Going to put down the trusty old PIX 506e and considering replacing it with a SA540. Are there any known VPN configuration 'gotchas' on the SA540 when the ISP-assigned WAN address is static PPPoE?
I don't know about the configuration you are talking about but there are plenty of known issues with the SA540 in general that aren't fixed. And I'm not sure it is a product that you should be considering right now. I have an open ticket that doesn't look like it will be resolved any time soon (it's been a week for the Escalation team to come back and ask what modem I'm using); it is for the inability to connect to a 10MB full duplex line on the WAN port. But as I test it I'm running into other issues like the SSLVPN client not working with Windows 7. This is just a word of caution when looking at this product.
We are working on both of the issues with 10Mbps interfaces on the WAN and Optional port. The next release will have support for SSL VPN on Windows 7.
If you're looking to run any form of VPN I can strongly say DON'T go for any of the SA500 devices yet. They can at best be considered an immature product, and at worst a complete joke.
You will not have access to PPTP or Cisco VPN that you can currently run on your 506e. The only "supported" client right now is the Cisco/Linksys QuickVPN...and it is a major step down from the Cisco VPN client. The VPN setup is rather clunky, and I've seen many many reports of bugs and performance problems with no solutions posted at all.
If you're in need to replace your 506e, go up to the ASA5505....it's a fantastic product that can do everything your 506e can do plus more...
I agree that these are a paperweight at best. We traded in a Fortinet that worked for us for 6 years without fail and now with the SA540 trying to connect to the Cisco in our data centre we are rooted. Wasted over 40 man hours trying to get this working only to find others have identical issues. Only bought because there is a 2 month backorder on the ASA that we wanted.
Upgraded to latest firmware 1.1.21, also with no change. WAN port drops (20M/20M link), device hangs (can't even ping internally and have to reboot after 5 minutes).
We have fixed the majority of VPN fixes found and reported by you.
We have also fixed other issues concerning WAN, IPS, etc.
We are currently testing the firmware and it looks good.
I recommend you try this release, which will be posted in a week.
Appreciate your feedback and support.
Thanks and Regards,
Quite agree with much of the feedback. This product is not mature enough!!!
Something not working ... please wait for new firmware :-(
VPN Clients not working very fine .... At this time, we are looking for other product.
Few docs are pretty well written (https://www.myciscocommunity.com/docs/DOC-15592) but only a workaround !
Please, CISCO teams focus on this product or stop it.
Stephane- I was never able to get the Shrew VPN to work with the SA520 we are testing. I think the way to go is with the ASA series for now.
I did, that's why I started this thread: https://www.myciscocommunity.com/message/43742
It just doesn't work for me. I can set up an ASA in 15 minutes, these "easier" SA units....not so much.
We just got one of these a few days ago and I've been fighting with it for the past day. We have an ancient SonicWall that we want to retire. It was a snap to configure. This SA540 doesn't work no matter what I do. Client can't connect with generic "there's something wrong" error. We only want it for the VPN features, everything else is useless to us, and the one thing we need it for it can't do. And now I'm supposed to sit here and wait for new firmware so that it will work? Pathetic.
I hope CISCO will do best effort to get a real VPN feature on this box.
My old IPCOP is working better than the SA540 and cost less !!!
I can tell you I just couldn't wait the 2+ MONTHS for the potential fix on this product. We had to just have egg on our face with every client we installed one of these for... I'll never get back all the wasted man hours my team put in for this joke of hardware. I knew I wasn't alone when I called our disty about RMA'ing each of these units and they didn't even bat an eye....I'm guessing I'm not the only one that sent these units packing.
We ended up replacing these units with Cisco 871W and the new 861W routers....IOS based and they just work. They lack the Web VPN....but well, in my mind the 540 didn't either :). I have had great results in using the Shrewsoft VPN client with the 800 and above level routers as a workaround for 64bit users on the IPSec platform.
Honestly my faith in the SMB arm of Cisco is very shaken right now....I will be hard pressed to ever consider recommending anything in this product line to another client.
After posting my rant, I went to check for firmware again even though I just upgraded from 1.0.15 to 1.1.21 4 days ago. Lo and behold, new 1.1.42 firmware is there. I'm hoping this fixes all the problems everyone has been complaining about. I'll know myself soon enough.
OK, so I've applied the new firmware (1.1.42) and it's somewhat better but still doesn't work. With the old firmware, it gave me the generic error message upon connection attempt. Now it will connect and go through the motions of authenticating (Activating policy... Verifying network...) but then bombs out with a "Remote Gateway is not responding. Do you want to wait?" error. If I choose to wait, it just comes back with the same thing again and again. The log shows that it failed to ping the remote VPN router several times. If I can't get this going by the end of today, I'm just going to box it up and send it back. I don't have the time to play around with this stuff, and I'm not going to wait a few months until the next firmware update. Another point of interest: my test system is a laptop running Vista. Just in case, I also rigged a Windows Server 2003 box with the same network settings so I can just swap the network cable back & forth between them to test (wall port is connected directly to our external switch so these test systems are live on the net with a public IP.) The WS2003 box still gets the "something's wrong" error while the Vista box gets to the "Remote Gateway is not responding." stage. I don't like how it behaves differently depending on which system it's running on.
Can you check the below on your PC.
Thanks for your reply, Biraja.
On my WS2003 system, Firewall is on and IPSEC is running. This system errors out right away when trying to connect.
On my Vista system, the firewall was off (I had read conflicting documents about whether the firewall should be on or off.) When I re-enable the firewall, I can now get to the stage where it thinks it's connected although the status panel does not tell me if I've been assigned an IP address or not. ipconfig /all doesn't show me anything useful. I cannot RDP to any of the systems on my network either by name or IP address. This Vista system also has a SonicWall VPN client installed on it. I had read that there is a chance it can conflict with the QuickVPN client but I do not know for sure and don't want to upset the settings of the SonicWall client unless I really have to.
Edit: Even though it appears connected, the log shows that it still can't ping the router.
Well, I've wasted enough time on this. It's going back in the box and back to our supplier. An old SonicWall that hangs 2-3 times a week is still infinitely more useful than this piece of non-functional garbage.
Good luck lads. If any one of you can get this stupid thing working, you're a better man than I.
Our saga continues with Cisco trying to help but things go from bad to worse. Our unit now freezes after 10 to 15 minutes when sitting on the test bench with only a LAN cable connected on. Firmware 1.1.36.
Upgraded to firmware 1.1.42 and now the LAN interface won't come up! Perhaps Cisco had a bad manufacturing batch, but this product I would not recommend to my most hated enemy.
Hi Cisco team,
Can you tell us when a real solution will be available to connect any kind of host (XP, Vista, Seven, Linux, 32/64 b) using VPN?
In order to get a full security policy we need a real VPN client, getting an IP for each client (dynamic or that can be fixed).
We have both Microsoft and Linux clients.... any solution ?
Should we stop using such a product ?
I've already wasted 3 days on this nonsense and have given up. My boss is more stubborn, and spent 3 hours on the phone with a tech from the reseller we bought it from, and between them they couldn't get it to work. When I mentioned to him that the time he wasted working with the thing was worth more than what the router cost, he wasn't very happy. And here it sits. I'm sure it will be boxed up and returned this week, unless the boss needs a new, expensive paperweight.
Still having problems with this device ...VPN does not work on Windows 7 64b, no solution for Linux ...
Let's send back the device to vendor or do Cisco wish to honor the label ...
Does anyone think work is done on SA5XX?
Really starting to be fed up with this!
Oh GREAT! I just quoted a client a bunch of them!
I went through nightmares like this with some Linksys voice products and almost took out my Company.
Cisco please speak up here! I've been to 3 Cisco seminars in the last month and they all touted these boxes. I DO NOT want to make a mistake again, just tell us if these are ready for production system or not? I will not beta test production products for Cisco again.
We changed our quote from 5510's to SA 540's for the SSL VPN and the clients were happy with the cost changes, but if you can't deliver 5500's and the SA 500's are not ready for customers, we will have to re-quote with ISR's
Hi Bob, Trust me on this one...there is no way on this earth you're ever going to see these SA540's even get within a whisper of touching the levels on a 5510 with web VPN, even if they were not the buggy POS's that they are.
I'm going through the same pains...been on many a webinar with the SEs from Cisco talking about how great these SA540s are....but they obviously have no real experience with them. If I were you (and I might as well be, I've been in the exact same boat for a couple of months with some of my clients) I would STRONGLY advise you do not try and use the 540 as a replacement for an ASA....you and your client will be extremely pissed with the results. If your client's needs are large enough to require a 5510 nothing in the SBM space would be an adequate substitute anyway.
As a SBM Select reseller of many years I cannot say how DEEPLY disappointed I am in Cisco right now. Between having firewalls on back order for three months, lack of taking ownership of the many problems, and just plain lying about this product, I'm beginning to question how much longer I can recommend them to my client base.
Right now the best (Cisco based) option I could recommend is to replace the units with Cisco IOS routers for your web VPN options. Keep in mind, Cisco has recently changed to a licensing model for WebVPN even on the IOS routers...so you'll want to check out that SKU for your quotes.
Our Cisco is on the way back with an RMA and we are hoping to revert to an ASA unit which is what we were originally sourcing.
It does appear that the product is in the early stages and it has some great potential. I agree though that there appear to be too many issues on what is a relatively simple device.
Yes, it certainly is stunning that these were released when nobody in the real world can get them to work.
Anyone know where I can get an ASA 5505? That's what we originally wanted but could not find.
If you find a source share with the class! I've been searching high and low for months with no luck. I have 1 ASA5505-50 user remaining in stock that I'm holding onto as if it were made of gold right now.
- Chad Monteith
We think we might have a workaround for the QuickVPN client issue. It's not very practical and I'd like to see if anyone else can make it go. What we did was, on the external system that you're trying to VPN from, you need to change your gateway address to the LAN address of the router after you have connected via the QuickVPN client.
Last night we decided to try the SSL VPN functionality and we've got that working OK, although I really don't like using Internet Explorer if I can avoid it. It's only the QuickVPN client that seems to still have problems.