[c-nsp] Trouble in an ASA migration from CheckPoint

Peter Rathlev peter at rathlev.dk
Mon May 11 16:44:56 EDT 2009

On Mon, 2009-05-11 at 14:01 -0400, SHAM SHARMA wrote:
> - CPU Spike bug is confirmed by cisco .. that has brought our network
> down 3 times so far ...currently we are running 8 0 (4) 28 ... now
> cisco is releasing 8 0 (4) 32 and they confident they have fixed cpu
> spike issue in it ..
> - plus doing changes from ASDM features are not as good as of checkpoint
> like u cannot search host/source ip's
> users complaining some of the application has become slow after we
> shifted to ASA's
> it has behaved few times so differently .. that we are scared of
> logging into ... its so un-reliable ..edit a network object and next
> moment.. it dies ...
> first impression is same ..good marketing but not a solid product

I would tend to disagree. I have no operational experience with the 8.x
release, but for us the 7.2 release for ASA and the 3.1 release for FWSM
have been extremely stable and without any problems across several
systems. They aren't doing anything fancy of course, just firewalling,
NAT and IPSec VPN. I personally don't use ASDM but those of my
colleagues that do have not experienced any problems with it. I would
even go so far as to say that I am impressed with how nicely it treats
the configuration, leaving it in a usable state after editing.

Release 8.0 may not be the very latest, but it's not very old either and,
as Tony implies, running an interim release might not be the best way to
achieve stability.

Maybe the ASA platform is not the most flexible around but it does
follow some logic. In an operational context I'd personally prefer a
more flexible system (like netfilter), but if I were to design something
new that someone else had to support I would go a long way to avoid a
setup like what OP describes. Just as I would try to avoid PBR unless it
was really unavoidable.

