SA 540 General VPN Question

Feb 11th, 2010

Going to put down the trusty old PIX 506e and considering replacing it with a SA540. Are there any known VPN configuration 'gotchas' on the SA540 when the ISP-assigned WAN address is static PPPoE?

kdeklerk1 Fri, 02/12/2010 - 06:39

I don't know about the configuration you are talking about but there are plenty of known issues with the SA540 in general that aren't fixed. And I'm not sure it is a product that you should be considering right now. I have an open ticket that doesn't look like it will be resolved any time soon (it's been a week for the Escalation team to come back and ask what modem I'm using); it is for the inability to connect to a 10MB full duplex line on the WAN port. But as I test it I'm running into other issues like the SSLVPN client not working with Windows 7. This is just a word of caution when looking at this product.

Steven Smith Fri, 02/12/2010 - 07:27

We are working on both of the issues with 10Mbps interfaces on the WAN and Optional port.  The next release will have support for SSL VPN on Windows 7.

cmonteith Mon, 02/15/2010 - 12:42

Wow,

If you're looking to run any form of VPN I can strongly say DON'T go for any of the SA500 devices yet.  They can at best be considered an immature product, and at worst a complete joke.

You will not have access to PPTP or Cisco VPN that you can currently run on your 506e. The only "supported" client right now is the Cisco/Linksys QuickVPN...and it is a major step down from the Cisco VPN client. The VPN setup is rather clunky, and I've seen many many reports of bugs and performance problems with no solutions posted at all.

If you're in need to replace your 506e, go up to the ASA5505....it's a fantastic product that can do everything your 506e can do plus more...



talentintelligence Fri, 04/09/2010 - 22:37

I agree that these are a paperweight at best. We traded in a Fortinet that worked for us for 6 years without fail and now with the SA540 trying to connect to the Cisco in our data centre we are rooted. Wasted over 40 man hours trying to get this working only to find others have identical issues. Only bought because there is a 2 month backorder on the ASA that we wanted.

Upgrade to latest firmware 1.1.21 also with no change. WAN port drops (20M/20M link), device hangs (can't even ping internally and have to reboot after 5 minutes).

biraja Mon, 04/12/2010 - 10:01

Hi Guys,

We have fixed majority of VPN fixes found and reported by you.

We have also fixed other issues concerning WAN, IPS, etc.

We are currently testing the firmware and it looks good.

I recommend you to try this release which will be posted in a week.

Appreciate your feedback and support.

Thanks and Regards,

Biraja

Stephane.Guedon Mon, 04/12/2010 - 15:11

Hi,

Quite agree with many feedback. This product is not mature enough !!!



Something not working ... please wait for new firmware :-(

VPN Clients not working very fine .... At this time, we are looking for other product.

Few docs are pretty well written (https://www.myciscocommunity.com/docs/DOC-15592) but only a workaround !

Please, CISCO teams focus on this product or stop it.

Regards

KOMNetworks Thu, 04/22/2010 - 10:35

We just got one of these a few days ago and I've been fighting with it for the past day. We have an ancient SonicWall that we want to retire. It was a snap to configure. This SA540 doesn't work no matter what I do. Client can't connect with generic "there's something wrong" error. We only want it for the VPN features, everything else is useless to us, and the one thing we need it for it can't do. And now I'm supposed to sit here and wait for new firmware so that it will work? Pathetic.

Stephane.Guedon Thu, 04/22/2010 - 10:46

I hope CISCO will do best effort to get a real VPN feature on this box.

My old IPCOP is working better than the SA540 and costs less !!!

cmonteith Thu, 04/22/2010 - 10:58

I can tell you I just couldn't wait the 2+ MONTHS for the potential fix on this product.  We had to just have egg on our face with every client we installed one of these for...  I'll never get back all the wasted man hours my team put in for this joke of hardware.  I knew I wasn't alone when I called our disty about RMA'ing each of these units and they didn't even bat an eye....I'm guessing I'm not the only one that sent these units packing.

We ended up replacing these units with Cisco 871W and the new 861W routers....IOS based and they just work. They lack the Web VPN....but well, in my mind the 540 didn't either :). I have had great results in using the Shrewsoft VPN client with the 800 and above level routers as a work around for 64bit users on the IPSec platform.

Honestly my faith in the SMB arm of Cisco is very shaken right now....I will be hard pressed to ever consider recommending anything in this product line to another client.

KOMNetworks Thu, 04/22/2010 - 11:06

After posting my rant, I went to check for firmware again even though I just upgraded from 1.0.15 to 1.1.21 4 days ago.  Lo and behold, new 1.1.42 firmware is there.  I'm hoping this fixes all the problems everyone has been complaining about.  I'll know myself soon enough.

