What to expect? When to migrate? How to support ASA 5500-X?
In this post, I am going to focus on recent End-of-Life announcements for Cisco ASA 5500-X products. I will elaborate on what EoL means, what the consequences are, and how to proceed when EoL affects your infrastructure. Then I will explain how Grandmetric can help in such a scenario.
Cisco End-of-life (EoL) is a general term used when the vendor plans to cease the production of a certain product or product line. Because millions of end clients around the world might be using the product, the EoL comes with a group of milestones that together form the End of Life of the product.
The EoL comprises the following milestones:
There are multiple scenarios where the product resides in a critical part of the infrastructure. In these scenarios, the last date of support is obviously the most crucial of all the milestones. Without an active support contract, you are no longer entitled to replace failed hardware. Also, the Cisco TAC will not handle your case.
Other milestones are important mainly in terms of planning. You can plan for hardware refresh cycles or the design of new networks or their functionality with obsolete products. I have seen situations where the AMs offered the EoS-announced products even though the replacement equipment was well tested in production and safe and available at competitive pricing.
When the End-of-life announcement affects your infrastructure, take a moment to read the EoL notice. It might be as stirring as thick paper documentation, but it will certainly be worth your while.
In the first place, determine if the change is related to your particular product. Sometimes the EoL can affect a lower or higher line, software version or just one license tier.
If it affects your equipment, then consider the following carefully.
I grew up with Cisco ASA (and PIX) :). One of the legends about it was that once you deployed an ASA you could just forget about firewall issues. That was the legend of ASA stability. Good old ASAs then transformed into Next-Generation firewalls. ASA 5500-X with the SFR modules became popular after the acquisition of Sourcefire by Cisco Systems. After a few years of ASA X series popularity, Firepower appliances appeared on the horizon.
Some of the EoLs might not have as much impact on your environment as the ASA5500 line does. The popular Internet Edge, VPN, and DC firewalls still play a critical role in many organizations. They serve a variety of functions, from stateful filtering, remote-access VPN, and WAN connectivity to application control with the SFR managed by the FMC appliance.
On February 1st, 2021, Cisco announced the EoL for the popular 5516-X and 5508-X series, including Cisco ASA 5506, 5508, 5512-X, 5515-X, 5516-X, 5525, 5545, 5585 (second generation, or “X” generation).
What next? Cisco usually proposes migration options for EoL hardware lines. For the popular models Cisco suggests:
Please be aware that the above suggestions, despite coming from Cisco migration options, should not always be taken as gospel. Your IT environment can change. The performance and stack of functions may also be different today than they were a few years ago when you ordered the ASA series. So please read the last section describing the choices you have.
First of all, Grandmetric engineers are always keen to talk and consider different options that relate to your business case, technical objectives, and preferences.
Secondly, because network security is burned into our Team DNA, we all have experience in Cisco firewalls. We perform migrations of large-scale (critical) DCs, Internet Edges, HA clusters, and VPNs. And we still maintain large production networks running on ASAs. Because of this, you can expect real advice coming from our practical expertise.
We will shed some light on the functionalities you might lose or gain, as well as on the performance you might need now or in the future, depending on environment dynamics and specs. We will update you on licensing changes and migration options.
PoC and testing are always welcome. Sometimes there are as many different solutions as there are account managers and companies selling them. Engineering advice followed by a PoC should provide the proof, pros, and cons that let you decide. And guided testing is something we follow.
Do not be afraid of new solutions. If you prefer guided learning, you can find useful content for free in our knowledge base. The ASA and Firepower course is one of the top-rated trainings in our portfolio.
I am aware that the topic might not resonate with the technical staff too much, but the post wouldn’t be complete without this aspect of support. The option of shared responsibility that comes from 3rd party support of obsolete devices can be an interesting option for your management.
When hardware must reside inside the network for some reason but is no longer supported by the vendor, consider this. In addition, if you overlooked the EoL announcement and didn’t plan the budget properly, try the financing options. As a Cisco Partner, Grandmetric provides Easy Lease financing for new devices.
And for dessert, something that might be of your professional interest. We treat security with respect and never limit ourselves to simple high-availability tests or rules verification. With every migration, you can count on a comprehensive security scan of your entire Internet Edge.