Going to put down the trusty old PIX 506e and considering replacing it with a SA540. Are there any know VPN configuration 'gotchas' on the SA540 when the IPS assigned WAN address is static pppoe?
I don't know about the configuration you are talking about but there are plenty known issues with the SA540 in general that aren't fixed. And I'm not sure it is a product that you should be considering right now. I have an open ticket that doesn't look like it will be resolved any time soon (its been a week for the Escalation team to come back and ask what modem I'm using) it is for the inability to connect to a 10MB full duplex line on the WAN port. But as I test it I'm running into other issues like the SSLVPN client not working with Windows 7. This is just a word of caution when looking at this product.
We are working on both of the issues with 10Mbps interfaces on the WAN and Optional port. The next release will have support for SSL VPN on Windows 7.
If you're looking to run any form of VPN I can strongly say DON'T go for any of the SA500 devices yet. They can at best be considered an immature product, and at worst a complete joke.
You will not have access to PPTP or Cisco VPN that you can currently run on your 506e. The only "supported" client right now is the Cisco/Linksys QuickVPN...and it is a major step down from the Cisco VPN client. The VPN setup is rather clunkly, and I've seen many many reports of bugs and performance problems with no solutions posted at all.
If you're in need to replace your 506e, go up to the ASA5505....its a fantastic product that can do everything your 506e can do plus more...
I agree that these are a paperweight at best. We traded in a Fortinet that worked for us for 6 years without fail and now witht he SA540 trying to connect to the Cisco in our data centre we are rooted. wasted over 40 man hours trying to get this working only to find others have identical issues. Only bought becaseu there is a 2 month backorder on the ASA that we wanted.
Upgrade to latest firmware 1.1.21 also with no change. WAN port drops (20M/20M link), deive hangs (can't even ping internally and have to reboot after 5 minutes.
We have fixed majority of VPN fixes found and reported by you.
We have also fixed other issues concerning WAN, IPS, etc.
We are currently testing the firmware and it looks good.
I recommend you to try this release which will be posted in a week.
Appreciate your feedback and support.
Thanks and Regards,
Quite agree with many feedback. This product is not mature enougth !!!
Something not working ... please wait for new firmeware :-(
VPN Clients not working very fine .... At this time, we are looking for other product.
Few docs are pretty well written (
https://www.myciscocommunity.com/docs/DOC-15592) but only a workaround !
Please, CISCO teams focus on this product or stop it.
Stephane- I was never able to get the Shrew VPN to work with the SA520 we are testing. I think the way to go is with the ASA series for now.
I did, that's why I started this thread: https://www.myciscocommunity.com/message/43742
It just doesn't work for me. I can set up an ASA in 15 minutes, these "easier" SA units....not so much.
We just got one of these a few days ago and I've been fighting with it for the past day. We have an ancient SonicWall that we want to retire. It was a snap to configure. This SA540 doesn't work no matter what I do. CLient can't connect with generic "there's something wrong" error. We only want it for the VPN features, everything else is useless to us, and the one thing we need it for it can't do. And now I'm supposed to sit here and wait for new firmware so that it will work? Pathetic.
I hope CISCO will do best effort to get a real VPN feature on this box.
my old IPCOP is working better than the SA540 and cost less !!!
I can tell you I just couldn't wait the 2+ MONTHS for the potential fix on this product. We had to just have egg on our face with every client we installed one of these for... I'll never get back all the wasted man hours my team put in for this joke of hardware. I knew I wasn't alone when I called our disty about RMA'ing each of these units and they didn't even bat an eye....I'm guessing I'm not the only one that sent these units packing.
We ended up replacing these units with CIsco 871W and the new 861W routers....IOS based and they just work. They lack the Web VPN....but well, in my mind the 540 didn't either :). I have had great results in using the Shrewsoft VPN client with the 800 and abolve level routers as a work around for 64bit users on the IPSec platform.
Honestly my faith in the SMB arm of Cisco is very shaken right now....I will be hard pressed to ever consider recommending anything in this product line to another client.
After posting my rant, I went to check for firmware again even though I just upgraded from 1.0.15 to 1.1.21 4 days ago. Lo and behold, new 1.1.42 firmware is there. I'm hoping this fixes all the problems everyone has been complaining about. I'll know myself soon enough.
OK, so I've applied the new firmware (1.1.42) and it's somewhat better but still doesn't work. With the old firmware, it gave me the generic error message upon connection attempt. Now it will connect and go through the motions of authenticating (Activating policy... Verifying network...) but then bombs out with a "Remote Gateway is not responding. Do you want to wait?" error. If I choose to wait, it just comes back with the same thing again and again. The log shows that it failed to ping the remote VPN router several times. If I can't get this going by the end of today, I'm just going to box it up and send it back. I don't have the time to play around with this stuff, and I'm not going to wait a few months until the next firmware update. Another point of interest: my test system is a laptop running Vista. Just in case, I also rigged a Windows Server 2003 box with the same network settings so I can just swap the network cable back & forth between them to test (wall port is connected directly to our external switch so these test systems are live on the net with a public IP.) The WS2003 box still gets the "something's wrong" error while the Vista box gets to the "Remote Gateway is not responding." stage. I don't like how it behaves differently depending on which system it's running on.