KOMNetworks Thu, 04/22/2010 - 12:40

OK, so I've applied the new firmware (1.1.42) and it's somewhat better but still doesn't work.  With the old firmware, it gave me the generic error message upon connection attempt.  Now it will connect and go through the motions of authenticating (Activating policy... Verifying network...) but then bombs out with a "Remote Gateway is not responding.  Do you want to wait?" error.  If I choose to wait, it just comes back with the same thing again and again.  The log shows that it failed to ping the remote VPN router several times.  If I can't get this going by the end of today, I'm just going to box it up and send it back.  I don't have the time to play around with this stuff, and I'm not going to wait a few months until the next firmware update.  Another point of interest: my test system is a laptop running Vista.  Just in case, I also rigged a Windows Server 2003 box with the same network settings so I can just swap the network cable back & forth between them to test (wall port is connected directly to our external switch so these test systems are live on the net with a public IP.)  The WS2003 box still gets the "something's wrong" error while the Vista box gets to the "Remote Gateway is not responding." stage.  I don't like how it behaves differently depending on which system it's running on.

biraja Thu, 04/22/2010 - 12:45

Hi,

Can you check the below on your PC?

1) Firewall must be turned ON.

2) Make sure the IKE service is started on the PC, since QuickVPN relies on the Windows IPsec. To start the IKE service manually, go to Control Panel->Computer Management->Services and Applications->Services. Start the "IKE and AuthIP IPsec Keying Modules"

Thanks,
Biraja


KOMNetworks Thu, 04/22/2010 - 12:57

Thanks for your reply, Biraja.

On my WS2003 system, Firewall is on and IPSEC is running.  This system errors out right away when trying to connect.

On my Vista system, the firewall was off (I had read conflicting documents about whether the firewall should be on or off.)  When I re-enable the firewall, I can now get to the stage where it thinks it's connected although the status panel does not tell me if I've been assigned an IP address or not.  ipconfig /all doesn't show me anything useful.  I cannot RDP to any of the systems on my network either by name or IP address.  This Vista system also has a SonicWall VPN client installed on it.  I had read that there is a chance it can conflict with the QuickVPN client but I do not know for sure and don't want to upset the settings of the SonicWall client unless I really have to.

Edit:  Even though it appears connected, the log shows that it still can't ping the router.

KOMNetworks Fri, 04/23/2010 - 07:26

Well, I've wasted enough time on this.  It's going back in the box and back to our supplier.  An old SonicWall that hangs 2-3 times a week is still infinitely more useful than this piece of non-functional garbage.

Good luck lads. If any one of you can get this stupid thing working, you're a better man than I.

talentintelligence Thu, 04/22/2010 - 14:14

Our saga continues with cisco trying to help but things go from bad to worse. Our unit now freezes after 10 to 15 minutes when sitting on the test bench with only a lan cable connected on. Firmware 1.1.36.

Upgraded to firmware 1.1.42 and now the LAN interface won't come up! Perhaps Cisco had a bad manufacturing batch, but this product I would not recommend to my most hated enemy.

Stephane.Guedon Fri, 04/23/2010 - 06:35

Hi Cisco team,

Can you tell us when a real solution will be available to connect any kind of host (XP, Vista, Seven, Linux, 32/64 b) using VPN ?

Regards

biraja Fri, 04/23/2010 - 10:56

Hi Stephane,

QuickVPN is officially supported on Windows7, Vista and XP (32 and 64bit).

Thanks,

Biraja

Stephane.Guedon Fri, 04/23/2010 - 12:54

In order to get a full security policy we need a real VPN client, getting an IP for each client (dynamic or that can be fixed).

We have either Microsoft and Linux clients.... any solution ?

Should we stop using such a product ?

Regards

KOMNetworks Wed, 04/28/2010 - 08:46

I've already wasted 3 days on this nonsense and have given up. My boss is more stubborn, and spent 3 hours on the phone with a tech from the reseller we bought it from, and between them they couldn't get it to work. When I mentioned to him that the time he wasted working with the thing was worth more than what the router cost, he wasn't very happy. And here it sits. I'm sure it will be boxed up and returned this week, unless the boss needs a new, expensive paperweight.

Stephane.Guedon Wed, 04/28/2010 - 11:11

Hi All's

Still having problem with this device ...VPN does not work on Windows 7 64b, no solution for Linux ...

let's send back the device to vendor or do Cisco wish to honor the label ...

Do anyone think work is done on SA5XX

really start to be fed up with this !

Regards

Oh GREAT! I just quoted a client a bunch of them!

I went through nightmares like this with some Linksys voice products and almost took out my Company.

Cisco please speak up here! I've been to 3 Cisco seminars in the last month and they all touted these boxes. I DO NOT want to make a mistake again, just tell us if these are ready for production system or not? I will not beta test production products for Cisco again.

We changed our quote from 5510's to SA 540's for the SSL VPN and the clients were happy with the cost changes, but if you can't deliver 5500's and the SA 500's are not ready for customers, we will have to re-quote with ISR's

Not happy

Bob James

cmonteith Wed, 04/28/2010 - 13:22

Hi Bob, Trust me on this one...there is no way on this earth you're ever going to see these SA540's even get within a whisper of touching the levels on a 5510 with web VPN, even if they were not the buggy POS's that they are.

