Asa = pos

Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
So in my brief (less than 2 months) experience with these firewalls the following has happened to me:

- Firmware blew up (x3)
- Config blew up
- Filesystem blew up (x2)
- Device simply stopped working (x2)

Are these devices that bad? I mean this has been true on 5540s and 5520s. I honestly question whether I want the CCNP:Security now because it means I'll have to work with more of these pieces of...dung. Anyone else have a similar experience?

Comments

  • kriscamaro68 (Member, Posts: 1,186)
    Bl8ckr0uter wrote: »
    So in my brief (less than 2 months) experience with these firewalls the following has happened to me:

    - Firmware blew up (x3)
    - Config blew up
    - Filesystem blew up (x2)
    - Device simply stopped working (x2)

    Are these devices that bad? I mean this has been true on 5540s and 5520s. I honestly question whether I want the CCNP:Security now because it means I'll have to work with more of these pieces of...dung. Anyone else have a similar experience?

    I managed a 5510 for about 1 1/2 years without issue. It just worked all the time.
  • ColbyG (Member, Posts: 1,264)
    I've worked with a lot of ASAs and they've been very solid.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Before it starts to sound like user error, I can deal with configuration issues lol. If I put something in wrong, I put it in wrong but blowing up and losing its config is something else entirely. Maybe all of mine have been made on Mondays or Fridays lol
  • cxzar20 (Member, Posts: 168)
    Yeah, we had so much trouble with them that we ended up just going with Checkpoint. IMO, all Cisco stuff is garbage except for their bread and butter routers/switches. I can't really comment on their VOIP stuff though, I don't have any experience with it. Their WAN Optimization stuff is the worst.
  • it_consultant (Member, Posts: 1,903)
    Bl8ckr0uter wrote: »
    So in my brief (less than 2 months) experience with these firewalls the following has happened to me:

    - Firmware blew up (x3)
    - Config blew up
    - Filesystem blew up (x2)
    - Device simply stopped working (x2)

    Are these devices that bad? I mean this has been true on 5540s and 5520s. I honestly question whether I want the CCNP:Security now because it means I'll have to work with more of these pieces of...dung. Anyone else have a similar experience?

    I have never been overly impressed with the Cisco ASA firewalls. I haven't had any issues like the ones you describe but I find them (much like their routers and switches) overly complex and overly expensive.
  • shednik (Member, Posts: 2,005)
    Wow I've never seen issues like that on any ASAs I've ever worked with...for a firewall I'm not a huge fan of how they operate from an auditing/logging perspective and building rules can be tedious at times. I think I was spoiled by my last job when we worked with checkpoint firewalls, however I do think the ASA for a VPN gateway worked very well.

    Have you talked to TAC, Kevin? What version of code is it? Some of the older code revisions have some strange bugs.
  • SteveO86 (Member, Posts: 1,423)
    I've managed a handful of them at my previous job for a few years and never had a single hardware/firmware problem.

    I manage even more of them in my current position and still haven't run into a firmware or hardware issue. Involving IOS 8.2 - 8.3.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • undomiel (Member, Posts: 2,818)
    So far all the ASAs I've had to work with have been rock solid as well. Haven't run into weird issues with any of them.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • Chivalry1 (Member, Posts: 569)
    Most of the ASAs I've worked on have been very reliable. At first I found it a little cumbersome, but I am an old Cisco PIX guy so the new GUI buttons impressed me. :) Maybe call your Cisco representative and let him know of the issues. If not, buy a set of Fortinet Fortigates; set it and forget it! :)

    Still, obtain the CCNA: Security... you may not like them, but Cisco ASAs are the standard firewall at many corporations; you can't run from them.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915)
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    It was actually an issue with 8.4. 8.3 has been very solid for us. Guess I'll be waiting for 8.5.

    I guess I just have bad luck. I'm still going to knock out CCNP:S, I am just complaining.
  • itdaddy (Member, Posts: 2,089)
    You know, just a thought. Have you considered that the ASA you have is a fake copy, like from China?
    I have seen some really good duplicate copies that were made and you can barely tell until you use them..
    Just a thought here..... really, I have seen some fakes, very scary.. it could be a fake..
  • docrice (Member, Posts: 1,706)
    The gray market reference was my first thought as well. I haven't seen an ASA or PIX blow up on me yet. Generally they've been pretty reliable in my experience. Or perhaps you have a bad batch that somehow made it past QA. If you have hardware-level problems, your environment is not stable enough to prevent configs blowing up.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • NOC-Ninja (Member, Posts: 1,403)
    In my experience, I've never heard of or seen one blow up. It's been running for 5 years.
  • SteveO86 (Member, Posts: 1,423)
    Chivalry1 wrote: »
    Still obtain the CCNA: Security....you may not like them but Cisco ASA are many corporate standard firewalls; you can't run from them.

    Not to be too picky but..
    CCNA: Security doesn't actually cover the ASA, it's covered in the CCNP: Security. CCNA: Security covers Cisco IOS (IOS VPN, IOS IPS, Port Security, SSH that kind of stuff) Even the CCNP: Security SECURE exam is very IOS related. Firewall/VPN are more specific to the ASA.

    I don't disagree with you at all; CCNA: Security is a good foundation for Cisco/network security.
  • shednik (Member, Posts: 2,005)
    Bl8ckr0uter wrote: »
    It was actually an issue with 8.4. 8.3 has been very solid for us. Guess I'll be waiting for 8.5.

    I guess I just have bad luck. I'm still going to knock out CCNP:S, I am just complaining.

    I remember being told 8.4 still had a few bugs in it, maybe check for a minor release?
  • Sett (Member, Posts: 187)
    I worked extensively with FWSMs and never had a problem with them. What you are describing sounds like my Checkpoint experience. I don't have enough words to explain how much I hate those.
    Non-native English speaker
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    OK, like this issue. For some reason the device seems to be NATting to well-known ports randomly and dynamically. So let's take this as an example:

    UDP PAT from Inside:X.X.X.X/3000 to Outside:Outside_INT/11129 flags ri idle 0:00:44 timeout 0:00:30

    This seems right to me and makes sense:

    UDP PAT from Inside:X.X.X.X/3001 to Outside:Outside_INT/137 flags ri idle 0:00:44 timeout 0:00:30

    Am I tripping, or should that say something higher than 1024? Mind you, it does this every once in a while, and we aren't running out of translations or anything. And this is dynamic (not a static map).
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Well, maybe everyone here knew this already and I am just a noob, but I wanted to throw this out there. This comes from Cisco TAC:

    Natting logic in PIXOS (as well as current ASAs)
    If the source port is TCP/UDP 1-511, then the PIX will PAT the SRC address to one in that range.
    If the source port is TCP/UDP 512-1023, then the PIX will PAT the SRC address to one in that range.
    If the source port is TCP/UDP 1024-65535, then the PIX will PAT the SRC address to one in that range.

    It will not NAT out on the same port it comes in on, so if I come in on port 53 (1-511) I will get some random port in the 1-511 range other than 53. Just thought some people would like to know this.
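    The port-band rule quoted from TAC above, applied to the two xlate lines posted earlier in the thread, as an added example (this is not code from the thread or from Cisco): a small Python audit that parses `show xlate`-style PAT lines, classifies each translation against that rule, and simulates the mapped-port choice the rule implies, including the case where a band runs out of ports. The sample lines, the interface names and the 192.0.2.x addresses are constructed; the regex assumes the line layout quoted in the thread.

```python
"""Audit dynamic PAT entries against the port-band rule quoted from Cisco TAC.

Added example, not code from the thread or from Cisco. The sample xlate lines,
interface names and 192.0.2.x addresses below are constructed.
"""
import random
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The three bands the TAC quote describes: a dynamic PAT keeps the mapped port
# in the same band as the real (pre-NAT) source port.
PAT_BANDS: Tuple[Tuple[int, int], ...] = ((1, 511), (512, 1023), (1024, 65535))

# One "show xlate" PAT line in the layout quoted in the thread (assumption:
# "PROTO PAT from IF:ADDR/PORT to IF:ADDR/PORT ..."); the trailing
# flags/idle/timeout fields are ignored.
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<in_if>[^:\s]+):(?P<real_ip>[^/\s]+)/(?P<real_port>\d+)"
    r" to (?P<out_if>[^:\s]+):(?P<map_ip>[^/\s]+)/(?P<map_port>\d+)"
)

# Constructed sample output: the first two lines mirror the pair the poster
# asked about (3000 -> 11129 and 3001 -> 137); the third is a same-port case.
SAMPLE_XLATE = """\
UDP PAT from Inside:192.0.2.10/3000 to Outside:Outside_INT/11129 flags ri idle 0:00:44 timeout 0:00:30
UDP PAT from Inside:192.0.2.10/3001 to Outside:Outside_INT/137 flags ri idle 0:00:44 timeout 0:00:30
TCP PAT from Inside:192.0.2.11/53 to Outside:Outside_INT/53 flags ri idle 0:00:10 timeout 0:00:30
"""


@dataclass
class XlateFinding:
    line: str
    proto: str
    real_port: int
    mapped_port: int
    verdict: str  # "ok", "band mismatch", "port preserved" or "unparsed"


def band_of(port: int) -> Tuple[int, int]:
    """Return the (low, high) band that contains `port`."""
    for lo, hi in PAT_BANDS:
        if lo <= port <= hi:
            return (lo, hi)
    raise ValueError(f"port {port} is outside 1-65535")


def check_translation(real_port: int, mapped_port: int) -> str:
    """Compare one real->mapped port pair with the quoted rule."""
    if band_of(real_port) != band_of(mapped_port):
        return "band mismatch"   # e.g. 3001 -> 137 crosses from 1024+ into 1-511
    if real_port == mapped_port:
        return "port preserved"  # the TAC quote says the same port is not reused
    return "ok"


def audit_xlate(output: str) -> List[XlateFinding]:
    """Parse xlate-style output and classify every PAT line."""
    findings: List[XlateFinding] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = XLATE_RE.match(line)
        if m is None:
            findings.append(XlateFinding(line, "?", 0, 0, "unparsed"))
            continue
        real, mapped = int(m["real_port"]), int(m["map_port"])
        findings.append(
            XlateFinding(line, m["proto"], real, mapped, check_translation(real, mapped))
        )
    return findings


def choose_mapped_port(real_port: int, in_use: Set[int], seed: Optional[int] = None) -> Optional[int]:
    """Simulate the allocation the quoted rule implies: same band, never the
    same port, skipping ports already translated. Returns None when the band
    is exhausted (the 1-511 band is small, so this happens first there)."""
    lo, hi = band_of(real_port)
    candidates = [p for p in range(lo, hi + 1) if p != real_port and p not in in_use]
    if not candidates:
        return None
    return random.Random(seed).choice(candidates)


if __name__ == "__main__":
    for f in audit_xlate(SAMPLE_XLATE):
        print(f"{f.proto} {f.real_port:>5} -> {f.mapped_port:>5}: {f.verdict}")
    print("mapped port for source 53:", choose_mapped_port(53, set(), seed=1))
```

    Run against the constructed sample, the first line (3000 -> 11129) passes, the second (3001 -> 137, the one the poster asked about) is reported as a band mismatch because the mapped port fell into a lower band than the source port, and the third is reported because the port was kept. Flagged lines are worth collecting alongside the running code version before opening a TAC case, since the rule as quoted predicts none of them.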
  • unclerico (Member, Posts: 237)
    Yeah, a lot of people are not fans of ASA devices. I myself have never had an issue with them and I've managed many over the past couple of years. With that said, I chose Palo Alto Networks over Cisco when it came time to choose.
    Preparing for CCIE Written
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    I am actually working with PA gear as well. I'd like to take the training courses but $$$. I think the CLI is easy to understand as well.
  • unclerico (Member, Posts: 237)
    I hear ya on the price, but it is well worth it. One thing I do know is when I flew to Denver to take the training course my instructor was CCIE Security, so that was cool! He was only the second CCIE I've ever met... k, so I'm a nerd, oh well :)
  • powerfool (Member, Posts: 1,666)
    The only issue that I have ever had with the ASA is that some of the modules seem clunky. A CCIE (not sure which he had) installed the ASA originally and didn't realize that you need to create an ACL that excludes the CSC SSM from filtering its own traffic else all traffic on the firewall stops. Really stupid design requirement... but it is what it is; called TAC and it was an immediate answer from them... so apparently it is a FAQ and plenty others have the same problem. As far as hardware/firmware... I have not had the first issue yet and I have been working with them for four years, and the PIX for years before that.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro