[c-nsp] Trouble in an ASA migration from CheckPoint

SHAM SHARMA wisesham at gmail.com
Mon May 11 14:01:56 EDT 2009


we just moved to ASA's from checkpoint

- CPU Spike bug is confirmed by cisco .. tht has brought our network
down 3 times so far ...currently we are running 8 0 (4) 28 ... now
cisco is releasing 8 0 (4) 32 and they confident they have fixed cpu
spike issue in it ..

- plus doing changes from ASDM features are not as good as of checkpoint
like u cannot search host/source ip's

users complaining some of the application has become slow after we
shifted to ASA's

it has behaved few times so differntly .. that we are scared of
logging into ... its so un-reliable ..edit a network object and next
moment.. it dies ...

first impression is same ..good marketing but not a solid product



On 5/11/09, Marcelo Zilio <ziliomarcelo at gmail.com> wrote:
> Hi Sham,
>
> I've been working with Cisco Firewalls for the past four years and until now
> they always worked well for me.
>
> The old PIXes before version 7.x really leave to be desired, but the new ASA
> have been greatly improved.
>
> However I have to agree with you in some points (using a lot of public IPs
> in this particular case).
>
> To compare different brands its complicated. There will always be advantages
> and disadvantages in using one or other.
>
> Thanks and regards
> Marcelo
>
> 2009/5/11 SHAM SHARMA <wisesham at gmail.com>
>
> > Agree .. Cisco still has long way to go match with Checkpoint
> >
> > You will notice it as you will go with this transaction .... You will
> > endup in using more public IP's ... finding lot of bugs ... helping
> > Cisco not vice versa
> >
> > Sorry but tht's utter truth ...
> >
> >
> >
> >
> > On 5/11/09, Rubens Kuhl <rubensk at gmail.com> wrote:
> > > On Mon, May 11, 2009 at 10:11 AM, Marcelo Zilio <ziliomarcelo at gmail.com>
> wrote:
> > > > Hi Rubens,
> > > >
> > > > Thanks for your response.
> > > >
> > > > I'm sorry, but I didn't understand what you meant...
> > > >
> > > > Remember IPs 200.1.1.1 and 190.1.1.1 are Internet address and I cannot
> > > > control their DNS resolution.
> > >
> > > Yes we can! :-)
> > >
> > >
> http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html
> > >
> > > In effect, you would answer based on the IP address of the DNS
> > > recursor and not the client itself, but if we are talking big /8s,
> > > that usually has a strong correlation.
> > >
> > >
> > > Rubens
> >
> >
> >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> >
>
>


More information about the cisco-nsp mailing list