Solved: ASA 5540 FW running version 7.0(5)

cgoolia · ‎08-09-2006

I am upgrading from PIX 6.3.5 to new pair of ASA's tonight. I am wondering if anybody knows of any gotchas I need to be aware of...Also want to know if this version of code for ASA's are stable. Thanks in advance

tom.shiba · ‎08-09-2006

We migrated as well from a couple Pix 520s v. 6.3.5 to ASAs running 7.0.5. I would recommend running them in parallel and migrating your servers and VPNs slowly. We did this and it payed off as I've crashed the ASAs multiple times due to software bugs. The ASAs sound great as they integrate features of the VPN concentrator, IPS, etc however I'm am now a firm believer of seperating those services and running them on different boxes.

We ran into issues connecting EZVPN 831 "NEM" and it is malforming SCCP from the IP phones. We took the chance and upgraded to 7.2.1 hoping that it would resolve it because of enhanced Skinny enhancements. Now stateful failover doesn't work "CSCse81232". So here I go again with another can of worms :)

So in summary if you are just using the ASAs as a basic firewall 7.0.5 is stable. It's not worth the risk to upgrade to the first major release just because of new features.

P.S. If you use the ASDM make sure you hit apply after each change. Don't make a bunch of changes and then hit apply as this will crash 7.0.5. "CSCse22853" This bug was discovered by me and wasn't specific to just DHCP relay cmds.

View solution in original post

Fernando_Meza · ‎08-09-2006

Hi .. I suggest to upgrade to the latest version as it addresses several caveats from prevous version. Also one of the features we did not have with previous 7.x code ( pppoE ) is now available on the latest version - this of course assuming you can make use of it ..

http://www.cisco.com/en/US/products/ps6120/prod_release_note09186a0080688004.html#wp37875

I hope it helps .. please rate it if it does !!!

tom.shiba · ‎08-09-2006

We migrated as well from a couple Pix 520s v. 6.3.5 to ASAs running 7.0.5. I would recommend running them in parallel and migrating your servers and VPNs slowly. We did this and it payed off as I've crashed the ASAs multiple times due to software bugs. The ASAs sound great as they integrate features of the VPN concentrator, IPS, etc however I'm am now a firm believer of seperating those services and running them on different boxes.

We ran into issues connecting EZVPN 831 "NEM" and it is malforming SCCP from the IP phones. We took the chance and upgraded to 7.2.1 hoping that it would resolve it because of enhanced Skinny enhancements. Now stateful failover doesn't work "CSCse81232". So here I go again with another can of worms :)

So in summary if you are just using the ASAs as a basic firewall 7.0.5 is stable. It's not worth the risk to upgrade to the first major release just because of new features.

P.S. If you use the ASDM make sure you hit apply after each change. Don't make a bunch of changes and then hit apply as this will crash 7.0.5. "CSCse22853" This bug was discovered by me and wasn't specific to just DHCP relay cmds.

cgoolia · ‎08-09-2006

thank you very much...just finishing up and all appears well. Yeah we were running VPN's on the device and I migrated them all off 2 weeks ago...Just because I didn't want to have any issues... Thanks for the ASDM tidbit...great to know. Have a good night!

jbrunner007 · ‎08-10-2006

wow WTF!?! It's 2006 and Cisco still seems to drop all these products on the market with little R&D!?!?!

Who did they buy the ASA from ? LOL!??! (get your money back Cisco!)

I went to a job interview in February, and they bragged they ripped out the ASA's for Juniper Netscreens... I just thought "this guy just hates Cisco because he wants a gui, and is a little MCSE baby"... well now I'm wondering maybe he is right... going to wait a while before I buy these ASA's