VPN between Cisco ASA 5505 and Netgear FVS318

LiberatingInsight used Ask the Experts™
I have a client with a Cisco ASA 5505 in their main office. They need to get a VPN set up between that and 2 of their remote offices. Each office has/will have a static IP address. My original plan was to purchase additional Cisco ASAs for each site but the models are constrained from all my vendors and even CDW and PCConnection. I was looking at the Netgear FVS318 and I think it will work as a VPN endpoint. Has anyone run this configuration? Any other thoughts?

Cisco ASA supply is very tight right now unfortunately.  We have the same problem for new installs.  

As for the Netgear, I have a customer using Netgears to terminate VPN tunnels to an ASA, but occasionally they do have problems and have to reboot the Netgear to get the tunnel to reconnect. It appears that sometimes the tunnel gets disconnected unexpectedly and it will fail to reconnect until after the keepalive period has expired on the ASA. If I manually clear the ASA's crypto information and they reboot the Netgear it will reconnect. It's something that doesn't happen very often though.

Another device I might recommend would be the Cisco/Linksys RV082.  But even with that product there would be issues with tunnels not reconnecting correctly.  The client using those to terminate against an ASA ended up switching out to 5505's eventually.  

Sonicwall/Cisco, Juniper/Cisco, and even Checkpoint/Cisco appear to be pretty solid from my experience, but I don't have as much long-term experience with those particular combinations. Just one-off setups that appear to not have any problems.


I ended up finding a used Cisco PIX 501 that I had replaced for a client. I installed it and have the tunnel working finally but I am having some issues where the users say they lose connection and then it comes back in a few mins. I don't know what to blame it on. A good part of me says it is bandwidth issues since both sides are on cable internet service and also they are running VoIP phones and a LoB program that is not made for WAN deployment. Has anyone heard of Cisco ASA 5505 to PIX 501 (6.3) having issues?

Ordinarily I don't have any problems with VPN connections between ASA5505's and PIX 501s, if the VPN is configured correctly.   You might check to make sure that the VPN is capable of being initiated from either direction.  I.e. you should be able to clear the VPN using the commands:

clear crypto ipsec sa
clear crypto isakmp sa

(may need parameters if you only want to clear one tunnel)

Then initiate a ping from one side to a device on the other side that responds to ping. It should drop one, maybe 2, pings then come up and start responding. If it doesn't come up like that for both sides then you may have a config problem that's not allowing traffic from either end to initiate the tunnel.

FYI you might want to open a new question regarding this problem.

Sounds like a mismatch in the key lifetime. That's one of the few settings that will allow the tunnel to start initially without matching on both ends. The lifetime will expire on one end but the remote end won't allow a new session to that node because it still sees the old key.
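
The key-lifetime mismatch suggested in the last reply can be checked by comparing the IKE and IPsec lifetimes configured on both peers. The script below is an added example, not part of the original thread: both configuration snippets are constructed, the helper names `lifetimes` and `compare` are hypothetical, and only explicitly configured global lifetimes are read (per-crypto-map overrides and device defaults are not).

```python
import re

# Constructed sample configs (not taken from the thread).
ASA_CONFIG = """\
crypto ipsec security-association lifetime seconds 28800
crypto map outside_map 10 set peer 203.0.113.2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 lifetime 86400
"""
PIX_CONFIG = """\
crypto ipsec security-association lifetime seconds 3600
crypto map vpnmap 10 set peer 198.51.100.1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 lifetime 86400
"""

def lifetimes(config):
    """Return {'ike': {policy: secs}, 'ipsec': secs or None} as configured."""
    ike, ipsec, policy = {}, None, None
    for line in config.splitlines():
        if not line.startswith(" "):
            # ASA style: a policy header followed by indented sub-commands.
            m = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)\s*$", line)
            policy = int(m.group(1)) if m else None
        if (m := re.match(r"\s+lifetime (\d+)", line)) and policy is not None:
            ike[policy] = int(m.group(1))
        elif m := re.match(r"isakmp policy (\d+) lifetime (\d+)", line):
            ike[int(m.group(1))] = int(m.group(2))  # PIX 6.3 one-line form
        elif m := re.match(
                r"crypto ipsec security-association lifetime seconds (\d+)", line):
            ipsec = int(m.group(1))
    return {"ike": ike, "ipsec": ipsec}

def compare(config_a, config_b):
    """List lifetime differences between two peers' configs."""
    a, b = lifetimes(config_a), lifetimes(config_b)
    issues = []
    # Policy numbers are local to each device, so compare the values only.
    if set(a["ike"].values()) != set(b["ike"].values()):
        issues.append(f"IKE lifetime differs: {a['ike']} vs {b['ike']}")
    if a["ipsec"] != b["ipsec"]:
        issues.append(f"IPsec SA lifetime differs: {a['ipsec']} vs {b['ipsec']}")
    return issues

if __name__ == "__main__":
    for issue in compare(ASA_CONFIG, PIX_CONFIG):
        print(issue)
```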
