I recently bought an ISA550 due to its UTM and VPN features. I have some general issues which I would like to share with the community, mainly to get some answers:
1) I have registered on the Cisco web site and inserted the login data into the ISA550, but it still could not connect to download and upgrade firmware from the internet. After registration I waited for a day to try, but it still returned the error about the wrong authentication. Then I upgraded the firmware manually (download from web site to PC...). How can I test if all other updates (antivirus, ..) work OK?
2) Under security services in ISA550 I couldn't find UTM service. I enabled antivirus and some firewall features but I kind of expected UTM will also be available to enable/disable and configure.
3) I configured ipsec vpn but now I have to have client software for Win7. I noticed that Cisco has AnyConnect software but it seems that I cannot download it with my user account. The error says that I don't have a valid service contract on my user account. Does this mean that I bought a VPN server without a client licence? This doesn't help me at all...
4) At work I managed to find some Cisco VPN Client, version 5.0.07.0290, and with it I managed to get a connection going to my ISA550. I have an issue with slow file download from ISA550 to client PC (approx. 1 Mb/sec), although I have a good internet connection on both sides (100 MBit download/ 10Mbit upload).
I do, however, have to say that I love the ISA550 web management tools - they are so much better than what I have on my HP switch and WiFi AP.
1) You need to elevate your account privilege to download encrypted (k9) images
We will have this link on GUI for the upcoming release
AV, IPS signatures do not require this account privilege
2) UTM means AV, IPS, Web security (url filtering, reputation), Application control, etc
Don't you see those listed under Security Services ?
3) You should have the anyconnect clients on the CD shipped with your ISA500. Although, you do need service contract to have the latest anyconnect clients.
4) What kind of WAN connection do you have, giving 100Mbps download ?
(1) It seems that I managed to elevate my account privileges, so thank you for the link.
(2) For the UTM question - it is clearer now. I just thought that UTM is a separate security service. And of course, AV, IPS, ... all work fine.
(3) About the application download - I have received installation files on CD inside the package (I found them later), but I thought that I would have access to download the latest software versions.
(4) My major issue is still the VPN speed (client to server). My WAN on both sides (on ISA550 and on a client side) is through optical cable giving me 100/10 Mbps. Therefore the VPN speed should be higher (probably just under 10 Mbps).
And also - if I use Cisco VPN client to connect to ISA550 network, the VPN client disconnects the local network (even if I check the option allow local connections... ). Is this a known issue?
Thank you for the help,
If you search the forums you'll find a discussion I started and a few others talking about the inability to download the vpn client. The other post is correct, if you want to download the latest and greatest then you have to have a service contract. The 1 or 3 years of support provided with the device is only for said device. With that said, the clients provided on the CD are the only ones that are listed as being "compatible" with the ISA500 series. The newer versions are not explicitly listed as being compatible.
As far as the speed of the vpn, I'm on FiOS and have 75mb/35mb (theoretical speeds) in the office and FiOS 25mb/25mb at my house a mile away. The best I can get is 5mb down and 4mb up using anyconnect.
Please do not configure the vpn client address pool overlapping with local networks.
For example, if your local default VLAN is configured with 192.168.75.0/24, your vpn client address pool should not overlap with this network.
The GUI should validate on this.
For the VPN performance issue, could you please provide me some performance data for the following scenarios to help us troubleshoot:
1) file download Without VPN, Without enabling any security services or on box reporting
2) file download via VPN, no security services and on box reporting
Scenario 1 is unclear. Should I send you the performance data for downloading a file from inside my network? From server computer to client computer on the same network without VPN?
You can do the port forwarding for the internal server access from WAN side.
FTP server--------[LAN]ISA500[WAN]--------------Internet--------------client PC
You can configure server port forwarding under Firewall->NAT.
For the VPN performance issue, Could you please do a
packet capture at ISA500 LAN port which connects to FTP server,
when Client is doing the ftp download via VPN tunnel ?
Please disable all security features for this. We want to check
if the issue is related to the IP packet fragmentation caused by the vpn
You can use ISA500 packet capture feature for this task (device
management->diagnostic utilities->packet capture)
FTP server-------[LAN]ISA500[WAN]---------Internet-----------Client PC
You can also try to lower the mtu of your FTP server to see if this helps.
(I suggest to start with mtu = 1400 first)
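
The fragmentation check requested in the last reply, as an added example that is not part of the original thread: a small parser that reads a capture and counts IPv4 fragments, DF-marked packets and ICMP "fragmentation needed" replies, which are the signs that tunnel overhead is pushing packets over the path MTU. It assumes the capture is available as a classic little-endian pcap file with Ethernet framing; the function names and the sample capture are constructed for illustration.

```python
import struct
MF, DF, OFFSET = 0x2000, 0x4000, 0x1FFF  # IPv4 flags/fragment-offset field

def ipv4_frame(total_len, flags_frag, proto=6, payload=b""):
    """Constructed Ethernet+IPv4 frame; total_len may exceed the captured bytes (snaplen)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64,
                     proto, 0, bytes([192, 168, 75, 10]), bytes([10, 0, 0, 5]))
    return eth + ip + payload

def build_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def fragmentation_summary(pcap):
    """Count IPv4 fragments, DF packets and ICMP 'fragmentation needed' replies."""
    if len(pcap) < 24 or struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    stats = dict(ipv4=0, fragments=0, df_set=0, frag_needed=0, max_ip_len=0)
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]  # captured length
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated record or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total_len, _ident, flags_frag = struct.unpack_from("!HHH", frame, 16)
        stats["ipv4"] += 1
        stats["max_ip_len"] = max(stats["max_ip_len"], total_len)
        if flags_frag & (MF | OFFSET):
            stats["fragments"] += 1  # first, middle or last fragment
        if flags_frag & DF:
            stats["df_set"] += 1
        icmp = frame[14 + ihl: 14 + ihl + 2]
        if frame[23] == 1 and not flags_frag & OFFSET and icmp == b"\x03\x04":
            stats["frag_needed"] += 1  # ICMP type 3, code 4
    return stats

SAMPLE = build_pcap([  # constructed capture, not real traffic
    ipv4_frame(1500, DF),                      # full-size TCP segment, DF set
    ipv4_frame(1420, MF),                      # first fragment
    ipv4_frame(100, 0x00B1),                   # trailing fragment (offset != 0)
    ipv4_frame(56, 0, proto=1, payload=b"\x03\x04" + b"\x00" * 6),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP, skipped
])
```

A non-zero `fragments` or `frag_needed` count alongside a `max_ip_len` of 1500 supports the fragmentation theory; repeating the capture after lowering the server MTU should bring both counts to zero.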