I'm going through the same pains...been on many a webinar with the SEs from Cisco talking about how great these SA540s are....but they obviously have no real experience with them. If I were you (and I might as well be, I've been in the exact same boat for a couple of months with some of my clients) I would STRONGLY advise you do not try and use the 540 as a replacement for an ASA....you and your client will be extremely pissed with the results. If your client's needs are large enough to require a 5510 nothing in the SMB space would be an adequate substitute anyway.

As an SMB Select reseller of many years I cannot say how DEEPLY disappointed I am in Cisco right now. Between having firewalls on back order for three months, lack of taking ownership of the many problems, and just plain lying about this product, I'm beginning to question how much longer I can recommend them to my client base.

Right now the best (Cisco based) option I could recommend is to replace the units with Cisco IOS routers for your web VPN options.  Keep in mind, Cisco has recently changed to a licensing model for WebVPN even on the IOS routers...so you'll want to check out that SKU for your quotes

-

talentintelligence Wed, 04/28/2010 - 13:24

Our cisco is on the way back with an rma and we are hoping to revert to an asa unit which is what we were originally sourcing.

It does appear that the product is in the early stages and it has some great potential. I agree though that there appear to be too many issues on what is a relatively simple device.

KOMNetworks Wed, 04/28/2010 - 13:33

Yes, it certainly is stunning that these were released when nobody in the real world can get them to work.

Anyone know where I can get an ASA 5505?  That's what we originally wanted but could not find.

cmonteith Wed, 04/28/2010 - 13:38

If you find a source share with the class! I've been searching high and low for months with no luck. I have 1 ASA5505-50 user remaining in stock that I'm holding onto as if it were made of gold right now.

- Chad Monteith

KOMNetworks Thu, 04/29/2010 - 06:17

We think we might have a workaround for the QuickVPN client issue.  It's not very practical and I'd like to see if anyone else can make it go.  What we did was, on the external system that you're trying to VPN from, you need to change your gateway address to the LAN address of the router after you have connected via the QuickVPN client.

Last night we decided to try the SSL VPN functionality and we've got that working OK, although I really don't like using Internet Explorer if I can avoid it. It's only the QuickVPN client that seems to still have problems.

weilia Fri, 04/23/2010 - 10:19

Hi,

I believe the following steps can help to bring your LAN interface back online.

This is from the release notes. Please let me know if this works:

These are important notes related to firmware version SA500-K9-1.1.42.
• If the LAN LEDs remain down for more than 10 minutes, or if the Diagnostic
LED is up, press the reset button (with the router powered on) for 10
seconds and release. During that time, do not power off the device.

wei

praneedhcisco Sat, 05/08/2010 - 10:21

I am configuring SA 540 for the first time for remote VPN users. I use Quick VPN and SSL VPN clients. It did not work for me yet.

Can somebody explain what I need to put in remote and Local WAN addresses? Should I keep defaults (FQDN,local.com,remote.com) or do I need to change according to following in my company.

Office LAN is 192.168.1.0/24 and has Active Directory domain bp.toronto. XP client laptops are joined to the domain and sent to remote sales users.

Other configuration details for a successful implementation are also appreciated.

Thanks in advance.

Praneedh

weilia Sat, 05/08/2010 - 10:36

Hi Praneedh,

1) For QuickVPN, you do not need to configure the remote access vpn on SA500.
   only thing you need is to go to VPN->IPSec->IPSec Users, select Cisco QuickVPN
   for the remote peer type.
  
2) Please make sure your PC's firewall is on
3) Please let me know the exact issue you have for ssl vpn connection set up

regards,
wei

Stephane.Guedon Thu, 05/27/2010 - 14:43

Hi all's

Any news on 'how to make SA540 working VPN fine ?'

Still need to get Windows XP,7 64b and Linux working using VPN

Regards

lennart.karlsso... Wed, 06/30/2010 - 05:10

Hello all,

I have also got the SA540 and am quite happy with it besides the VPN side.

We are mainly running Solaris and MacOS X boxes and I must admit I have not gotten the VPN setup to work.

Has anyone successfully set it up for Mac at all ?

//Lennart

Stephane.Guedon Fri, 07/09/2010 - 07:07

Hi All's

Still many bugs on this device and no news from CISCO ....

Many of us were thinking 'buy CISCO to avoid many problems' ... seems to be wrong.

I still hope (may I be wrong) to get a new firmware with professional features:

-Monitoring (interfaces usage, device CPU/memory usage ...)

-VPN working fine (with any kind of remote OS: Linux, Mac OS, Windows 32/64b)

Regards

Hi Julio,

Can the SA540 VPN work with the Windows XP/7 64-bit platform? I installed VPN Client for 64-bit platform and connected to my SA540 box successfully and I'm using firmware version 2.1.18 but I can't access the network behind SA540 as I do from Windows XP, why?

To be honest, I am really disappointed in Cisco SMB products. I have struggled with solving tons of issues from my SA500 series boxes for a few months already.

cheers,

Chi Hong.

juliomar Tue, 03/15/2011 - 11:38

Hi Chi Hong Ip,

Are you using Quick VPN Client or Cisco VPN Client, and what version?  Which Windows 7 x64 Operating System are you using? Home Premium, Professional, Ultimate, or Enterprise?

Cheers,

Julio
