SR520 Dissapointment

Unanswered Question
Jul 22nd, 2009

I am very dissapointed with Ciscos release of the SR520. I was excited at first having a good software feature set and rack mountable (about the only ADSL router I have found that doesnt need a shelf). My dissapointment was with the CCA config software (using the latest 2.0.1 version). Having used CCA with the UC500, I was pleased with it (although I have moved away from CCA for my own system due to lack of support for EM, I will be sticking to it as much as possible for out UC500 installs to customers). However I came across the following major problems:

- ADSLoPOTS setup... the UK (and alot of europe as far as I know) use PPPoA for ADSL connections. There is no support for this within CCA

- VPN setup... trying to create a VPN tunnel between this and a Watchguard.... no support for IPSEC tunnels within CCA

- Firewall setup.... trying to create a basic firewall... no real options from the basic Low, Medium, High. I needed to allow Pings from a certain address range.

The dissapointment then continued even further when I couldnt even fall back to SDM to configure the device!!!

At this point I gave up and configured the entire thing by CLI, which resulted in the installation taking a whole day instead of a few hours.

I have since changed all our orders/quotes the include an SR520 and gone back to the 800 series. Furthermore, this is a major blow for us to move from Watchguard devices to Cisco devices (not every engineer is trained for CLI commands and we need a product with a easy but robust GUI)

I was wondering if anyone else has any comments on the SR520 outside the US? Any comments from Cisco? Is there something I have fundamentally missed with this? With CCA well into its 2.0 release I would have expected basic features like ADSL setup to be straight off the mark.

Can anyone from the UK tell me their experiences with the SR520?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marcos Hernandez Thu, 07/23/2009 - 11:03

Hi Chris,

Thanks for this feedback. I have forwarded your comments to the SR520 Product Management team.


andrewsymms Sat, 08/08/2009 - 13:10


I seem to have fallen into the same trap purchased an sr520 and cannot get it to connect using the cca to the uk adsl.

I understand it can be done using the cli

Could someone explain as simply as possible how do do it



andrewsymms Sun, 08/09/2009 - 14:23


Thankyou for pointing me in the right direction.

I think im almost there but not quite.

If someone could look at the atached files and advice what else i need to do i would be gratefull.

all im trying to do is atach the sr520 to the uc 520with the sr520 as the gateway to the internet

or have i got it all completely wrong !!

I think it would have been a lot easier if i could have used the cca to conect to the internet with pppoatm


David Hornstein Sun, 08/09/2009 - 23:01

Hi Andrew,

The debug looking good as far as the SR520 is concerned, my comments are in blue. Just  a few comments on a bit of the PPP debug you captured. Sure looks good.

Aug  9 20:49:34.627: Vi2 PPP: Phase is UP    Point to Point protocol is up and IP negotiation is about to start
Aug  9 20:49:34.627: Vi2 IPCP: O CONFREQ [Closed] id 1 len 10
Aug  9 20:49:34.627: Vi2 IPCP:    Address (0x03065182D7B1)
Aug  9 20:49:34.627: Vi2 CDPCP: O CONFREQ [Closed] id 1 len 4
Aug  9 20:49:34.627: Vi2 PPP: Process pending ncp packets
Aug  9 20:49:34.627: Vi2 IPCP: Redirect packet to Vi2
Aug  9 20:49:34.627: Vi2 IPCP: I CONFREQ [REQsent] id 1 len 10
Aug  9 20:49:34.627: Vi2 IPCP:    Address (0x030651866001)
Aug  9 20:49:34.631: Vi2 IPCP: O CONFACK [REQsent] id 1 len 10
Aug  9 20:49:34.631: Vi2 IPCP:    Address (0x030651866001)
Aug  9 20:49:34.675: Vi2 IPCP: I CONFACK [ACKsent] id 1 len 10
Aug  9 20:49:34.675: Vi2 IPCP:    Address (0x03065182D7B1)
Aug  9 20:49:34.675: Vi2 IPCP: State is Open
Aug  9 20:49:34.675: Di1 IPCP: Install route to
Aug  9 20:49:34.679: Vi2 LCP: I PROTREJ [Open] id 2 len 10 protocol CDPCP (0x820
Aug  9 20:49:34.679: Vi2 CDPCP: State is Closed
Aug  9 20:49:34.679: Vi2 CDPCP: State is Listen
Aug  9 20:49:34.679: Vi2 IPCP: Add link info for cef entry Looks like IP Control Protocol (IPCP)has successfully negotiated as well so at this point you should be able to ping IP devices on the Internet from the SR520 command line
Aug  9 20:49:35.627:
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

