Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISA500: SSL VPN stops accepting connections

I was very disappointed to see that this bug is still listed among the known issues in the 1.2.19 firmware release from April 4th, 2014.  This combined with a lack of clear response or direction from Cisco for addressing the Heartbleed vulnerability may force us to explore other SSL VPN solutions.  Please comment if you are in the same situation and let me know what options you are considering.

Everyone's tags (1)
9 REPLIES

Probably not what you want to

Probably not what you want to hear but this product was announced EOL some months ago.  Personally, I switched to a Cisco Meraki MX60 and sell them now instead.  It is a bit more expensive up front at $495 list and a $250 per year subscription and warranty, but maybe not really more expensive in the long run because of the support it comes with and the lack of headaches and ease of management and deployment.

 

http://www.cisco.com/c/en/us/products/collateral/security/small-business-isa500-series-integrated-security-appliances/end_of_life_notice_c51-729351.html

-- please remember to rate and mark answered helpful posts --
New Member

Looks like a great solution.

Looks like a great solution.  Thanks for the tip.  I may consider the MX80 so that we'll have some room to grow.

New Member

I thougth it was listed as

I thougth it was listed as solved issue CSCui21105

http://www.cisco.com/c/dam/en/us/td/docs/security/small_business_security/isa500/release/1-2-19/ISA500_RN_1_2_19.pdf

Am I wrong ?

New Member

Well, it was partially fixed

Well, it was partially fixed there, but issue CSCun53913 is still open under "Known Issues" for 1.2.19, and I'm still seeing the problem at our site a few times a week.

New Member

My Meraki eval unit should

My Meraki eval unit should arrive early next week.

In the meantime, it looks like Cisco is recommending that we evaluate downgrading to 1.2.24 to work around the heartbleed vulnerability issue.  I'm a little nervous about bricking our ISA570W, so I'll wait until the Meraki is up and running before I tinker with it.  I may try stepping backward one release at a time from 1.2.29 .. 1.2.24.

https://tools.cisco.com/bugsearch/bug/CSCuo29778

New Member

Unfortunately, my Cisco

Unfortunately, my Cisco Meraki evaluation is not going well.  I'm seeing almost daily site-to-site VPN issues (tunnels collapse and won't re-connect until I do a full stop/start of the site-to-site VPN).  There's apparently no support for SSL VPN, and my user population has been less than 50% successful at configuring their devices to use integrated IPSEC clients to connect.

Hopefully Cisco will release an ISA500 firmware update soon that addresses both the heartbleed issue and CSCun53913.  In the meantime, please let me know if there's another security appliance that has solid site-to-site and SSL VPN functionality that I should evaluate.

Sorry to hear that.  Have you

Sorry to hear that.  Have you worked with their support?  I have dozens of site to site Meraki "one click" VPNs setup and have never seen an issue.  Maybe you have some other network issue causing them to go down?  It is true there is only simple IPSEC VPN support for clients.  I assume you referred to the client VPN setup doc?  https://docs.meraki.com/display/MX/Client+VPN+settings It describes in detail how to setup clients VPN for various Windows versions and IOS and Android and Mac using built in VPN clients.  Again, I never had issue with this except to choose smart subnets that don't conflict with remote user's networks.  What type of machines are your users using?  You could probably leverage systems manager (Meraki's free MDM) to configure their VPN settings for them automatically.

 

As for ISA updates, I wouldn't hold your breath since they have been end-f-sale for several months already.

 

 

-- please remember to rate and mark answered helpful posts --
New Member

Hi Brandon,I have a couple of

Hi Brandon,

I have a couple of tickets open with Meraki support, but no significant progress towards resolution so far.  Meraki to Meraki probably works very well; however, my eval Meraki is talking site-to-site with an ASA at my hosting provider (I have no control over the remote end), so there's probably a config mismatch somewhere.

The Meraki does a terrible job of providing detailed config visibility (at least to customers).  There's no real-time status to show the state of the site-to-site or client VPN connections either, which is poor in my opinion for a device in this price range.  At least with the ISA500, I could login and see who is currently connected and what site-to-site tunnels are up without having to wade through logs!

I do have a current 3-year support contract for our ISA570W (separate from the 3-years of signatures updates), but I'm probably one of the few customers who purchased one.  Hopefully Cisco will honor this anyway and provide a patch, but I agree that holding my breath is not a reliable strategy...hence my interest in evaluating another device in addition to the Meraki.  Suggestions welcome...

New Member

Well, the good news is that

Well, the good news is that Cisco has apparently fixed the heartbleed issue in firmware 1.2.20 which was released on April 30th.  The bad news is that, according to the release notes, CSCun53913 - SSL VPN stops accepting connections, is still listed as a known issue!  At least I can start using our old ISA570W again if I want.

Unrelated, apparently my site-to-site VPN issues with the Meraki MX evaluation are due to old firmware on the ASA at my hosting provider.  My hosting provider is updating the ASA this weekend, so perhaps things will be more stable from that side next week.

I still hate the fact that the multi-thousand dollar Meraki security appliances lack SSL VPN support.  :-/

247
Views
0
Helpful
9
Replies
CreatePlease login to create content