Ensuring Maximum Reliability of Cisco ASA devices during COVID-19
We are facing difficult challenges as the COVID-19 pandemic disrupts the life of our communities and our families. At Indeni, we are responding to the crisis by following the guidance of our government and public health officials: practicing social distancing and working from home to ensure the safety and well-being of our employees and the greater community. As organizations around the world move their employees to a remote workforce model, IT infrastructure comes under additional strain. Overnight, Virtual Private Networking (VPN) has become the vital infrastructure holding together the work-from-home workforce.
Cisco has a long history of providing remote access VPN capabilities with Cisco Adaptive Security Appliance (ASA) firewalls. These devices have experienced unprecedented load in the last few weeks and IT teams are working harder to maintain business continuity. To ensure maximum reliability, Indeni continuously assesses ASA device health by comparing expectations of device capacity against the current load. The ability to proactively alert administrators of capacity limits is key to keeping these ASA devices up and running.
Indeni has automated best practices for Cisco ASA to deliver predictive and actionable insights that help you prevent costly disruptions during this challenging time. We have provided a quick snapshot of some of them below.
1) Tracking number of VPN connections
Indeni continuously assesses the number of concurrent VPN connections against automatically-learned limits for the ASA device. It is important that we restrict the number of users at all times to maintain stability. As connections are approaching the device limit, we proactively notify users before the VPN service is impacted.
We recently announced a new feature to show the actual number of VPN connections against the maximum number of connections limit in response to the COVID-19 crisis.
2) ASA Resource Usage
Besides the obvious CPU usage, memory usage, and interface utilization, we track other critical resource usage.
- Number of routes – A high number of routes may have a negative impact on the VPN service.
- Number of ASDM sessions – If the number of ASDM sessions exceeds the limit, administrators will not be able to log in to the ASA device to perform critical tasks.
- Number of SSH sessions – Similarly, if the number of SSH sessions exceeds the limit, administrators will not be able to log in to the ASA device.
- NAT Translations – A high number of NAT translations will have a negative impact on the VPN service, and if the maximum limit is exceeded, the ASA device becomes unstable.
Indeni proactively alerts users as emerging performance issues are surfacing. This is key to keeping these devices up and running during times of crisis.
3) Ensure that VPN is working
Indeni continuously evaluates the status of IPsec VPN tunnels (both phase 1 and phase 2) by ensuring that packet counts are increasing. Troubleshooting VPN tunnel issues is not a trivial task. The recommended remediations are built from the real-world experience of certified IT professionals. They help you remediate potential disruptions regardless of individual skillsets.
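The packet-count check described above can be sketched as follows. This is an added example, not Indeni's code: it compares the encaps/decaps counters from two polls of `show crypto ipsec sa` and goes slightly beyond the text by also reporting which direction stalled. The function names and the sample output are constructed for illustration.

```python
import re

# Constructed samples shaped like ASA `show crypto ipsec sa` output at two
# polls; peers use documentation addresses and the output is trimmed.
POLL_1 = """\
      current_peer: 198.51.100.2
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1400, #pkts decrypt: 1400, #pkts verify: 1400
      current_peer: 198.51.100.9
      #pkts encaps: 800, #pkts encrypt: 800, #pkts digest: 800
      #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
      current_peer: 198.51.100.20
      #pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
      #pkts decaps: 55, #pkts decrypt: 55, #pkts verify: 55
"""
POLL_2 = """\
      current_peer: 198.51.100.2
      #pkts encaps: 1720, #pkts encrypt: 1720, #pkts digest: 1720
      #pkts decaps: 1610, #pkts decrypt: 1610, #pkts verify: 1610
      current_peer: 198.51.100.9
      #pkts encaps: 950, #pkts encrypt: 950, #pkts digest: 950
      #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
"""

def parse_counters(output):
    """Return {peer: {"encaps": n, "decaps": n}}, summed over a peer's SAs."""
    totals, peer = {}, None
    for line in output.splitlines():
        if m := re.search(r"current_peer:\s*([0-9.]+)", line):
            peer = m.group(1)
            totals.setdefault(peer, {"encaps": 0, "decaps": 0})
        elif peer and (m := re.search(r"#pkts (encaps|decaps):\s*(\d+)", line)):
            totals[peer][m.group(1)] += int(m.group(2))
    return totals

def tunnel_health(before, after):
    """Classify every peer seen in the first poll by how its counters moved."""
    old, new = parse_counters(before), parse_counters(after)
    report = {}
    for peer, prev in old.items():
        cur = new.get(peer)
        if cur is None:
            report[peer] = "sa-missing"      # SA disappeared between polls
        elif cur["encaps"] < prev["encaps"] or cur["decaps"] < prev["decaps"]:
            report[peer] = "counters-reset"  # went backwards: re-baseline, no alert
        else:
            tx, rx = (cur[k] > prev[k] for k in ("encaps", "decaps"))
            report[peer] = ("ok" if tx and rx else "no-return-traffic" if tx
                            else "no-outbound-traffic" if rx else "idle")
    return report
```

A tunnel that is merely idle also shows flat counters, so a result of `idle` needs a second signal (for example a keepalive or test traffic across the tunnel) before it is treated as a fault.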
4) Track VPN AnyConnect user count versus License Limits
Indeni continuously monitors the total number of concurrent remote users connected via AnyConnect VPN clients. We will alert you if the number exceeds the license limit.
5) Valid licensing
Indeni identifies upcoming license expirations and proactively notifies you. This includes licenses that are in their grace period and licenses that have not been in use. If you are taking advantage of the vendor’s offer by obtaining special licenses during the COVID-19 pandemic, rest assured that Indeni can help you manage these ongoing maintenance tasks.
6) SSL Certificate Expiration
An expired SSL certificate would cause a variety of problems:
- Failure of HTTPS requests
- Failure of SSL/TLS web traffic inspection
- Failure of X.509 certificate-based VPN tunnels
Yet this is one of those often-forgotten maintenance tasks, and this would be the worst time to encounter this problem. Indeni alerts you in advance if the certificate is about to expire.
Next Steps
Existing customers can upgrade to version 7.1.5 or later. Those who are not currently using Indeni, but would benefit from these ASA capabilities, can download Indeni from our website or reach out directly to us at [email protected]. We promise to find a way to give access to these capabilities even to those organizations that cannot currently purchase our software. We will do whatever we can to help.