Asa = pos
Bl8ckr0uter
Inactive Imported Users Posts: 5,031
in Off-Topic
So in my brief (less than 2 months) experience with these firewalls the following has happened to me:
- Firmware blew up (x3)
- Config blew up
- Filesystem blew up (x2)
- Device simply stopped working (x2)
Are these devices that bad? I mean this has been true on 5540s and 5520s. I honestly question whether I want the CCNP:Security now because it means I'll have to work with more of these pieces of...dung. Anyone else have a similar experience?
Comments
kriscamaro68 Member Posts: 1,186
Bl8ckr0uter wrote: »So in my brief (less than 2 months) experience with these firewalls the following has happened to me:
- Firmware blew up (x3)
- Config blew up
- Filesystem blew up (x2)
- Device simply stopped working (x2)
Are these devices that bad? I mean this has been true on 5540s and 5520s. I honestly question whether I want the CCNP:Security now because it means I'll have to work with more of these pieces of...dung. Anyone else have a similar experience?
I managed a 5510 for about 1 1/2 years without issue. It just worked all the time.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
Before it starts to sound like user error, I can deal with configuration issues lol. If I put something in wrong, I put it in wrong, but blowing up and losing its config is something else entirely. Maybe all of mine have been made on Mondays or Fridays lol
cxzar20 Member Posts: 168
Yeah, we had so much trouble with them that we ended up just going with Checkpoint. IMO, all Cisco stuff is garbage except for their bread and butter routers/switches. I can't really comment on their VOIP stuff though, I don't have any experience with it. Their WAN Optimization stuff is the worst.
it_consultant Member Posts: 1,903
Bl8ckr0uter wrote: »So in my brief (less than 2 months) experience with these firewalls the following has happened to me:
- Firmware blew up (x3)
- Config blew up
- Filesystem blew up (x2)
- Device simply stopped working (x2)
Are these devices that bad? I mean this has been true on 5540s and 5520s. I honestly question whether I want the CCNP:Security now because it means I'll have to work with more of these pieces of...dung. Anyone else have a similar experience?
I have never been overly impressed with the Cisco ASA firewalls. I haven't had any issues like the ones you describe but I find them (much like their routers and switches) overly complex and overly expensive.
shednik Member Posts: 2,005
Wow, I've never seen issues like that on any ASAs I've ever worked with... For a firewall I'm not a huge fan of how they operate from an auditing/logging perspective and building rules can be tedious at times. I think I was spoiled by my last job when we worked with Checkpoint firewalls; however, I do think the ASA as a VPN gateway worked very well.
Have you talked to TAC, Kevin? What version of code is it? Some of the older code revisions have some strange bugs.
SteveO86 Member Posts: 1,423
I've managed a handful of them at my previous job for a few years and never had a single hardware/firmware problem.
I manage even more of them in my current position and still haven't run into a firmware or hardware issue. Involving IOS 8.2 - 8.3
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
undomiel Member Posts: 2,818
So far all the ASAs I've had to work with have been rock solid as well. Haven't run into weird issues with any of them.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
Chivalry1 Member Posts: 569
Most of the ASAs I worked on have been very reliable. At first I found it a little cumbersome, but I am an old Cisco PIX guy so the new GUI buttons impressed me. Maybe call your Cisco representative and let him know of the issues. If not, buy a set of Fortinet Fortigates; set it and forget it!
Still obtain the CCNA: Security....you may not like them but Cisco ASAs are many corporations' standard firewalls; you can't run from them.
"The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915)
Bl8ckr0uter Inactive Imported Users Posts: 5,031
It was actually an issue with 8.4. 8.3 has been very solid for us. Guess I'll be waiting for 8.5.
I guess I just have bad luck. I'm still going to knock out CCNP:S, I am just complaining.
itdaddy Member Posts: 2,089
You know, just a thought: have you thought the ASA you have is a fake copy, like from China?
I have seen some really good duplicate copies that were made and you can barely tell until you use them.
Just a thought here... really, I have seen some fakes, very scary. It could be a fake.
docrice Member Posts: 1,706
The gray market reference was my first thought as well. I haven't seen an ASA or PIX blow up on me yet. Generally they've been pretty reliable in my experience. Or perhaps you have a bad batch that somehow made it past QA. If you have hardware-level problems, your environment is not stable enough to prevent configs blowing up.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
NOC-Ninja Member Posts: 1,403
In my experience, I've never heard of or seen one blow up. Ours has been running for 5 years.
SteveO86 Member Posts: 1,423
Chivalry1 wrote: »Still obtain the CCNA: Security....you may not like them but Cisco ASA are many corporate standard firewalls; you can't run from them.
Not to be too picky but..
CCNA: Security doesn't actually cover the ASA; it's covered in the CCNP: Security. CCNA: Security covers Cisco IOS (IOS VPN, IOS IPS, Port Security, SSH, that kind of stuff). Even the CCNP: Security SECURE exam is very IOS related. FIREWALL/VPN are more specific to the ASA.
I don't disagree with you at all; CCNA: Security is a good foundation for Cisco/network security.
shednik Member Posts: 2,005
Bl8ckr0uter wrote: »It was actually an issue with 8.4. 8.3 has been very solid for us. Guess I'll be waiting to 8.5.
I guess I just have bad luck. I'm still going to knock out CCNP:S, I am just complaining.
I remember being told 8.4 still had a few bugs in it; maybe check for a minor release?
Sett Member Posts: 187
I worked extensively with FWSMs and never had a problem with them. What you are describing sounds like my Checkpoint experience. I don't have enough words to explain how much I hate those.
Non-native English speaker
Bl8ckr0uter Inactive Imported Users Posts: 5,031
OK, like this issue. For some reason the device seems to be NATting to well-known ports randomly, dynamically. So let's take this for an example:
UDP PAT from Inside:X.X.X.X/3000 to Outside:Outside_INT/11129 flags ri idle 0:00:44 timeout 0:00:30
This seems right to me and makes sense:
UDP PAT from Inside:X.X.X.X/3001 to Outside:Outside_INT/137 flags ri idle 0:00:44 timeout 0:00:30
Am I tripping, or should that say something higher than 1024? Mind you, it does this every once in a while and we aren't running out of translations or anything. And this is dynamic (not a static map).
Bl8ckr0uter Inactive Imported Users Posts: 5,031
Well, maybe everyone here knew this already and I am just a noob, but I wanted to throw this out there. This comes from Cisco TAC:
Natting logic in PIXOS (as well as current ASAs)
If the source port is TCP/UDP 1-511, then the PIX will PAT the SRC address to one in that range.
If the source port is TCP/UDP 512-1023, then the PIX will PAT the SRC address to one in that range.
If the source port is TCP/UDP 1024-65535, then the PIX will PAT the SRC address to one in that range.
It will not NAT out the same port it comes in as, so if I come in as port 53 (1-511) I will get some random port in the 1-511 range besides 53. Just thought some people would like to know this.
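An added example (not from the thread or from Cisco) that puts the two posts above together: it parses xlate lines in the shape Bl8ckr0uter pasted, checks each dynamic PAT entry against the three-range rule quoted from TAC, and also implements that rule as a port chooser so you can see what a conforming allocation looks like. The line format, field names and the sample lines are assumptions drawn only from the two entries quoted in the thread; under the rule as stated, the 3001 -> 137 entry is the one that should not happen, which is exactly the OP's question, and a script like this is a quick way to scan a full `show xlate` dump for more of them before opening a TAC case.

```python
import random
import re
from dataclasses import dataclass

# Port ranges from the TAC note quoted in the thread: dynamic PAT keeps the
# mapped port in the same range as the original source port.
PAT_RANGES = ((1, 511), (512, 1023), (1024, 65535))

# Matches the "<proto> PAT from <if>:<ip>/<port> to <if>:<ip>/<port> ..." lines
# pasted above. The trailing flags/idle/timeout fields are ignored.
# Constructed regex for this example; not taken from Cisco documentation.
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<in_if>[^:\s]+):(?P<src_ip>\S+)/(?P<src_port>\d+)"
    r" to (?P<out_if>[^:\s]+):(?P<map_ip>\S+)/(?P<map_port>\d+)"
)

# Constructed sample: the two lines quoted in the thread, with the OP's own
# placeholders (X.X.X.X, Outside_INT) left as they were pasted.
SAMPLE_XLATE = """
UDP PAT from Inside:X.X.X.X/3000 to Outside:Outside_INT/11129 flags ri idle 0:00:44 timeout 0:00:30
UDP PAT from Inside:X.X.X.X/3001 to Outside:Outside_INT/137 flags ri idle 0:00:44 timeout 0:00:30
"""


@dataclass
class Xlate:
    proto: str
    src_ip: str
    src_port: int
    map_ip: str
    map_port: int


def port_range(port: int) -> tuple:
    """Return the (lo, hi) PAT range a port belongs to, per the TAC note."""
    for lo, hi in PAT_RANGES:
        if lo <= port <= hi:
            return (lo, hi)
    raise ValueError(f"port out of range: {port}")


def parse_xlate(line: str):
    """Parse one xlate line; return an Xlate or None for lines that don't match."""
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    return Xlate(m["proto"], m["src_ip"], int(m["src_port"]),
                 m["map_ip"], int(m["map_port"]))


def check_pat(x: Xlate) -> list:
    """Findings for one entry; empty when the entry obeys the quoted rule."""
    findings = []
    src_rng = port_range(x.src_port)
    if port_range(x.map_port) != src_rng:
        findings.append(f"mapped port {x.map_port} outside source range {src_rng}")
    if x.map_port == x.src_port:
        findings.append("mapped port equals source port")
    return findings


def audit(xlate_output: str) -> list:
    """Return [(line, findings)] for every parsed entry that violates the rule."""
    results = []
    for line in xlate_output.splitlines():
        x = parse_xlate(line)
        if x is None:
            continue
        findings = check_pat(x)
        if findings:
            results.append((line.strip(), findings))
    return results


def choose_pat_port(src_port: int, in_use: set, rng=None) -> int:
    """Allocate a mapped port the way the TAC note describes: same range as
    the source port, never the source port itself, never one already in use."""
    rng = rng or random.Random()
    lo, hi = port_range(src_port)
    candidates = [p for p in range(lo, hi + 1) if p != src_port and p not in in_use]
    if not candidates:
        raise RuntimeError(f"no free PAT ports in range {lo}-{hi}")
    return rng.choice(candidates)


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_XLATE):
        print(line)
        for f in findings:
            print("  !", f)
    print("example allocation for source port 53:", choose_pat_port(53, set()))
```

Run against the two quoted lines, the first entry (3000 -> 11129) stays within the 1024-65535 range and passes, while the second (3001 -> 137) is reported because 137 falls in the 1-511 range. Whether that is a display quirk or real 8.4 behaviour is something only TAC and the device logs can settle; the script only tells you which entries disagree with the rule TAC described.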
unclerico Member Posts: 237
Yeah, a lot of people are not fans of ASA devices. I myself have never had an issue with them and I've managed many over the past couple of years. With that said, I chose Palo Alto Networks over Cisco when it came time to choose.
Preparing for CCIE Written
Bl8ckr0uter Inactive Imported Users Posts: 5,031
I am actually working with PA gear as well. I'd like to take the training courses but $$$. I think the CLI is easy to understand as well.
unclerico Member Posts: 237
I hear ya on the price, but it is well worth it. One thing I do know is when I flew to Denver to take the training course my instructor was CCIE Security, so that was cool! He was only the second CCIE I've ever met... OK, so I'm a nerd, oh well.
powerfool Member Posts: 1,666
The only issue that I have ever had with the ASA is that some of the modules seem clunky. A CCIE (not sure which he had) installed the ASA originally and didn't realize that you need to create an ACL that excludes the CSC SSM from filtering its own traffic, else all traffic on the firewall stops. Really stupid design requirement... but it is what it is; called TAC and it was an immediate answer from them... so apparently it is a FAQ and plenty of others have the same problem. As far as hardware/firmware... I have not had the first issue yet and I have been working with them for four years, and the PIX for years before that.
2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro