Wednesday, March 17, 2021

ASA or Firepower for SSL VPN? Some thoughts and questions

Okay, I recently came across a post here on r/networking regarding this and I swear I can't find it so I figured I'd reach out to get some opinions.

Also, I realize that FTD/FMC experiences are mostly sour on here, most of which I can confirm. Being that I've been in networking for just shy of 4 years, the FTD/FMC was my first real experience of setting up a firewall from scratch. All other ASAs were just from other people's work, and I thoroughly enjoy using the ASDM/CLI to learn.

We've had Firepower 2140s in HA (6.6.1 with vFMC) for about 3+ years now and they are our primary firewalls. They handle our internet traffic as well as our site-to-site VPNs and, here recently due to the pandemic, remote access VPNs using SSL. To cut to the chase, the experience has been pretty subpar when it comes to RA-VPN on the Firepower.

During COVID I've been getting rid of some older ASAs in our environment. One of which was handling our RA-VPN, and I believe it was either an ASA-5512 or 5510. The experience was actually really solid, and our group of users who were on the ASA and are now on Firepower have told us personally it was better back during the ASA.

So fast forward, I'm about finished cleaning up older ASAs and I have 2 x ASA5585-X. For now we have just a few networks that sit behind it, and they will be moving to the Firepower shortly. My thought was to start from scratch on the ASAs, use those in an HA pair, and use them only for VPNs. Whether that's just the SSL VPN or eventually moving the site-to-site back, I'd like to utilize what life I can out of them as we still have SmartNet on them. I'm aware of some licenses we would need to purchase, but I think in the long run it would provide a better experience for our users.

As of now, I'll have users report disconnects once or maybe twice a day where AnyConnect completely disconnects and then eventually reconnects after about 15-20 seconds. I've been back and forth with TAC regarding the issue and we've tried a few things to improve the experience. Adjusting the MTUs on the Connection Profiles seems to work best, but I'm still not satisfied as I keep looking back to the ASA times.

I would say I'm about a month out before being able to reconfigure the ASAs. My question really is if this is a good idea or am I just wasting my time? I would place the ASA behind the FTDs so we can utilize the IPS/IDS functionality of the FTD at the same time. We are talking about 200 users altogether.

My thoughts are a bit all over the place and I apologize. I'm still going to engage TAC to see if I can essentially turn this frown upside down and see what I'm missing, but so far they've confirmed my configurations were solid.

Thank you all for your time today!
