ASA 5516-X Intermittent Downtime
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service is for.Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service is for.Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
It's a low end Cisco ASA. Why would they want to buy another one of those when then could get 8 better performing Ubiquiti Edgerouter Pros for the same price?
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service is for.Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
Depends on cost of downtime vs cost of a new ASA.
-
@travisdh1 said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service is for.Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
It's a low end Cisco ASA. Why would they want to buy another one of those when then could get 8 better performing Ubiquiti Edgerouter Pros for the same price?
Because it's too much work to change when your under a time constraint. And you have no clue what kind of issues you are going to run into and how long it will take to sort it out.
And if they want HA, which it sounds like they should, Edgerouter is a no-go.
It can do VRRP but it can't sync connections or configuration so it's basically useless for anything mission-critical. -
@Pete-S said in ASA 5516-X Intermittent Downtime:
@travisdh1 said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service is for.Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
It's a low end Cisco ASA. Why would they want to buy another one of those when then could get 8 better performing Ubiquiti Edgerouter Pros for the same price?
Because it's too much work to change when your under a time constraint. And you have no clue what kind of issues you are going to run into and how long it will take to sort it out.
And if they want HA, which it sounds like they should, Edgerouter is a no-go.
It can do VRRP but it can't sync connections or configuration so it's basically useless for anything mission-critical.Where are you getting the need for HA from what @Jimmy9008 has said so far?
With the Edgerouters you buy 2, set the config for both and put the extra one on the shelf. If you can't afford 5 minutes of downtime, you shouldn't be using an ASA in the first place.
Edit: And with buying 2 Edgerouters, you still save tons of money on the purchase price!
-
@travisdh1 said in ASA 5516-X Intermittent Downtime:
Where are you getting the need for HA from what @Jimmy9008 has said so far?
From this: "Overnight around 3am, all office locations globally lose access to London".
And from this: "I get a call at about 4am"
5516-X is a midrange device. I've mostly used the older series but there is nothing wrong with the ASA. If it's fast enough for the WAN link, it will get the job done.
-
@coliver said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service is for.Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
Depends on cost of downtime vs cost of a new ASA.
Cost of downtime would have to be INSANELY high to outweigh the cost of a new Cisco anything.
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
@travisdh1 said in ASA 5516-X Intermittent Downtime:
Where are you getting the need for HA from what @Jimmy9008 has said so far?
From this: "Overnight around 3am, all office locations globally lose access to London".
That really doesn't tell us anything about the business need, which is what determines the need for HA anything.
From the little we know, the business already decided that they do not need router level HA.
And from this: "I get a call at about 4am"
This is more an issue with @Jimmy9008 not setting realistic expectations with management. If management signed off on having a single firewall, then he shouldn't be working on it at 4am.
-
@travisdh1 said in ASA 5516-X Intermittent Downtime:
If you can't afford 5 minutes of downtime, you shouldn't be using an ASA in the first place.
You mean it takes 5 minutes from the time something stops working until the users have noticed and told their manager, who then managed to get hold of the right people, and then in turn had to call the guy who could get the job done, who would be immediately available to commute or drive or take a cab to work and do the troubleshooting and finally replace the firewall?
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
@travisdh1 said in ASA 5516-X Intermittent Downtime:
Where are you getting the need for HA from what @Jimmy9008 has said so far?
5516-X is a midrange device. I've mostly used the older series but there is nothing wrong with the ASA. If it's fast enough for the WAN link, it will get the job done.
You call that sort of performance a midrange device? The performance of that thing blows chunks. An ER-X is actually comparable! (I'm looking at the stats from https://www.serversupply.com/NETWORKING/SECURITY APPLIANCE/8 PORT/CISCO/ASA5516-FPWR-K9.htm?gclid=CjwKCAiA__HvBRACEiwAbViuUyJP0tx0HO8VIcuyQNsMpI6LeD0m_1d1X0GTUAV9heQJUGX0dyap2xoCqGIQAvD_BwE)
-
@travisdh1 said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@travisdh1 said in ASA 5516-X Intermittent Downtime:
Where are you getting the need for HA from what @Jimmy9008 has said so far?
From this: "Overnight around 3am, all office locations globally lose access to London".
That really doesn't tell us anything about the business need, which is what determines the need for HA anything.
From the little we know, the business already decided that they do not need router level HA.
And from this: "I get a call at about 4am"
This is more an issue with @Jimmy9008 not setting realistic expectations with management. If management signed off on having a single firewall, then he shouldn't be working on it at 4am.
On the contrary, it tells us a lot about the business needs. Since the business decided to call him in the middle of the night, someone decided the firewall was important enough for them to do that, instead of waiting until the morning.
Maybe nobody brought up the HA option when the firewall was put in place or the need wasn't there at the time.
-
@travisdh1 said in ASA 5516-X Intermittent Downtime:
You call that sort of performance a midrange device?
No, Cisco calls the ASA 5500-X Series a "next-generation midrange security appliance".
And the most obvious thing here is - how fast is the WAN link?
Performance doesn't matters if the link isn't faster than what the firewall can handle. -
@coliver said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service is for.Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
Depends on cost of downtime vs cost of a new ASA.
Unless the ASA is like $50K, it's likely much less in almost all cases - that said, i still RARELY hear about anyone in the SMB space having a spare, let alone a HA config.
-
@RojoLoco said in ASA 5516-X Intermittent Downtime:
@coliver said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service is for.Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
Depends on cost of downtime vs cost of a new ASA.
Cost of downtime would have to be INSANELY high to outweigh the cost of a new Cisco anything.
Downtime is generally either costless, or insanely high.. it's rarely a middle ground.
For example, in my case, for the surgical side - it's super high because all new surgeries stop until the system is restored. But on the clinic side - it's nearly costless because we just convert to paper and scan documents in later when the system is back online. otherwise we see patients as normal.
-
@Dashrender said in ASA 5516-X Intermittent Downtime:
@coliver said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service is for.Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
Depends on cost of downtime vs cost of a new ASA.
Unless the ASA is like $50K, it's likely much less in almost all cases - that said, i still RARELY hear about anyone in the SMB space having a spare, let alone a HA config.
Don't forget the additional cost for having an active service agreement (you already overpaid for shitty hardware, now give us more blood money so your shitty firewall keeps working... shittily).
And also, in case I hadn't mentioned it already.... FUCK CISCO.
-
@travisdh1 said in ASA 5516-X Intermittent Downtime:
This is more an issue with @Jimmy9008 not setting realistic expectations with management. If management signed off on having a single firewall, then he shouldn't be working on it at 4am.
I think this is overstating it. Nothing wrong with him being oncall for a problem like this. it's the situation where he can't afford 5 min of downtime that would move to the HA setup...
-
@Dashrender said in ASA 5516-X Intermittent Downtime:
@travisdh1 said in ASA 5516-X Intermittent Downtime:
This is more an issue with @Jimmy9008 not setting realistic expectations with management. If management signed off on having a single firewall, then he shouldn't be working on it at 4am.
I think this is overstating it. Nothing wrong with him being oncall for a problem like this. it's the situation where he can't afford 5 min of downtime that would move to the HA setup...
I'm with you here. The oncall bit is their recovery operation. Nothing about him being called in at 4AM tells me they need HA.
-
@RojoLoco said in ASA 5516-X Intermittent Downtime:
@Dashrender said in ASA 5516-X Intermittent Downtime:
@coliver said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service is for.Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
Depends on cost of downtime vs cost of a new ASA.
Unless the ASA is like $50K, it's likely much less in almost all cases - that said, i still RARELY hear about anyone in the SMB space having a spare, let alone a HA config.
Don't forget the additional cost for having an active service agreement (you already overpaid for shitty hardware, now give us more blood money so your shitty firewall keeps working... shittily).
And also, in case I hadn't mentioned it already.... FUCK CISCO.
sure - but still, compared to downtime that actually costs money - you're likely talking about $100's of thousands.
Plus, nothing says you have to do Cisco HA, there are other options.
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
@travisdh1 said in ASA 5516-X Intermittent Downtime:
You call that sort of performance a midrange device?
No, Cisco calls the ASA 5500-X Series a "next-generation midrange security appliance".
That makes more sense. Just about every networking company calls s*** hardware "state of the art". At least Ubiquiti tells you what the box can actually do.
And the most obvious thing here is - how fast is the WAN link?
Performance doesn't matters if the link isn't faster than what the firewall can handle.I don't care, it's an ASA, therefor by definition was way to expensive, and is way to expensive to keep operational. @RojoLoco's blood money. Better to replace the thing so soon as the current support agreement runs out.
Let me repeat, the hardware is fine. It's the purchase price and ongoing pay to keep it working that is the major issue with all Cisco ASA anything I've worked with.
-
@travisdh1 said in ASA 5516-X Intermittent Downtime:
Better to replace the thing so soon as the current support agreement runs out.
Not sure I agree with even that - replace with UBNT now, toss a spare on the shelf, and have less worries, concerns going forward.. no waiting on the cisco repair crew.