Look like you configured the atm interface rather well,  should be able to ping at this point devices on the Internet from the SR520 command line.  But the firewall does not seem to be active on the  WAN dialer interface.

In terms of what to do next Marcos Hernandez produced a brief guide with a number a scenarios;

But, if you are a Value Added Reseller or Cisco partner, you should open a case with the folks at the Cisco's  Planning Design Implementation (PDI) group to pose the question on how to lay out the hardware topology that you want.  This is a free service to SMB "select" Cisco partners or VARs.  You still need to do some configuration to get the firewall working properly (if you want).

But feel free to open a case with the PDI, they are there to help with your Planning design and implementation  and make your installs successful.  But check out their website, the link to it is below;

I have no idea where you live, but if you need some guidance or someone to help facilitate support for you, have a word to your local pre-sales cisco Systems Engineer or the support Staff at your distributor. 

regards Dave

andrewsymms Fri, 08/14/2009 - 00:48

AFter resting the sr520 to facory I found by altering the config as per the atached file everything seems to work fine.

Perhaps others may find this usefull.

For some reason it doea seem to mess up the cca on the uc520 the outgoing dial plan will only show sip trunk not isdn and the incoming did wont show what was previously configured.

eljakimit Tue, 08/25/2009 - 07:17

Hi Marcos,

I reported the same issues a couple of months ago (along with a bunch of other CCA complaints and bugs).

Do you know if product management intends to do anything about these issues?


Marcos Hernandez Fri, 09/18/2009 - 12:32

Hi Eljakim,

These problems have been escalated and reported. I will update this thread when I hear back from the respective product owners.



nsn-amagruder Fri, 01/22/2010 - 20:29

Has the SR520 improved since this experience?  I'm not sure about trying this product for the first time and would rather stick with the ASA5500.  Any experience with creating a VPN from the SPA525G to the SR520 and/or ASA5500?

eljakimit Fri, 01/22/2010 - 23:33

So far I don't think any of our issues have been resolved.

We moved away from the SR520 as ADSL connection point because it just is

too much of a hassle to work from the CLI.

I don't really think the Cisco engineers really understand the problem; it's

been a long time, and any in depth response has never arrived.

It's a shame really; I spent a long time writing down all kinds of bugs

and issues with the CCA, but only received a response from Cisco

after begging for it, and then the response was 'it's been sent on'.

Too bad, this CiscoCommunity forum seemed like a way to communicate

back with Cisco, but I don't think they see it as such. It feels more like

a marketing gimmick that is just a basic forum with the extra addition

of Cisco staff also roaming around and being identifiable.

Sorry if I sound skeptical or stole your threat with this comment, but

it is truely annoying.

andrewsymms Sat, 01/23/2010 - 02:54

looking at the length of time passed since weve been waiting for an update and there has been updates to cca. with nothing to address the ppp over a issue ?

eljakimit Sat, 01/23/2010 - 04:08

Correct. It has not been addressed, nor has a timeframe to address it been given.

