement (ASAv30) selection(Perpetual License)

L-ASA-V-30S-K9=

Cisco 2 Gbps entitlement (ASAv30) subscription

L-ASAV50S-K9=

Cisco 10 Gbps entitlement (ASAv50) selection(Perpetual License)

L-ASA-V-50S-K9=

Cisco 10 Gbps entitlement (ASAv50) subscription

L-ASA-V-100S-K9=

Cisco 20 Gbps entitlement (ASAv100) subscription*

*No Perpetual license option for ASAv100

Cisco environmental sustainability

Information about Cisco’s environmental sustainability policies and initiatives for our products, solutions, operations, and extended operations or supply chain is provided in the “Environment Sustainability” section of Cisco’s Corporate Social Responsibility (CSR) Report.

Reference links to information about key environmental sustainability topics (mentioned in the “Environment Sustainability” section of the CSR Report) are provided in the following table:

Sustainability topic

Reference

Information on product material content laws and regulations

Materials

Information on electronic waste laws and regulations, including products, batteries, and packaging

WEEE compliance

Cisco makes the packaging data available for informational purposes only. It may not reflect the most current legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to date. This information is subject to change without notice.

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

 

 

 



[1] Throughput measured with 1500B User Datagram Protocol (UDP) traffic measured under ideal test conditions.
[2] “Multiprotocol” refers to a traffic profile consisting primarily of TCP-based protocols or applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
[3] The VPN throughput and the number of sessions depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
[4] Stated resource allocation is required to achieve the documented performance metrics for each tier. Decreased allocations are supported but will result in lower performance.
[5] Thin provisioning is supported.
 
[6] Throughput measured with 1500B User Datagram Protocol (UDP) traffic measured under ideal test conditions.
[7] “Multiprotocol” refers to a traffic profile consisting primarily of TCP-based protocols or applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
[8] The VPN throughput and the number of sessions depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.

Learn more