[Config] Heads Up: Cisco disables FirePOWER in 5506 & 5512 - ASA 9.10/FTD 6.2.3

train_wreck (Member):

Like the title says. Cisco has decided to disable the FirePOWER module on the 5506-X and 5512-X in the latest versions of the firmware (9.10 on ASA, 6.2.3 on Threat Defense). The release notes mention "memory constraints". Note that it removes the related FirePOWER configurations, so if you downgrade to get Sourcefire back you will need to re-configure.

Kind of stinks for people with these devices, since it largely erases the "security" features that make them worth buying, but then again the performance for FirePOWER services was never great for anything but the smallest of networks. I wonder if an EOL for these devices might be coming soon?

markysharkey (Premium Member):

said by train_wreck:

I wonder if an EOL for these devices might be coming soon?

Or a new hardware version with a better processor/ASICs...

HELLFIRE (MVM) to train_wreck:

Thanks for the heads up. Just to ask, is there an official link for this, just out of curiosity, train_wreck?

And while I get it for the 5506X and a dinky little Atom CPU, an Intel Clarkdale CPU can't handle ANY sort of IPS duties?
»community.cisco.com/t5/s ··· /3665136 -- CPU reference guide for the ASA / ASA-X line here.

Regards

train_wreck (Member):

I saw it in the release notes for ASA OS 9.10 »www.cisco.com/c/en/us/td ··· 910.html
said by the notes:

No support in 9.10(1) for the ASA FirePOWER module on the ASA 5506-X series and the ASA 5512-X—The ASA 5506-X series and 5512-X no longer support the ASA FirePOWER module in 9.10(1) and later due to memory constraints. You must remain on 9.9(x) or lower to continue using this module. Other module types are still supported. If you upgrade to 9.10(1), the ASA configuration to send traffic to the FirePOWER module will be erased; make sure to back up your configuration before you upgrade. The FirePOWER image and its configuration remains intact on the SSD. If you want to downgrade, you can copy the ASA configuration from the backup to restore functionality.

And RE: the larger CPU device, they say it's due to memory limits, not CPU. Sure would have been nice to have upgradeable RAM then...
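The release note quoted above says the upgrade erases the ASA-side configuration that sends traffic to the module and that a downgrade restores it from your backup, so it is worth knowing exactly which statements in that backup are involved. The following is an added example, not code from the thread or from Cisco; it assumes the usual ASA CLI shape for module redirection (an "sfr fail-open" / "sfr fail-close [monitor-only]" action under a policy-map class that matches an access-list), which the thread does not quote, and runs over a constructed configuration:

```python
"""Find the ASA-side FirePOWER (sfr) redirection statements in a config backup.
Assumed ASA CLI shape (not quoted in the thread): "sfr fail-open|fail-close
[monitor-only]" under a policy-map class matching an access-list. Sample is constructed."""
import re

SAMPLE_CONFIG = """\
access-list sfr_redirect extended permit ip any any
class-map sfr_class
 match access-list sfr_redirect
policy-map global_policy
 class inspection_default
  inspect dns
 class sfr_class
  sfr fail-open
service-policy global_policy global
"""


def parse_blocks(config_text):
    """Group indented lines under the column-0 statement that opens them."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank or comment line
        if raw[0] != " ":
            blocks.append((raw.rstrip(), []))
        elif blocks:
            blocks[-1][1].append(raw.rstrip())  # leading indent is significant
    return blocks


def find_sfr_redirection(config_text):
    """One record per policy-map class that hands traffic to the sfr module:
    the statements a 9.10(1) upgrade erases and a downgrade must restore."""
    blocks = parse_blocks(config_text)
    acl_entries, class_acl = {}, {}
    for head, body in blocks:
        acl = re.match(r"access-list (\S+) ", head)
        if acl:
            acl_entries.setdefault(acl.group(1), []).append(head)
        cmap = re.match(r"class-map (\S+)$", head)
        for line in (body if cmap else []):
            m = re.match(r" match access-list (\S+)$", line)
            if m:
                class_acl[cmap.group(1)] = m.group(1)
    findings = []
    for head, body in blocks:
        pmap = re.match(r"policy-map (\S+)$", head)
        if not pmap:
            continue  # "policy-map type inspect ..." never carries sfr classes
        current_class = None
        for line in body:
            cls = re.match(r" class (\S+)$", line)
            if cls:
                current_class = cls.group(1)
                continue
            act = re.match(r"  sfr (fail-open|fail-close)(?: (monitor-only))?$", line)
            if act and current_class:
                acl_name = class_acl.get(current_class)
                findings.append({"policy_map": pmap.group(1), "class": current_class,
                                 "action": act.group(1), "monitor_only": bool(act.group(2)),
                                 "acl": acl_name, "acl_entries": acl_entries.get(acl_name, [])})
    return findings
```

Run it over the backup taken before the upgrade; if it returns nothing, the backup does not contain the redirection and a downgrade will not get the module path back on its own.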

HELLFIRE (MVM) to train_wreck:

Hmm, interesting. Thanks for that, train_wreck. And yeah, totally agree WRT the memory issue.

Regards

wavelength (Member) to train_wreck:

I smell a potential lawsuit from some customers on this move.

A lot of people bought these models for smaller locations to have the visibility of FirePower.

train_wreck (Member):

TBH I was thoroughly unimpressed with FirePower. I was able to compare it directly with a Fortigate 30E in front of my mail server, and the Fortigate blocked way more threats, and was considerably faster as well.

HELLFIRE (MVM):

Guessing this was an ASA5506X vs the Fortigate 30E, train_wreck? Or a higher-end model ASA?

And just to ask, got any perf graphs of the performance of the two, if they aren't under NDA?

Regards

train_wreck (Member):

Yeah, a 5506-X vs Fortigate 30E. The Fortigates really are slick devices. I don't have any graphs available, but I do remember enabling SSL inspection and getting bandwidth of around 90 Mbps. Pretty damn good for a device in this price/feature range. I tend to find that Fortinet is much more honest than Cisco on their data sheet perf estimates.

HELLFIRE (MVM):

said by train_wreck:

I don't have any graphs available

Ahh rats! I'd've loved to have seen them if you had some available. Thanks for the POV on the 30E. Good to know...

Regards

markysharkey (Premium Member) to train_wreck:

I agree with train_wreck on the Fortigate analysis. I swapped from ASA to Fortigate a while ago. I'm not seeing anything from Cisco that will convince me to return to the fold.

wavelength (Member):

said by markysharkey:

I agree with train_wreck on the Fortigate analysis. I swapped from ASA to Fortigate a while ago. I'm not seeing anything from Cisco that will convince me to return to the fold.

It is so nice to see people say this... The "buy Cisco because it's safe" mantra so oft encountered in IT is tiring.

I just switched jobs to an unabashed Cisco shop (ASAs, Firepower, UCS, Nexus and now, sadly, ACI) after having worked in two Palo Alto shops. I feel like I've lost all sorts of visibility, and the interface, feature set and product seem a couple of years behind what I am used to with Palo Alto.

Sadly, I doubt features and performance would sway them, especially when the TAM walks in and drops a massive discount.

hardstyler (Member) to train_wreck:

WOW! So from the start the 5506 had no switching capabilities, which were then introduced with a later firmware. Now they deactivate FirePOWER services due to a memory issue. And if you buy the SEC version you pay 900 Euro!

Cisco for me is really good for manuals, certifications and lessons about networking, and for their top switch models, but for other products it was and is not so "big".

I spent years choosing the right firewall for me, with defences beyond simple packet inspection, and always chose other brands for the cost and the features provided!

They introduce new ISR routers, for example: the 1100 series is good, but the new 900 series? Have you seen the throughputs? We are in 2019; day by day there is less ADSL and more VDSL2+ or, better, FTTH, also for home users.

The new Cisco ASA series, when and if they ever release it, needs a serious upgrade, with an ideal starting throughput of 500 Mb/s with all FirePOWER services activated, and prices adjusted downward. Cisco is no longer such a best buy for a lot of products, and the first thing I mean is not the prices but the features and performance!

Trump, if you want to beat China, you must admit the USA is no longer the top of the world; companies must do that as soon as possible or they become the old China. You must innovate and no longer continue to sit counting money, because it will not arrive as in the past.

cramer (Premium Member):

And they aren't even that good at teaching networking concepts anymore. They teach you The Cisco Way(tm), which is not always the best, or even correct, path to a solution. Their hardware has become too much common merchant silicon (read: broadcom chips) that's the exact same across the industry -- and everyone else is MUCH cheaper.

HELLFIRE (MVM) to train_wreck:

said by hardstyler:

but the new 900 series? you seen throughputs?

The 900 series industrial routers? Is that what you mean?

And this was mentioned over here, so I'm copy/pasting it -- »[H/W] Cisco ISR1100-series, anyone heard of these?
said by tubbynet:

pick your poison: uncapped performance that dovetails as certain features are enabled and then you're left guessing why you can't run all out with all services on a 400meg/s commit line -- or artificially cap the box at a limit that makes sense from a portfolio/price/performance perspective that gives you predictable performance across the entire feature curve.

you can't have it both ways.

*shrugs*
said by hardstyler:

Cisco ASA new series, when and if will ever release them, need a serious upgrade with an ideal start throughput with all FIREPOWER services activated from 500 Mb/s and prices adjusted to the bottom

The sense I get is ASA is on the way out the door. It's the Firepower 2100/4100/9300 and FXOS that they'll be replaced with.

Regards

train_wreck (Member) to hardstyler:

said by hardstyler:

Cisco ASA new series, when and if will ever release them, need a serious upgrade with an ideal start throughput with all FIREPOWER services activated from 500 Mb/s and prices adjusted to the bottom, Cisco is no more so best buy for a lot of products and the first thing I mean is not the prices, but the features and performance!

There's a serious problem at a lot of Fortune 500's, in that managers (typically those over 40) have had it drummed into their head that "Cisco = Quality" and everyone else is shit. The mentality that "no one got fired for buying Cisco" (although these days that mantra falls apart).

Many large organizations have massive, years long contracts with Cisco, and often can get devices/services at astronomical discounts (like 60 percent off or more). Those organizations buy hundreds or thousands of devices at a time, making it more financially lucrative to go with Cisco.

Unfortunately, a lot of the smaller vendors simply cannot afford to discount their own goods as heavily as Cisco can. The end result is a lot of large companies propping up Cisco's monetary value beyond what their products offer. I can point to nearly every product line at Cisco and find another vendor that meets or exceeds their featureset, with a price point at or below Cisco.

It's crap.

wavelength (Member) to HELLFIRE:

said by HELLFIRE:

The sense I get is ASA is on the way out the door. It's the Firepower 2100/4100/9300 and FXOS that they'll be replaced with.

We are working our way through the pricing hell that is the 9300 right now. Current company bought the previous generation Firepower two or three years ago and they are now going EoS. We need more appliances for growth. They priced the 9300 and, even with the discounts, it was more than twice what they paid for the previous generation. I talked with our VAR's Cisco guy and he flat out said not to buy the new Firepower. The high cost and poor performance in testing was undefendable in his opinion.

Good news, and it shocked me, is that we are seriously talking PA and Fortinet now. Amen!

hardstyler (Member) to train_wreck:

top reply! I'm with your idea!

HELLFIRE (MVM) to train_wreck:

said by train_wreck:

I can point to nearly every product line at Cisco and find another vendor that meets or exceeds their featureset, with a price point at or below Cisco.

Just to honestly ask, train_wreck, what'd be your thoughts for:

a) routing platform in the ASR1K range
b) wifi platform
c) CUCM platform
d) Nexus 2K/5K/7K range

I've been in an all-Cisco shop for 10+ years, so always wonder what's on the other side of the fence.
said by wavelength:

The high cost and poor performance in testing was undefendable in his opinion.

Last I checked, 9300 was quoted by Cisco to have 50Gbit/sec firewall throughput (multiprotocol) with an SM-24, source -- »www.cisco.com/c/en/us/pr ··· 661.html
Just how badly did the 9300 actually do compared to that, according to your VAR's Cisco guy? Don't think I'll ever get to play with an actual one, so always curious to know how equipment does "in the real world."

Regards

wavelength (Member):

said by HELLFIRE:

Last I checked, 9300 was quoted by Cisco to have 50Gbit/sec firewall throughput (multiprotocol) with an SM-24, source -- »www.cisco.com/c/en/us/pr ··· 661.html
Just how badly did the 9300 actually do compared to that, according to your VAR's Cisco guy? Don't think I'll ever get to play with an actual one, so always curious to know how equipment does "in the real world."

Regards

His statement on performance was not in reference to throughput numbers alone, but in overall testing. Things like interface design, feature capabilities, visibility, etc. For as much as we were being quoted, he said we could get a better product as a whole from other vendors for roughly the same or lower price. That included additional features that would be added licensing costs on top of the quote if we purchased the 9300.

I became a whole lot less concerned with raw throughput numbers when I jumped from network engineering to security. Now it is what features and visibility the product gives us. If I am going to pay a premium for something, it better be lapping cheaper products.

HELLFIRE (MVM):

Thanks for that viewpoint, wavelength. And yeah, re: licensing. The bane of ANY sort of solution.

Regards

markysharkey (Premium Member):

Wait until you get a new switch "with" a DNA licence. Talk about a screwed up process...

tubbynet (MVM) to cramer:

said by cramer:

Their hardware has become too much common merchant silicon (read: broadcom chips) that's the exact same across the industry -- and everyone else is MUCH cheaper.

there is some cots asics going on where it makes sense — but even in the n9k platform (where we intro'd the concept) — there is still a lot of custom asic design going on. doppler respin on c9k, lots of custom stuff on n9k, especially as we drive towards 400g in the dc using aci.
sure — some of the ncs line is done using broadcom (qumran, jericho, jericho+, t3, etc) — but it's used in fits and spurts.

q.

tubbynet (MVM) to HELLFIRE:

said by HELLFIRE:

The 900 series industrial routers? Is that what you mean?

there’s some other stuff in the works. secret squirrel.

q.

tubbynet (MVM) to HELLFIRE:

said by HELLFIRE:

Last I checked, 9300 was quoted by Cisco to have 50Gbit/sec firewall throughput (multiprotocol) with an SM-24

on my ipad now — so can’t load the tooling. i can check overall throughput tests in the morning or so.
keep in mind — the 9300 is really (3) separate firewall modules. the lowest module has the performance of a 4150 or so (which is 30gbps). with a single sm44 — you’ll get about 54gbps.
the reason the ‘max throughput’ is so high — is using (3) sm44s that are “clustered” together within the chassis.

url here: »www.cisco.com/c/en_in/pr ··· 6661.pdf

q.

tubbynet (MVM) to markysharkey:

said by markysharkey:

Wait until you get a new switch "with" a DNA licence. Talk about a screwed up process...

how so (genuinely curious)?
there are some gaps — for sure — but i'm curious as to what your experience has been. i have customers consuming the licensing today — and while it's a change in having to have a few things to correlate — they haven't complained about it (especially as it simplifies the ordering and feature building process).

q.

markysharkey (Premium Member):

Hi Tubbs,
Well, I bought 4 x 9300's in January. So far the licences are still in my "holding" account with no clear instruction on how to get them to the "customer" account which I still don't know how to create because no-one can tell me. All the links from Cisco and my VAR contain errors or links to pages that don't exist. I've tried to wander through the various pages but it is not intuitive and the error messages don't help to point the way either, so it's really easy to get stuck.

And irrespective of what the process is, buying a switch shouldn't mean creating accounts on the cisco.com software site and moving tokens/licenses between them. To buy a switch? Really?
And that's before we get into the question of that end customer account. What if my end customer has an NDA in place, which all my customers do? In the space I work, this is SOP. I know I can create "alternative accounts" but again that hasn't worked so far.

All that said, I am of course expecting some of these issues to be self inflicted. BUT I'm a smart guy and I have skills so this is awfully frustrating.

If you know how to do this, I'd be grateful for some insight!

tubbynet (MVM):

said by markysharkey:

So far the licences are still in my "holding" account with no clear instruction on how to get them to the "customer" account which I still don't know how to create because no-one can tell me.

since you're a partner -- have you reached out to your local partner support channel?
if so -- and no response -- shoot me an im. i may be able to get you some help. also -- licensing@cisco.com should be able to get you to the right people at least.
said by markysharkey:

And irrespective of what the process is, buying a switch shouldn't mean creating accounts on the cisco.com software site and moving tokens/licenses between them. To buy a switch? Really?

yes.
we're in the process of disaggregating licensing from hardware. one of the major complaints has always been the "hardware dead, need to transfer licenses". cisco one was a small way to step forward, but by having licensing sitting in a portal that can be assigned per device on an as needed basis -- makes a ton of sense. you do that today with almost every other piece of software you buy.
said by markysharkey:

What if my end customer has an NDA in place, which all my customers do?

if you have a relationship with your customer -- and you also have a relationship with cisco -- then the chain already exists. creating a mechanism by which they can get the licenses they have purchased doesn't break any nda. (hint: we do business with people that have much stronger ndas than your clientele).
said by markysharkey:

All that said, I am of course expecting some of these issues to be self inflicted. BUT I'm a smart guy and I have skills so this is awfully frustrating.

welcome to licensing.

q.

markysharkey (Premium Member):

Yes I have reached out. Partner/VAR and Cisco direct help dried up about two weeks ago without really getting past page 1 of the software.cisco.com site. I have chased. I haven't tried licensing@cisco.com yet but so far Cisco and my VAR have been utterly worthless.

I understand the idea of separating license from hardware. But I never bought software before(!) and I found licensing swaps much easier before this!

I do appreciate Cisco work with much more stringent NDAs than mine. That's not the point. My customer is less likely to understand the requirement than I am and he's the one I have to "sell" this idea to. Whether I have an existing relationship or not is neither here nor there. If he don't want it (a Cisco licensing account), he don't have to have it and he will take his business elsewhere if he feels the info is not for Cisco's consumption.

tubbynet (MVM):

said by markysharkey:

If he don't want it (a Cisco licensing account), he don't have to have it and he will take his business elsewhere if he feels the info is not for Cisco's consumption.

well -- he's missing the point.
cisco already has a record of devices and everything else that he has purchased -- and that is all linked through support account contract numbers. you (as the var) aren't the end user -- they are -- and cisco knows who they are. this is a traditional reseller relationship.

the smart account is no different than having a support contract. you (as the var) can manage it for them as long as they make you an administrator. you can even charge a small fee for this service.
the only "requirement" is either (a) having the devices reach out to the internet every now and then to verify license compliance or (b) have a smart licensing satellite vm that would be a "proxy" for this communication.

q.