Basically the SR500 series is not aimed at small businesses in Europe.


bchris999 Thu, 01/28/2010 - 08:51

:( Well, after 6 months since my first post and no progress, the SR520 is destined to become eBay material and is to be replaced by a Draytek Vigor 2820 with a rack kit (at way under half the price too). Whilst I have myself the ability to configure these devices by hand, other engineers in the company do not therefore it is not an option to keep it without having a GUI. Would have been nice to at least see SDM support enabled for it, even as an unsupported thing.... I can't imagine it would be that much different from a 800 series router.

Marcos Hernandez Thu, 01/28/2010 - 09:05


I have asked the Product Manager for the SR500 to explain our plans and clarify positioning.

I will say that I respectfully disagree with the post that claims this Community is a marketing fad. A lot of people put their time and effort in trying to answer questions and help our resellers and customers, even when a support contract does not exist. We also use this community to gather feedback, conduct beta programs and deliver training, all that without moderation or censorship, unless the content becomes a risk and could be used maliciously.

Please keep using this community to get support and voice your opinion. Your comments are always welcome.

Marcos Hernandez

Technical Marketing Engineer

Cisco Systems, Inc.

Andrew Hickman Thu, 01/28/2010 - 15:02


Firstly, thank you very much for both your feedback and comments regarding the SR520.  Also, thanks Marcos for bringing this to our attention.

There have certainly been some challenges with the positioning and configuration of this product since it was launched – as you know we’ve been working hard to build a broad portfolio of products specifically for the Small Business market and in our efforts to do this, we seem to have overlooked a number of aspects that would make the SR520 a great product for you to position and sell.

Looking forward, we hope to continue to offer you the best products for your customers.

a)      The ISR870 and ISR880 series of routers will continue to offer market leading feature support and flexibility when you need it.

b)      We will continue to offer and support the SR520 as a component of the SBCS solution for the time being.  A new SmartDesign guide is about to be published to help with deployment and configuration.

c)       In April, we will bring to market a new range of Cisco Small Business devices in this space – the SRP500.  Unlike the ISR800 and SR520, these products will be Linux based and will have their own integrated GUI (no CLI).  ADSL2+ and Ethernet variants of this product will be made available in small and mid-sized versions and all will offer 802.11n wireless.  These products will be aggressively priced in comparison to the SR520 and ISR800 and will have a place as both a standalone device and as part of the SBCS solution.

If I might respond specifically to one of the points raised in this thread – I used CCA v2.2.1 and a factory default SR520 to connect to my BT ADSL service in the UK this evening without any issue.  CCA uses pppoe-client configuration on the ATM interface, but this seems to be perfectly functional (for me at least).

Please keep the feedback coming.  Myself, Maulik and Jayesh from the Product Management team will keep a track of this thread if you have any further comments.

Best Regards

Andy Hickman

andrewsymms Fri, 01/29/2010 - 05:39


when i set up the sr520 to connect to my bt adsl connection it would not connect via cca using pppoe. By using cli it did connect using pppoa. Are you sujesting that it should work through pppoe if so i will give it a go again


eljakimit Fri, 01/29/2010 - 06:07

I have the exact same issue.

PPPoE: not supported by provider, but supported by CCA

PPPoA: only supported by provider, have to do this from the CLI

Can you at least give us a timeframe for the following issues:

* When will we be able to program PPTP server from the CCA (currently only CLI)

* When will we be able to program PPPoA from the CCA

And, lastly:

Are you planning on giving more granular firewall control from the CCA?


Andrew Hickman Fri, 01/29/2010 - 08:29

Hi Eljakim,

I understand that PPPoA is generally what is used by ADSL access devices (as it is the simplest implementation), but are you saying that your provider categorically does not support PPPoE?  Which ISP are you using out of interest?

Using a PPPoE client bound to the DSL interface on the SR520, ought to emulate PPPoA pretty closely.

Could you try the configuration process that I just posted for Andrew on this thread and let me know how you get on?

