438 Views | 0 Helpful | 3 Replies
ASA failover issue related to licenses

syjeon (Level 1)

Hi,

We have two ASA 5540s, and we would like to establish failover between them.

But a problem occurred.

First of all, I will show you our license info.

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Enabled
VPN Peers : 5000
WebVPN Peers : 10
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Enabled
UC Proxy Sessions : 24

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2

As shown in the log above, the two devices' licenses are different. I know that if the ASAs' licenses don't match each other, they can't establish a failover relationship.

Our main purpose for using the ASAs is IPsec VPN connections.

If I sync just VPN-3DES-AES on both, can I establish the VPN, without caring about the other items?

Your comment would be appreciated.

Thanks in advance.

Accepted Solution

Sung, everyone's comments are accurate, but if all you want is Client IPsec VPN load balancing and failover between two ASAs, and you are not planning to use them for firewalling/NAT, then you don't need to worry about configuring failover. Just enable VPN load balancing mode. VPN load balancing mode doesn't care about matching licenses. Keep in mind that you can't have failover and VPN load balancing enabled at the same time. If you also have some site-to-site VPNs, you can separately configure both ASAs to provide them and set up the remote site with a backup IPsec peer (don't forget about IGP+RRI on the ASA).

Regards,

Roman

3 Replies

Kevin Redmon (Cisco Employee)

In order for two ASAs to sync failover, all features must match 100%. So, in order for failover to sync (despite your using the ASAs just for VPN purposes), you will need to have VPN-3DES-AES, 5 Security Contexts, GTP Enabled, 10 WebVPN, and 24 UC Proxy Sessions on the second firewall (along with the already matched features).
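The rule stated in the reply above (every licensed feature must match before failover will sync) can be checked mechanically before the units are cabled together. The following Python script is an added example, not code from the original thread or from Cisco: it parses the two `Licensed features for this platform:` blocks quoted in the question (embedded below as sample strings copied from the post), lists every feature whose value differs between the units, and reports whether the pair would pass the all-features-match requirement. The optional `only` filter lets an administrator see which mismatches a particular license upgrade would resolve. All function and variable names are my own.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Sample input copied from the question: unit 1 first, then unit 2,
# as printed in the license section of the ASA's "show version" output.
ASA1_LICENSE = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Enabled
VPN Peers : 5000
WebVPN Peers : 10
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Enabled
UC Proxy Sessions : 24
"""

ASA2_LICENSE = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
"""

# One "feature : value" line. Feature names may contain spaces and slashes;
# the value must be non-empty, so the header line (nothing after its colon)
# does not match and is skipped automatically.
LINE_RE = re.compile(r"^\s*(?P<feature>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")


def parse_license(text: str) -> Dict[str, str]:
    """Parse a license block into {feature name: value}."""
    features: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            features[m.group("feature")] = m.group("value")
    return features


def license_mismatches(a: Dict[str, str], b: Dict[str, str],
                       only: Optional[Iterable[str]] = None) -> List[Tuple[str, str, str]]:
    """Return (feature, value on a, value on b) for every feature that differs.

    A feature present on only one unit is reported with "<missing>" for the
    other. `only` restricts the comparison to the given feature names.
    """
    names = set(a) | set(b)
    if only is not None:
        names &= set(only)
    diffs: List[Tuple[str, str, str]] = []
    for feature in sorted(names):
        va, vb = a.get(feature, "<missing>"), b.get(feature, "<missing>")
        if va != vb:
            diffs.append((feature, va, vb))
    return diffs


def failover_ready(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """True only when every licensed feature matches, the condition the
    thread gives for failover to sync."""
    return not license_mismatches(a, b)


def report(a_text: str, b_text: str) -> str:
    """Human-readable mismatch report for two raw license blocks."""
    a, b = parse_license(a_text), parse_license(b_text)
    lines = [f"{f}: unit1={va} unit2={vb}" for f, va, vb in license_mismatches(a, b)]
    verdict = ("OK: licenses match" if failover_ready(a, b)
               else f"MISMATCH: {len(lines)} feature(s) differ")
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    print(report(ASA1_LICENSE, ASA2_LICENSE))
```

Run against the two blocks from the question, the report lists six differing features (the five named in the reply above plus Advanced Endpoint Assessment), so the pair is not failover-ready until the second unit's license is brought up to the first's.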

Sung,

You cannot use the ASA for VPN if you establish an active/active failover. You could use the ASA for VPN if you configure it for active/standby (and if you get all the license parameters to match, as explained correctly by Kevin).

HTH

Rick

