> computerish

Thursday, 17 April 2008

license to route

OK, I'm back and I'm going to try not to let my blog rot, like almost EVERYONE else's I know...

Recently I've had an awful pain in my side, and it turned out to be a pointy Cisco license restriction.

It started with sporadic trouble at the client as they began to use their VPNs more heavily. They had purchased a Cisco ASA 5505 to use as their VPN router, on my recommendation, and everything had been fine until we added another IPSEC tunnel and had more people accessing the remote sites. After some experimentation, we found the magic number to be 10 users, after which no one else could connect to anything across the VPNs.

Whoa... that sounds just like the "user" limit on this device! I hate user limits. Artificial restrictions on the capability of some hardware tend to piss me off. But I digress... This user limit restriction was a complete surprise because although we purchased a "10 user" ASA, I had talked to two different Cisco reps before the purchase to clarify the meaning of this and had been assured that this "user" limit did not pertain to users/IPs connecting over the IPSEC tunnels, and we didn't care about anything else as this device is strictly a VPN gateway; they already have a m0n0wall in use as their primary internet gateway router.

So, Cisco screwed up. Fortunately I am a digital pack-rat and could produce a year-old email proving that the rep told me that the "user" limit meant 10 IPSEC tunnels with no limit on number of users. The truth is that there were two limits: 10 tunnels AND 10 users/IPs. Unfortunately, it took about two and a half weeks of dealing with assorted Cisco people to finally get a resolution, in the form of a free unlimited user license upgrade.

The outcome is satisfactory, but it really pisses me off that I had to waste so much time troubleshooting and getting it resolved after I tried hard to avoid this very problem by contacting them before buying. Furthermore, based on my conversations with half a dozen Cisco employees I can say that most of them didn't really understand the licensing terms of their own product, which is pretty sad. How am I supposed to understand if they don't? The less clear the license terms, the more likely that someone is going to get surprised by some restriction at the worst possible moment, and then swear off ever buying that brand again.


Comments


  1. Myke says:

    ... Why'd you suggest the Cisco gear if you're already comfortable with m0n0wall/pfSense?

    I just went through a pretty painful migration where one of my clients was acquired by a bunch of SonicWall-using dolts. Combine a horrible, slow UI with a moron who doesn't understand the difference between firewall, routing and NAT rules... oh, and reminds you frequently he's a CCNA but really doesn't understand this VLAN stuff...

    Compare to the pfSense machine I set up for them a year ago, never had to touch since... they had these IPSec and OpenVPN tunnels running, well secured, ~1 year uptime too even!

    Megacorp, who have IT policy stating they use SonicWalls for whatever reason, don't pay for support after 5PM...

    ... Because we all do major network migrations during business hours... don't you?

  2. ra says:

    The remote networks for these particular VPNs require we do NAT over the tunnel, which m0n0wall doesn't currently support, so we went with the Cisco. The m0n0wall will remain the primary router though, for sure. It routes traffic over to the ASA only when necessary.

    I tend to go into convulsions when I have to do too much with Sonicwalls. Whenever I come across one I try to get it replaced with a m0n0wall.

    I only just downloaded pfSense the other day in order to play around and try it out, but I've stuck with m0n0wall thus far because it's nice and lean and we've had great success with it.

    I adore OpenVPN though. I use it extensively for site-to-site and client-server VPNs and it has never let me down.

  3. Myke says:

    Agreed, OpenVPN is hawt... but the logged messages are really silly - like how it'll negotiate a channel, but can't pass data because it's using the wrong cipher at one end... why can't this be passed between the endpoints in the metadata? You can pass IPs, routes and all that jazz - but not WHICH cipher is in use???

    pfSense is good stuff, I know CMB & Scott... they're dedicated to making it awesomesauce... It'll do what you want, and is worth the investigation if you don't have to get more stupid PIXes.