To your questions:

* When will we be able to program PPTP server from the CCA (currently only CLI)

It's unlikely that we will support PPTP specifically in the SBCS solution.  Our goal for SBCS is to try to make deployment as straight forward as possible for Select Partners and Small Businesses and in so doing, we have not exposed many features that could just cause confusion.  For example, for VPN we have chosen to use the IOS EZVPN feature: This is somewhat academic to most users as they just want VPN access that can be set up as easily as possible.

Of course, you have seen that you can use this feature through CLI - it is also well covered by the ISRs and SDM if you need extended flexibility.

* When will we be able to program PPPoA from the CCA

There are no immediate plans to support this - I would be interested in your feedback from above to help me see how best we could move forward on this one.

Are you planning on giving more granular firewall control from the CCA?

We often hear this request and I do appreciate that the settings are somewhat high level currently.  Many firewall settings are configured transparently by CCA based on what has been configured under features like NAT port forwarding and DMZ.  This approach trades the flexibility that you might be used to in IOS with ease of deployment and makes the solution easier to support.

Can you give me some examples of the firewall features that you would like to be able to configure?  I'll take these to the CCA Product Manager as see how we can move this forward.

Thanks again for your feedback,


eljakimit Fri, 01/29/2010 - 08:52

PPPoA: ISP = xs4all

Here is the relevant bit from our configuration. Believe me when I tell

you that we tried everything from the CCA before moving to the CLI.

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no atm ilmi-keepalive

pvc 8/48

  encapsulation aal5mux ppp dialer

  dialer pool-member 1



interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 199 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname cisco
ppp chap password 7 BLAAAT
ppp pap sent-username BLAAAT password 7 BLAAT
ppp ipcp dns request
Andrew Hickman Fri, 01/29/2010 - 09:01
Believe me when I tell you that we tried everything from the CCA before moving to the CLI.

Thanks for the detail - I believe you :)

eljakimit Fri, 01/29/2010 - 08:54


The reason we like PPTP is that it is so well supported and you don't need any special client software.

We just installed another SR520 model where we used the VPN options that come out of the box. The client does not like the extra client software that has to be installed and is asking 'why can't we just use the Microsoft client'.

Am I completely mistaken here?

Andrew Hickman Fri, 01/29/2010 - 09:05

Am I completely mistaken here?

Not at all.  This really comes back to the point I made earlier about trying to have a common approach.  When developing the SBCS solution, the Cisco VPN client had pretty good client / OS coverage, so it made sense to standardise on that.

eljakimit Fri, 01/29/2010 - 08:57

I think the firewall issue comes down to the fact that it sometimes appears that random things are happening.

We had some Cisco staff fiddle with our firewall rules (under the smartnet contract) and they could not figure out what they wanted to do.

I can pm you our entire config so you can see what they have done, and you can then say whether it makes sense or not. Just send me your e-mail and I'll send you the config.

Andrew Hickman Fri, 01/29/2010 - 09:16

Thanks again for the feedback.

It is true that there have been some issues with firewall ACL management with CCA.  Those are defects that we treat seriously and continue to address - it's a shame that you were impacted by this.

That shouldn't distract however from the general provisioning approach that we have taken with CCA (and our new SRP500 devices for that matter).

Please feel free to send me your config via private message on this community.

I'd still be interested to hear what functionality you would like to see added to the firewall.  I'm really interested in your high level views - nothing IOS specific.


eljakimit Fri, 01/29/2010 - 09:51

It may very well be the case that the firewall issues stem from the CLI configuration of PPTP. I just remember that your support people had major problems with it. (but they also said that the zone-based security was new to them)

You know, even if you don't build it into the CCA, it may make sense to have a conf analyzer tool that tells you what rules are in the system. Or are there any third party tools that help with this?

andrewsymms Wed, 02/03/2010 - 10:36


After a bit of experimenting a few resets to factory and so on everything seems to be working pppoe with a standard UK bt adsl connection.

It seemed everytime I set some nat port forwarding on the sr 520 no internet traffic from the uc500 would get passed the sr520 ? However setting the nat i required and then rebooting the sr520 seemed to solve the problem.

