There is a newer firmware version available for the SA500 series product and it's not beta! For some oddball reason it's not posted on the site but tech support emailed it to me.
Message was edited by, Cindy Toy, Cisco Small Business Support Community Manager: This f/w was removed since it is beta. Please call the Cisco Small Business Support Center if you would like to receive a copy of this beta version: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html#csb
Can you please let me know what issues are addressed in this Beta as I have a SA 520W that I am about to RMA to CDW as this product is not performing the VPN function as I had intended it to when I purchased it.
I would like to stick with Cisco and this product but see no resolution to my problem. My intention is to RMA this device and purchase a Sonic Wall appliance.
Many issues will be fixed in the upcoming release which will be available in a week or two.
Release notes will be posted along with it where you can see what issues have been fixed.
I recommend you to try that firmware to see if it resolves your problems.
Thanks and Regards,
As I said I am considering returning this device as I am on a clock that started when I purchased this device from CDW. If I am to apply for an RMA and get an authorized return I have to do it within the next few days as I have been trying to resolve VPN issues with tech support, who by the way had no idea there were firmware issues. If the VPN issues I am having appear to be fixed in the new version then I would consider risking the wait.
If I can get the release notes I could make a decision as to if I should keep and fix this device or RMA it and go with another vendor.
If there is any possibility of getting the new firmware as well that would be great. You may email it to me at this account address. Please include a digital signature if you send the firmware.
Please open a case with the Small Business customer support and ask for the beta firmware to test.
Please let them know your urgency.
I have a ticket open and they were unaware of any firmware updates, beta or otherwise. The ticket is SR 613888825. As I said I am on the clock.
I looked up your case number 613888825. Please call the SBSC at 18666061866. Your case is not in our queue or our escalation team queue and we are the ones that work on this device. If you call in we can see about moving it into our queue for escalation for the beta firmware.
Sorry, I referenced the original ticket I had when I began my configuration and identified a couple of issues. The VPN issue I had that got escalated was 613944183. I never received a call back on it either. I finally called back myself.
Al, this is a little too little too late. I have arranged a RMA from CDW for the SA 520W. In my opinion this is not a Small Business or Pro rated device. It is merely a Linksys router with a stronger radio installed and really not that much stronger.
My issues with this began shortly after I purchased. It was purchased for a client that I have been working with for at least eight years, fortunate for me since I have had such a long relationship with this customer he is also a friend and understood my issues. Understanding also that I do small business IT support part time in the evenings. My day job is a Security Engineer for a large Government organization. The first issue I ran into was with the wireless. That all being said the small business network I was working on has a Microsoft SMB Server 2003 R2 domain and integrated active directory. The IP subnet integrated with AD is the 192.168.1.0 network. As the Internet Gateway the network had a Symantec Small Business Security Appliance. Over a year ago Symantec got out of the Security Appliance business and I thought it time to replace it and get something that had a more robust support community. The Symantec Appliance did Firewall and VPN very nicely. The Symantec VPN client was proprietary but worked very well creating a secure tunnel and assigned that tunnel an actual IP address on the small business network. So wanting to get something with a good support community and in the line of a Small Business or Professional Grade Security appliance. I found the Cisco SA 520W. I was also looking at deploying wireless for the Small Business so this sounded perfect. Like I said before in my day job I work for a big organization we use many Cisco products and have invested in larger ASA VPN servers, routers from the 5000 series all the way to the newer data Center Nexus 7000 series. So I thought I could not go wrong with the SA 520W Small Business Pro.
I assumed incorrectly. The first time I plugged it in out of the box I proceeded to upgrade the firmware to version 1.1.21. That went well. I proceeded to configure it and noticed some things that concerned me. First the interface is almost identical to the Linksys I use at home. Second there was no evidence of a deny by default rule in the firewall for traffic coming from the WAN port. That is a bad idea. Even enterprise firewalls come out of the box with that.
I placed my first call to tech support because the Wireless would connect but I could not get an IP address from my DHCP server on the SMB Server on the 192.168.1.0 network. I spent several hours working with tech support. I must say the tech support that you get on the phone has been the only shining light in all this, that and the response in the forums. Anyway we spent a lengthy time on the phone (that was the first ticket number I gave, sorry for the error.) with no answer to my problem and it was escalated. I never heard back. Although the next day I figured out the problem. The wireless clients are by default added to VLAN 25 on SA not the default VLAN 1. Routing by default is turned off between VLAN 25 and 1. After I turned on routing and DHCP forwarding it worked fine. I eventually decided to delete VLAN 25 and after I figured out how to do that the Wireless clients then automatically joined on VLAN 1 and did not need DHCP forwarding.
Problem 1 fixed no thanks to Cisco tech support.
Next I tried to configure the VPN. As I said I use the network 192.168.1.0. The SA 520W when following the instructions included with SA. It all went fine until I went to add user to the VPN User Database and selected QuickVPN. It gave me an error that included some message about this was not acceptable and that it was changing the LAN gateway address to 10.x.y.z. And you need to answer yes or no to this. If you answer no the User is not/will not be added to the database. If you answer yes the SA reboots and you lose connection to the SA and the ability to connect to it again on the 192.168.1.x address. I assumed from the error that I would be able to connect on 10.192.1.x. Not so. I later found out it is 10.50.54.1, where does that get pulled out of? I found none of this information in the SA 520W documentation, admin guides, or forums. I found this disturbing, for a small business device this is unacceptable.
Anyway I found out that Cisco engineers had disabled the use of the 192.168.1.0 network because the QuickVPN software writers had determined the IP network was too common. I did not understand this until later. I opened another ticket for this issue 613944183. It was escalated. I never heard back on this as well. Again I found none of this information in the SA 520W documentation, admin guides, or forums, again disturbed.
I thought I figured out a work around on my own. I reconfigured the SA using the default IP address from the SA as VLAN 1 and created VLAN 2 with the 192.168.1.0 network and an appropriate default gateway. And then enabled routing between the networks. This all worked fine. I then went back created the VPN policies as directed in the admin guide. Then went and added a user in the VPN User Database. It worked. I thought great. I am on my way. Not so.
What I discovered then again with a call to the Tech Support line after an hour of trying, that QuickVPN does not support this. QuickVPN does not assign an IP address to your local client VPN host on the remote network. It does something similar to IP bridging and will only talk to the Default VLAN, VLAN1. Unable to talk to any devices on any other VLAN. Why have VLAN capability then? Again none of this in any documentation anywhere. Thus in my opinion rendering the SA 520W useless.
Again I must say the features of the SA 500 series as I see them are those of a device meant for the home user market, not a professional or business solution by any means. As a small business support provider I will not be using this series again. I may use an ASA 5500 series, but never these. The only solution in this line and market is the SonicWall TZ 210. In the documentation for the SonicWALL it specifically says what and how it supports each one of the issues I mentioned. I will be more careful when buying this kind of solution in the future and will not make this mistake again.
May I suggest you advertise the limitations of these devices in the documentation, provide better support, and not market these for a business solution.
Thanks for your time and effort. Thanks for reading this if you do. Maybe somebody can learn from my mistake. Maybe Cisco will improve this product. I certainly feel better getting this off my chest.
R. T. Koch, CISSP
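The usual reason a very common LAN range such as 192.168.1.0 causes trouble behind a remote-access VPN is that it overlaps the network the remote client is already sitting on, so the client cannot tell local hosts from hosts at the far end of the tunnel. The following is an added example, not part of the thread and not Cisco's code, that checks a site's LAN ranges for that overlap; the /24 prefix lengths, the client address and the list of common home ranges are assumptions constructed for illustration.

```python
import ipaddress

# Constructed list of LAN ranges that consumer routers often ship with.
# This is an assumption for the example, not taken from Cisco documentation.
COMMON_HOME_LANS = [
    ipaddress.ip_network(n)
    for n in ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/24")
]


def vpn_route_conflicts(site_lans, client_lan):
    """Return the site networks that overlap the LAN the remote client is on.

    For those networks the client's own connected route competes with the
    tunnel route, so traffic meant for the office may never enter the tunnel.
    """
    client = ipaddress.ip_network(client_lan, strict=False)
    return [
        str(net)
        for net in (ipaddress.ip_network(s) for s in site_lans)
        if net.overlaps(client)
    ]


def audit_site(site_lans):
    """Map each site LAN to the common home ranges it collides with."""
    report = {}
    for lan in site_lans:
        net = ipaddress.ip_network(lan)
        report[str(net)] = [str(h) for h in COMMON_HOME_LANS if net.overlaps(h)]
    return report


if __name__ == "__main__":
    # The two ranges named in the post; the /24 masks are assumed.
    site = ["192.168.1.0/24", "10.50.54.0/24"]
    # Constructed client: a laptop on a home network using the same range.
    print(vpn_route_conflicts(site, "192.168.1.37/24"))
    print(audit_site(site))
```

Running an audit like this before choosing the office addressing plan shows which ranges will collide with typical remote-worker networks, whatever VPN product is deployed.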
Without going into too many details about the firmware before the release notes come out, there were a few VPN bugs that are being fixed in the new release.
Well when I got this updated firmware from Tech Support they told me that it was not beta and that they were not allowed to give me the beta version. Thanks for taking the time to clarify my error.
I tried this and it doesn't fix the VPN issues. Since there are no ASA's available from disti's anywhere, we have become a Sonicwall partner and will now be selling that product instead. We lost a lot of face with clients recommending this device as well as other cisco small business products. If you have been struggling with this for a while, I'd recommend cutting your losses and going with another manufacturer. We will continue to push high-end switching, routing, wireless, and voice, however this small business stuff is just not ready for market.
Can you give me more information on the VPN issues you found with 1.1.36 firmware?
We are fixing all major issues reported and trying to deliver better quality firmware in a short time (1 week or so).
98% CPU usage on two site to site tunnels with no traffic. Pretty much the same behavior as any release above 1.0.17. Web interface usually locks up, then the unit reboots itself eventually.