Cisco ASA Firewall Review

It brought our network down several times due to a memory leakage bug. Protects 3G/4G Internet customers and the Private APN.

What is our primary use case?

ASA5585-SSP-60 was deployed after a migration from Juniper SRX5600. The solution is used for the protection of the mobile data network. It is protecting 3G/4G Internet customers and the Private APN.

How has it helped my organization?

So far, we are not satisfied with the move. The previous solution is much more adapted to the Telco environment, although Cisco recommended this platform. Cisco ASA also brought our network down several times due to a memory leakage bug, which is still not resolved.

What is most valuable?

All features provided by the platform are quite the same for all other platforms. We rather missed some features we were used to, such as virtual routers.

What needs improvement?

  • VPN creation with Cisco is quite difficult: Some DH groups are not supported (compared to Juniper).
  • Expected to see the enablement of virtual routing, which is key in a Telco environment. We need to provide this in LAN to LAN services with shared platforms (DNS, proxies, etc.).
  • Application visibility 

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Yes, a memory leakage issue which literally freezes the nodes (we have an HA environment). The issue is still not solved and the only recommendation from Cisco is to reboot the node.

What do I think about the scalability of the solution?

Yes, the throughput highlighted on the datasheet (10Gbps) should be reviewed. This throughput is only for a UDP running environment, which you will never find in the real world. Rather consider a multiprotocol throughput.

How are customer service and technical support?

Experience with technical support was mitigated. 

Technically, they denied any issues on the node and called the memory leak issue "a cosmetic issue." They were stating that memory disappearance reported by SNMP was an error and will have no impact on the traffic. They have reviewed this since we have recorded several blackouts during the year.

Which solution did I use previously and why did I switch?

We were using Juniper SRX5600. The switch was more a strategic decision than a technical one.

We have also been using a 5520 for seven years in our datacenter and we are satisfied with this version.

How was the initial setup?

The initial setup was very complex. Migration from Juniper (with wide usage of VR) to Cisco is complex and you should make sure to master all the flows on the node. Also, Juniper is more permissive on asymmetric traffic, which Cisco will deny by default. 

What about the implementation team?

Implementation was performed by a Cisco recommended local partner. 

We were not satisfied at all (from the pre to post implementation). Their level of expertise was zero.

What was our ROI?

I do not know.

What's my experience with pricing, setup cost, and licensing?

Nothing to highlight at this level. 

Which other solutions did I evaluate?

We did an evaluation with Check Point.

What other advice do I have?

It is definitely not for Telco.

Disclosure: I am a real user, and this review is based on my own experience and opinions.