[H/W] Cisco pfSense Replacement?

MattE (Premium, join: 2003-07-20, Jamestown, NC):
Hello all,
We're a growing ASP who hosts about 15 servers hanging off a 100Mbps connection in a data center. The servers range from Web Application Servers to an internal Exchange email server.
Right now, our main router/firewall/IDS is a dedicated IBM xSeries 306m running pfSense w/ Snort for IDS.
I am tired of "tweaking" this damn box and having to fix things that should Just Work™. Snort is the major PITA right now, but I'm also having trouble with the firewall blocking outbound connections because we apparently generate more connections than an internal threshold allows, but no one can tell me what that threshold is. (We do stock market transactions, so when a client logs into our app, we might generate anywhere from 100 to 300 outbound connection requests to our data provider, per login.)
We don't have a ton of money, but I'd like to move to a Cisco all-in-one box that will replace our pfSense box, be more reliable, and provide the following must-have features:
• Transparent Firewalling
• Intrusion Detection System w/ Automatic Blocking
• IPSec VPN (Inbound to RRAS Server) Passthru Capability
• Web-based configuration management and reporting of IDS, firewall logs
Does Cisco offer a product that can do this? Is the sticker shock going to make me spit my coffee on the screen? I could forgo the transparent firewall if 1:1 NAT is supported VERY well.
Thanks for any insight you can offer.
aryoba (Premium, MVM, join: 2002-08-22):
ASA 5510 firewall or 2811 router comes to mind ...
MattE (Premium, join: 2003-07-20, Jamestown, NC):
said by aryoba: "ASA 5510 firewall or 2811 router comes to mind ..."
I'm reading up on the ASA 5500 Series now actually.
Since we don't have any users behind the box and will use it as a firewall for our servers, do I need to worry about the number of users? What about the IPSec VPN peers?
»www.cisco.com/en/US/prod/collate···ba8.html
All of those seem to be in my price range. Do any of those include the AIP (»www.cisco.com/en/US/products/ps6···dex.html) module? I'm guessing no?
sporkme (Premium, MVM, join: 2000-07-01, Netcong, NJ), reply to MattE:
While you're waiting on the replacement, bump up the state table and make sure you're running the latest 1.2 release. (System->Advanced-Firewall Maximum States)
How many state entries are you peaking at now?
MattE (Premium, join: 2003-07-20, Jamestown, NC):
said by sporkme: "While you're waiting on the replacement, bump up the state table and make sure you're running the latest 1.2 release. (System->Advanced-Firewall Maximum States) How many state entries are you peaking at now?"
Nowhere near the 10000 limit. I've never seen it higher than 800 states, with 2-4% CPU usage and like 4% memory.
And yep, this is the latest 1.2 release. It was just installed 2 months ago or so.
MattE (Premium, join: 2003-07-20, Jamestown, NC), reply to MattE:
I'm being told that the ASA doesn't support forwarding the correct protocols/ports to a MS RRAS server for IPSec/L2TP VPN capability. I am being told I HAVE to use the Cisco VPN client and the ASA as the client VPN endpoint.
Is this true?
sporkme (Premium, MVM, join: 2000-07-01, Netcong, NJ), reply to MattE:
said by MattE: "Nowhere near the 10000 limit. I've never seen it higher than 800 states, with 2-4% CPU usage and like 4% memory."
Something is amiss then if every client login causes 300 outbound connections and you don't peak over 800 states. Just a handful of logins should bring you near the 10K default max - the state entries linger a bit.
It certainly wouldn't hurt to bump that up to 50K or so to see what happens while you wait on the new hardware.
MattE (Premium, join: 2003-07-20, Jamestown, NC):
said by sporkme:
  said by MattE: "Nowhere near the 10000 limit. I've never seen it higher than 800 states, with 2-4% CPU usage and like 4% memory."
  "Something is amiss then if every client login causes 300 outbound connections and you don't peak over 800 states. Just a handful of logins should bring you near the 10K default max - the state entries linger a bit. It certainly wouldn't hurt to bump that up to 50K or so to see what happens while you wait on the new hardware."
It actually happened again today. I'm talking with our developer now and it appears there is "retry logic" in the code that retries in a 5 batch loop, INDEFINITELY, if there is any sort of error. I think that is triggering the outbound issue.
I was on the FW when it happened today and the states were hovering around 450, then the firewall log went crazy blocking connections outbound to the same individual destination IP from 2 of our servers.