Hey guys, I'm running an ISA550W with firmware 1.2.15 on it. I've got a handful of LAN interfaces configured, including two functioning as DMZs (but I didn't see the point of configuring them as DMZs?) - see attached for details.
So far it's working great, but every now and then the only ACL rule I've manually added stops working and cuts off my access to the OOB Mgmt LAN. If I "Reset" the ACL table, the rule immediately starts working again and access is restored.
Has anyone else seen this? Any other options for remediation?
I don't know what hanging means, but you could also set the security level of Production one point higher than OOB, then you don't need any rules.
Please rate all helpful posts
Michael, I appreciate the help but the ISA550 doesn't support custom security levels. You're/I'm stuck with the five that come with the appliance: 0, 25, 50, 75, 100.
Brandon, yes to both! I'm using the AnyConnect client on both Android and iOS and will probably roll out to laptops as well. Is there a documented incompatibility here?
Brandon, strangely enough the ISA550W seemed to work ok throughout the day yesterday but I did upgrade to the newest firmware last night.
Also, just so you know, I had issues adding a new ACL rule a couple nights ago. I'd configure it and click "Save" but when I refreshed it wasn't there. I rebooted the ISA and tried again and it worked. I think there's something funny going on in the ACL code on this box...
Either way, it seems to be working ok today but I'll keep you posted.
Thanks Brandon. So far I'm really impressed with this little box. I never played with the SA520 but I'm pretty happy to have AnyConnect/Mobile included on an SMB product!
The ISA550W is acting up again. Outbound Internet access is working but none of my DMZs are accessible any more. I've got a Cisco Meraki security appliance on the way so I think I'm going to have to swap the ISA for my spare 5505 until the Meraki gets here or the issues are resolved. I even tried rebooting the appliance 4 hours ago but DMZ traffic is still not passing.
It's a real shame. I've been thrilled to use AnyConnect to access my ESXi host remotely but it doesn't do me any good if the appliance is randomly dropping connections and ignoring firewall rules. Doesn't Cisco test these things before releasing them for sale?
Do you have logs surrounding attempts to access devices on the DMZ? Can you gather the System Diagnostics surrounding when this is seen? It may be a good idea to open a case with SBSC for this.
Brandon, I just checked my purchase records and usually (as a Channel Partner) I buy SMARTNet on everything but somehow I forgot to get it on my ISA550. On one hand it's only $50 to get it covered but on the other it seems like people on these forums are returning their ISAs left and right because they're not up to snuff. Why pay $50 to get coverage on a device just so TAC can agree that it's broken?
Now I know how my customers feel sometimes...
PS I can definitely pull some logs though. Let me boot everything up and see what I can get.
1 year of phone support is included with the ISA500 series. Support is 8x5 (M-F 9am-6pm local time).
The contract gets you 3 years of support plus Next Business Day replacement if necessary.
Please call and open a case so we can help you get the issue resolved. Please reference this post when you call.
Marty, I had completely forgotten about that. Thanks for the reminder!
I'm thinking of starting a hosted/managed services practice within my business so I'm REALLY hoping the ISA550/570s stabilize in the next few firmware releases. I'd love to use them as our go-to WAN router!
Looking forward to opening up that case tomorrow...
Marty, I called the SBSC and they said my config looked fine. The only suggestion they had was to run a remote Syslog server to catch logs with
What is your case number? Normally, we like to get logs surrounding when this is seen along with System Diagnostics. Logs to a syslog server are good too as they can show what is going on leading up to when this is seen. Depending on what we see in the logs, we can look at other things, too.
SBSC Case 626677317
My engineer closed the case (with my permission) but said I could re-open within 10 days. I'll try to get Syslog up and going by tomorrow. Things have been running well for a couple days now so I'm due for another traffic failure pretty soon...