Thank you for the comments. This has me really confused because the folks over at CDW are telling me that the 5510 will only do 150 IPSec peers IF I have the security plus upgraded installed. Even then they are saying that 7.0 is terrible (then why ship with it?) and I should upgrading to 7.1 in the very least... which requires a Smartnet..

Right now my ASA says I am licensed to 50 (no S.Plus on 7.0)

The upgrade to s.plus is $700 + !!!

So my question is in your experience you have seen the licensing on this device allow for 250 w/o the S.Plus upgrade just running 7.1 ?

THANKS!

Hi,

There a couple of points here which are a bit tricky - the first is the software versioning of PIX/ASA software. If we have a look at how it work in IOS (It would be useful if there was an equivalent paper for PIX/ASA...)

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml

The basic idea is that if you go from 7.0(1) to 7.0(2) you're getting more software fixes and less new features but if you go from 7.0(1) to 7.1(1) you're getting more major new features but less software fixes. On PIX/ASA there seems to be a fairly clear choice between stability and features. Don't forget that the 3 trains have releases independent of each other so it doesn't necessarily follow that the highest numbered release was the latest one, let alone the most stable one. Before 7.2(2) was released last November the latest release was 7.0(6) and we actually standardised on this because all releases above 7.0(6) were giving us issues (especially the 7.1 versions). We're trialling 7.2(2) at the moment and it seems to be as solid as 7.0(6) so that also looks like a good choice.

With that in mind we need to look at the feature sets of the various releases, and currently 7.2(2) gives you 250 maximum concurrent IPsec sessions whether or not you have the Security Plus license. I think this change happened during one of the 7.1 releases. If you only have 7.0 then you get 50 as standard and can upgrade to 150 if you have a security plus license. (With 7.2(2) you still need the security plus license to get failover and vpn load balancing - but not to get the 250 sessions.)

As to upgrading - it's possible 7.0(6) was actually the "latest" release when you purchased your box and unless you specified a particular version when you bought it this is what you normally get (you can ask for any version you like at no charge when you buy it initially). You really need smartnet for the ASA because the standard Cisco warranty is rubbish (90 days only and you wait 10 days for a replacement) so unless it's a test network you're pretty much forced to buy smartnet to be sure of a fast replacement (or any replacement at all after 90 days..) Also, the cost of a smartnet contract for a year if you only need NBD replacement is less than the cost of a one-off software upgrade AND you get to download any version you like for the year AND you can also log calls directly with the TAC.

So, I'd recommend buying a smartnet contract and then go through the release notes to find a suitable release to download - sounds like 7.2(2) might be what you need - at the very least you should be upgrading to get more sessions rather than sticking to 7.0 and buying a security plus license. (Because both the one-off upgrade and the security plus license are probably more expensive than smartnet!)

HTH - plz rate if useful

Andrew.

Thank you for the very detailed and informative response. I am glad to know that I can / should be able to specify what IOS version we need at the time of ordering. Can one order directly from Cisco or must you go through a reseller for this to happen?

What frustrates me is that this was purchased this month and it only came with 7.0 and thus we are limited. I hope this is not standard practice from CDW as when you order a product you expect to have the latest software at that time.

Once again thank you, thank you, thank you. Very good answer!!

Thank you again!

Andrew,

I can't believe a CCIE like yourself

recommanding others to use version 7.2(2).

Pix/ASA running version 7.x is a piece of crap.

7.x is full of bugs. All 7.x versions are

designated as "ED". In other words, they are

"beta" code. 7.0(6) is closed to be GD.

Until then, I would not roll out 7.x in a

production environment. Version 7.1.x and

version 7.2x are extremely buggy. I can

tell you this. Version 7.0.x alone has over

700 bugs.

If you need a real firewalls, go with Juniper

or Checkpoint firewalls. If you decide to

stay with Cisco, use the pix instead of ASA

and run version 6.3(5). At least version 6.3(5) is stable and less buggy.

I can give you an example, in version 7.2(2)-2

you can do "show run + q" to stop the config

and the box reboot. Lovely.

David

CCIE Security

David,

Thanks for your entertaining response - are you suggesting that we should also replace all our supervisor 720 modules? They have a similar number of bugs and also have only ED versions currently. As it happens (in our large service provider network) we run many vendors equipment, including those you mentioned plus many others.

One of the reasons we chose ASA was for the GTP/GPRS inspection code - so I'm interested to hear what your recommendation is for an alternative product?

Most folks on the forums live in the real world and have real world networking issues to be solved and your response isn't helpful in the least - do you refuse to use windows/unix/mac/etc. because of the number of bugs?

Andrew.

Andrew,

I realize that every vendors, checkpoint,

Juniper and cisco have bugs in the code. I am

not a Security expert but I, like yourself,

work for a large service security service

provider and I can tell you that Pix/ASA has

the most bugs that I have run into. Because

of issues like this that I am having a job

that pays quite well so I am not complaining.

That being said, I would think a big player

such as cisco would roll out code that are

reasonable "stable". I would not think that

cisco would roll out version 7.2.2-2 code

that resulted in "show run + q" equal reboot.

That is very poor quality, IMHO.

I've worked with Checkpoint for the past six

years and when Checkpoint roll out NG with AI

R55. In the past 3+ years, they only 18

release patches, called HFAs for version NG

with AI R55. In contrast, within version

7.1.x alone with cisco you have almost like 26

different releases. That I found to be

completely unacceptable.

When I rolled out pix 7.0(6) a few months ago

and I ran into issues, Cisco TAC told me "well

this is ED code, if you want something

go with 6.3(5)". This is 2007 and I don't

want to use 2003 technologies, isn't it too

much to ask from cisco for a stable release?

I do not know anything about GTP/GPRS to make

an educate comment on this topic.

Checkpoint TAC really sucks and I like Cisco

TAC a lot because Cisco TAC is much responsive

to customer need but it seems like Cisco

doesn't know anything when it comes to

security products. When I was preparing for

the Security lab I was using Cisco IDS 4.1,

this product is a piece of junk. It took

almost 5 mins to apply a change and sometimes

it would not accept changes. How can you

call an ASA a secure firewall, when by

default, the "no nat-control" is enabled, and

that traffics from the high level can traverse

the low level by default?

Juniper and Checkpoint would not let you get

away with that. Their mantra is quite the

opposite. Everything is dropped unless

explicitly allowed.

David

CCIE Security

This is the response that I get back from

cisco TAC:

"Hi David,

I passed your previous comments onto the Business Unit Director, and

some others in his team. We are aware of quality issues in the

7.1/7.2 releases which we have been working hard to resolve."

Now if you know that you have quality issues,

why do you still release these codes to the

general public, that I don't understand. I

used to like cisco a lot until they do stuffs

like this.