ASA 5540 FW running version 7.0(5)

Answered Question
Aug 9th, 2006

I am upgrading from PIX 6.3.5 to a new pair of ASAs tonight. I am wondering if anybody knows of any gotchas I need to be aware of... Also, I want to know if this version of code for the ASAs is stable. Thanks in advance.

Overall Rating: 4.7 (3 ratings)
Fernando_Meza Wed, 08/09/2006 - 16:09

Hi. I suggest upgrading to the latest version, as it addresses several caveats from the previous version. Also, one of the features we did not have with previous 7.x code (PPPoE) is now available on the latest version, assuming of course that you can make use of it.

http://www.cisco.com/en/US/products/ps6120/prod_release_note09186a0080688004.html#wp37875

I hope it helps. Please rate it if it does!

Correct Answer
tom.shiba Wed, 08/09/2006 - 20:33

We migrated as well, from a couple of PIX 520s v. 6.3.5 to ASAs running 7.0.5. I would recommend running them in parallel and migrating your servers and VPNs slowly. We did this and it paid off, as I've crashed the ASAs multiple times due to software bugs. The ASAs sound great as they integrate features of the VPN concentrator, IPS, etc.; however, I am now a firm believer in separating those services and running them on different boxes.

We ran into issues connecting EZVPN 831 "NEM" and it is malforming SCCP from the IP phones. We took the chance and upgraded to 7.2.1 hoping that it would resolve it because of enhanced Skinny enhancements. Now stateful failover doesn't work "CSCse81232". So here I go again with another can of worms :)

So in summary, if you are just using the ASAs as a basic firewall, 7.0.5 is stable. It's not worth the risk to upgrade to the first major release just because of new features.

P.S. If you use the ASDM, make sure you hit apply after each change. Don't make a bunch of changes and then hit apply, as this will crash 7.0.5 ("CSCse22853"). This bug was discovered by me and wasn't specific to just DHCP relay cmds.

cgoolia Wed, 08/09/2006 - 20:39

Thank you very much... just finishing up and all appears well. Yeah, we were running VPNs on the device and I migrated them all off 2 weeks ago... just because I didn't want to have any issues... Thanks for the ASDM tidbit... great to know. Have a good night!

jbrunner007 Thu, 08/10/2006 - 08:53

Wow, WTF!?! It's 2006 and Cisco still seems to drop all these products on the market with little R&D!?!?!

Who did they buy the ASA from? LOL!??! (Get your money back, Cisco!)

I went to a job interview in February, and they bragged they ripped out the ASAs for Juniper Netscreens... I just thought "this guy just hates Cisco because he wants a GUI, and is a little MCSE baby"... well, now I'm wondering, maybe he is right... going to wait a while before I buy these ASAs.
