cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5902
Views
5
Helpful
5
Replies

ASA failover error - VPN-3DES-AES errors

kwanm63my
Level 1
Level 1

I have 2 ASA configured for Active/Standby...  however, when I issued the "failover" command, i get the following message on both ASA.

Mate's license (VPN-3DES-AES Enabled) is not compatible with my license (VPN-3DES-AES Disabled). Failover will be disabled.

Both ASA are running the identical image verified by sh ver.

the cabling is fine as both side can ping each other on the failover ip...

Yes, I did it on the management interface but I have done that on previously ASA and no issues.

Anybody seen this ?  Thanks all !

ASA 1 config

failover lan unit primary
failover lan interface failover-link Management0/0
failover link failover-link Management0/0
failover interface ip failover-link 1.1.1.1 255.255.255.252 standby 1.1.1.2

ASA 2 config

failover lan unit secondary

failover lan interface failover-link Management0/0
failover link failover-link Management0/0
failover interface ip failover-link 1.1.1.1 255.255.255.252 standby 1.1.1.2

ASA 1 :

LN-ASA-1# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

LN-ASA-1 up 4 days 4 hours

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0  : address is 0024.972b.e1b2, irq 9
1: Ext: GigabitEthernet0/1  : address is 0024.972b.e1b3, irq 9
2: Ext: GigabitEthernet0/2  : address is 0024.972b.e1b4, irq 9
3: Ext: GigabitEthernet0/3  : address is 0024.972b.e1b5, irq 9
4: Ext: Management0/0       : address is 0024.972b.e1b1, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Disabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

ASA 2:


ciscoasa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 58 mins 25 secs

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0  : address is 0022.5597.0f30, irq 9
1: Ext: GigabitEthernet0/1  : address is 0022.5597.0f31, irq 9
2: Ext: GigabitEthernet0/2  : address is 0022.5597.0f32, irq 9
3: Ext: GigabitEthernet0/3  : address is 0022.5597.0f33, irq 9
4: Ext: Management0/0       : address is 0022.5597.0f34, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

Serial Number: xxxxx

1 Accepted Solution

Accepted Solutions
5 Replies 5

Hi,

There's one ASA with 3DES-AES enabled and the other has the license disabled.

In order to do failover, the hardware and the licenses on both units should be the same.

Federico.

Hi,

You can either get the identical license for both the ASA devices.

OR

Try Upgrading to ASA version 8.3.

In version 8.3, Failover licenses no longer need to be identical on each unit. Non-identical failover licenses support is available.

However, while upgrading you need to take into consideration the command changes in 8.3, some of the configs in 8.2 might have to be manually migrated.

is there a way to disable VPN-3DES-AES on the license..

It will be a shame to lose it because I'm sure we paid for it somehow !  or go to 8.3 as somebody suggest ?

VPN-3DES-AES license is free, just get the license from the following:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

(choose: Cisco  ASA 3DES/AES License)

Hello All

I know this old topic but I need help for the issue that I have on my ASA5505 V13' please.

on my ASA5505 shows the 3DS-AES is disabled, I went to Cisco and get a 3DES License and I did try to activate it, I end up with error (( the activation key is the same as the flash permanent activation-key)). 

And when I run the command : ((ssl encryption aes256-sha1 aes128-sha1 3des-sha1)) I get the 3DES/AES algorithm require a VPN-3DES-AES activation key.

 

Any suggestions please, what I can do??  

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: