End of life for Cisco ASA 5500

In this post, I am going to focus on recent End-of-Life announcements for Cisco ASA 5500-X products. I will elaborate on what EoL means, what are the consequences, and how to proceed when EoL affects your infrastructure. Then, how Grandmetric can help in such a scenario.

What do EoL and EoS mean for Cisco products?

Cisco End-of-life (EoL) is a general term used when the vendor plans to cease the production of a certain product or product line. Taking into account that millions of end clients around the world might be using the product, the EoL comes with a group of milestones that all together form the End of Live of the product.

The EoL comprises of following milestones:

• End-of-Life Announcement Date – the date of milestones announcement
• End-of-Sale Date – last day to order the product
• Last Ship Date – last possible ship date requested from Cisco
• End-of-Routine Failure Analysis Date – the last possible date to determine the cause of hardware failure
• End-of-New Service Attachment Date – the last possible date of ordering a new service contract for hardware or software
• End-of-New Service Contract renewal – the last date of service contract extension or renewal
• Last-Date-of-Support – no option to order the Cisco support contract and the product becomes obsolete.

Ok fine, but why should I care about Cisco ASA 5500 EoL announcements?

There are multiple scenarios where the product resides in the critical part of the infrastructure. For these kinds of scenarios obviously, the last date of support becomes the most crucial comparing all the milestones. Without an active support contract, you are no longer entitled to replace failed hardware. Also, the Cisco TAC will not handle your case.

Other milestones are important mainly in terms of planning. You can plan for hardware refreshment cycles or the design of new networks or their functionality with obsolete products. I have seen situations where the AMs offered the EoS-announced products even though the replacement equipment was well tested in production and safe and available at competitive pricing.

What to do if an EoL announcement has been issued?

When the End-of-life announcement affects your infrastructure, take a while and read the EoL notice. It might be as stirring as thick paper documentation but for sure it will be worth your while.

In the first place, determine if the change is related to your particular product. Sometimes the EoL can affect a lower or higher line, software version or just one license tier.

If it affects your equipment, then consider the following carefully.

• Last date of Order (End-of-Sale). Migrating your network to a new hardware line is not the only option. However, if that’s the way for you, make sure to inform the business side before the date comes. Remember that sometimes the ordering process takes a while (from weeks to even months) including vendor lead times and company processes. You should prepare for the last order when:
  • your design, engineering rules, or automation systems require a particular product;
  • the critical function is available only in the product to be deprecated;
  • your security policy relies exactly on your current product.
• Last day of Support (End-of-Support). Whether you like it or not, the EoS will come one day. Some IT projects, business innovations, or transformations could be connected with your design, supportability, or last but not least, budget. It is better to predict and inform your organization that the components of your network infrastructure would become obsolete soon. This information can be crucial for the IT services stakeholders in terms of budget planning or required SLA.
• Last day of Service Contract Renewal. If you feel that the refreshment is not really needed, renew the contract. Having a product that meets your expectations is also a good reason to prolong the support contract. This can extend the lifetime of the hardware while still meeting your business objectives.

EoL of Cisco ASA 5500

I grew up with Cisco ASA (and PIX) :). One of the legends about it was that once you deploy ASA you could just forget the firewall issues. That was a legend of the ASA stability. Good old ASAs then transformed into Next-Generation firewalls. ASA 5500-X with the SFR modules became popular after the acquisition of Source Fire by Cisco Systems. After a few years of ASA X series popularity, Firepower appliances appeared on the horizon.

Some of the EoLs might not have as much impact on your environment as the ASA5500 line does. The popular Internet Edge, VPN, and DC firewalls still play a critical role in many organizations. They serve a variety of functions. Starting from stateful filtering, the VPN remote access, WAN connectivity, or application control with the SFR managed by the FMC appliance.

On February 1st, 2021, Cisco announced the EoL for the popular 5516-X and 5508-X series, including Cisco ASA 5506, 5508, 5512-X, 5515-X, 5516-X, 5525, 5545, 5585 (second generation, or “X” generation).

What next? Cisco used to propose the migration options for the EoL hardware lines. For the popular models Cisco suggests:

• 5506, 5508, 5512, 5515, 5516 -> Cisco Firepower 1000 models
• 5525, 5545, 5555 -> Cisco Firepower 2100 models
• 5585-X -> Cisco Firepower 4100 models

Please be aware, that the above suggestions (despite coming from Cisco migration options) may not always be taken as gospel. Your IT environment can change. The performance, and stack of functions may also be different today than a few years ago when you used to order the ASA series. So please read the last section describing the choices you have.

How Grandmetric can help when the date is close?

First of all, Grandmetric engineers are always keen to talk and consider different options. They are related to your business case, technical objectives, and preferences.

Secondly, because network security is burned into our Team DNA, we all have experience in Cisco firewalls. We do the migrations of large-scale (critical) DCs, Internet Edges, HA clusters, VPNs. And we still maintain large production networks running on ASAs. Because of the above, you can expect real advisory coming from our practical expertise.

We will put some light on the functionalities you might lose or gain as well as on the performance you might need now or in the future, depending on environment dynamics and specs. We will update you with licensing changes and migration options.

Test before you buy – guided testing

PoC and testing are always welcome. Sometimes there are as many different solutions as account managers and companies selling. Engineering advisory and then PoC is something that must show the proof, pros, and cons that let you decide. And guided testing is something we follow.

Get trained

Do not be afraid of new solutions. If you prefer guided learning, you can find useful content for free in our knowledge base. The ASA and Firepower course is one of the top-scored training in our portfolio.

Shared responsibility and financing

I am aware that the topic might not resonate with the technical staff too much, but the post wouldn’t be complete without this aspect of support. The option of shared responsibility that comes from 3rd party support of obsolete devices can be an interesting option for your management.

When hardware must reside inside the network for some reason but is no longer supported by the vendor, consider this. In addition, if you overlooked the EoL announcement and didn’t plan the budget properly, try the financing options. As Cisco Partner, Grandmetric provides Easy Lease financing for new devices.

Security testing in a bundle

And for dessert, something that might be of your professional interest. We treat security with respect and never limit ourselves to simple high-availability tests or rules verification. With every migration, you can count on a comprehensive security scan of your entire Internet Edge.

Contact Grandmetric pre-sales for free consulting to see how your organization can efficiently deal with ASA end of life.