ASA failover issue related to licenses

Answered Question
Jul 26th, 2009

Hi,

We have two ASA 5540s and would like to establish failover between them,

but a problem occurred.

First of all, I will show you our license info.

First ASA:

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Enabled
VPN Peers : 5000
WebVPN Peers : 10
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Enabled
UC Proxy Sessions : 24

Second ASA:

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2

As shown in the output above,

the two devices' licenses are different. I know that if the ASAs' licenses don't match each other,

they can't establish a failover relationship.

Our main purpose in using the ASAs is IPsec VPN connections.

If I sync just VPN-3DES-AES between them, can I establish the VPN? I don't care about the other items.

Your comments would be appreciated.

Thanks in advance.

Kevin Redmon Sun, 07/26/2009 - 17:13

In order for two ASAs to sync failover, all features must match 100%. So, in order for failover to sync (despite your using the ASAs just for VPN purposes), you will need to have VPN-3DES-AES, 5 Security Contexts, GTP enabled, 10 WebVPN Peers, and 24 UC Proxy Sessions on the second firewall (along with the already matched features).

Richard Burts Sun, 07/26/2009 - 17:29

Sung

You cannot use the ASA for VPN if you establish active/active failover. You could use the ASA for VPN if you configure it for active/standby (and if you get all the license parameters to match, as explained correctly by Kevin).

HTH

Rick

Correct Answer
Roman Rodichev Sun, 07/26/2009 - 17:41

Sung, everyone's comments are accurate, but if all you want is to have client IPsec VPN load balancing and failover between two ASAs, and you are not planning to use them for firewalling/NAT, then you don't need to worry about configuring failover. Just enable VPN load balancing mode. VPN load balancing mode doesn't care about matching licenses. Keep in mind that you can't have failover and VPN load balancing enabled at the same time. If you also have some site-to-site VPNs, you can separately configure both ASAs to provide them and set up the remote site with a backup IPsec peer (don't forget about IGP+RRI on the ASA).

Regards,

Roman
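The layout Roman describes, written out as an ASA CLI sketch. This is an added example, not configuration from the original thread or from Cisco documentation: the interface names, addresses (RFC 5737 documentation ranges), OSPF process ID, ACL and map names, and the cluster key are placeholders, and the commands use the 8.x-era `crypto isakmp` syntax that was current when this thread was posted.

```cisco
! ==== Head end: identical on ASA-A and ASA-B except where noted ====
! No "failover" command appears anywhere. Failover and
! "vpn load-balancing" are mutually exclusive, and load balancing
! does not require the two units' licenses to match.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
! ASA-B: ip address 203.0.113.12 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.11 255.255.255.0
! ASA-B: ip address 192.0.2.12 255.255.255.0

! ISAKMP on the outside interface for the clients and site-to-site
! peers; also on the inside interface, which "cluster encryption"
! below requires.
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Remote-access clients connect to the virtual cluster address
! 203.0.113.10 (same subnet as both outside interfaces); the master
! redirects each client to the least-loaded unit. "priority" picks
! the master; give ASA-B a lower value (e.g. 5).
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key PLACEHOLDER-CLUSTER-KEY
 cluster encryption
 priority 10
 participate

! ---- Site-to-site tunnel, configured separately on each ASA ----
! "set reverse-route" (RRI) injects a static route for the remote
! subnet on whichever unit currently holds the tunnel, and OSPF
! redistributes it so inside routers follow the live tunnel.
access-list REMOTE_SITE extended permit ip 192.0.2.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address REMOTE_SITE
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK

router ospf 1
 network 192.0.2.0 255.255.255.0 area 0
 redistribute static subnets

! ==== Remote site ASA: both head-end addresses as peers ====
! The first peer is tried first; if it stops answering, IKE is
! retried against the second, so the tunnel lands on ASA-B.
access-list HEAD_END extended permit ip 10.10.10.0 255.255.255.0 192.0.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address HEAD_END
crypto map OUTSIDE_MAP 10 set peer 203.0.113.11 203.0.113.12
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
tunnel-group 203.0.113.12 type ipsec-l2l
tunnel-group 203.0.113.12 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
```

One caveat visible from the license output in the question: the second ASA shows VPN-3DES-AES as Disabled, so until that license is added it can only negotiate DES for IPsec. The transform set and ISAKMP policy above assume both units are licensed for AES, so on the unlicensed unit those settings would fail to negotiate rather than silently fall back.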