Happy now !

Andrew Hickman Fri, 01/29/2010 - 07:30

Hi Andrew,

That's right.  I have a standard BT Business Broadband service.

Using a factory default router configuration and CCA2.2.1, I just entered the standard VPI/VCI (0/38) for BT and used my PPP username and password.

Having committed the configuration, I renewed the DHCP lease on my PC (to get the DNS server IP provided by BT over the DSL connection) and it worked.

For your information, this is the configuration that CCA created for me:

interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
pvc 0/38
  pppoe-client dial-pool-number 1
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password
ppp pap sent-username password
ppp ipcp dns request

Let me know how it goes for you.



andrewsymms Sat, 01/30/2010 - 12:51


Well how strange i reset sr520 to factory settings and managed to get it to connect as you suggested.

Frustaing thing is it would not hold the connection for more than half an hour !!

After much trying to find the problem no success so I reverted back to my original ppoa via the cli and works fine again ?

Would be nice to know why it wont work if anyone could shed some light for me



fbahemia81 Sat, 02/20/2010 - 11:56

I am using SR520-ADSL-K9 in Mauritius where we only have access to PPPoA 8/35 and i have tried set it up via CCA but it only give you PPPoE!!!! as I have a smartnet, i have call TAC and they realized that their was a problem with my router itself, so we have asked for an RMA, which toke me 7 days to get a new one (even if I have a NBD contract!!!) + the new one which came too have the same problem!!! so now I need to wait another week hoping that I will get another one and that TAC can finally set my PPPoA!!!!

I think the product should be review!!! 2 units faulty + can't setup from CCA!!!!

zylexcomputers Thu, 07/07/2011 - 16:15

And i've just bought two of these for a customer here in New Zealand, only to find the same problem - everything here is PPPoA also - I only found this thread after finding the lack of PPPoA config in CCA and searching. I guess CLI it is then to get it working (leaving it on PPPoE as above doesnt seem to work).

Cisco is the PPPoA config option ever going to be added to CCA for the SR520? If i'd have known i'd have to use CLI I would have probably bought something else, the only reason for buying SR520s was to simplify the solution (given it's a multi-site, UC500 at head office, these two SR520s being intended for branch offices.

watson.daniel Mon, 09/19/2011 - 18:13

Same thing here, I was disappointed that because I expected the CCA to be a step forward from the SDM (which worked great!) and as soon as I saw PPPoA was not an option I simply picked one of my old 877 config's, rejigged it and slapped it back via tftp. The Zone Based Firewall is a hassle to deal with in CLI so i reverted back to CBAC & ACL's and everything works fine.

In the boot sequence you can see that the router is 870 board based so I guess the old kit is simply being repackaged as part of the SMB design until the SRP series get penetration. The only plus is that it is a lot cheaper than the 87x series. I would avoid these routers unless you are comfortable with CLI. Mixing CLI and GUI tend's to give you grief with IOS.

New Zealand etc are too small a market for them to bother changing things like this and it must be a nightmare for hte guys coding the CCA trying to integrate all the multitudes of product Cisco has produced.

eljakimit Mon, 09/19/2011 - 22:37

Yep, in The Netherlands our provider also only does PPPoA. Cisco keeps insisting

that PPPoE will work, and it just doesn't. We're using CLI mixed with CCA. The CCA

keeps crashing when you enter PPPoA settings from the CLI, but as long as you

don't get near those settings in the CCA it will work...

Another disappointment is not being able to add certificates from the CCA. Basically

we can use the SR520 to reset the router and upgrade the firmware and not much else.

On another note: I got a slap on the wrist when posting an SR520 question here a

while ago. Cindy Toy suggested that even thought the SR520/ADSL is a small

business router it is not supported on this forum; only the SR520/T1 router can

be discussed here. I never understood that decision. We have a support contract

though so sometimes we just open up a TAC...


This Discussion

Related Content