SSL license upgrade for failover ASA

Unanswered Question
Jun 7th, 2010

In order to upgrade the standard 2 user SSL license to 50, do I have to purchase an SSL license for both the active and failover ASA, essentially doubling my cost? I bought one license and loaded it into the active unit and obviously now it wont go into failover mode because the 2 units dont match now. If you have to purchase a license for both, that certainly makes it rediculously expensive to upgrade any license in a failover.


Greg M

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
JORGE RODRIGUEZ Mon, 06/07/2010 - 13:47


As far as I know you do  need to license both ,  PAK issues  activation  key  per firewall serial number...  Im not aware of any other way around it .

You can always write directly and see if there is a way around it.

Although it is not recommended in failover deployment there is  VPN Flex licensing , where you may use temp license in the standby  when becomes active . it sounds  tedious  to keep track of timed base licenses but it may help if money  is an object in purchasing additional 50 SSL lic for the standby . Im not ware of the cost difererces when using flex license compared with permanent lic.

Some basic details here .


Todd Pula Mon, 06/07/2010 - 13:55

Prior to the release of 8.3 code, the failover feature looked at the member ASAs to ensure that the licensing matched.  With 8.3, only one unit needs a valid license.  If one ASA has a 50 user persistent license and then other has the default of 2 users, the total that the HA pair could support is 52.  Remember that in order to upgrade to 8.3, each platform has strict memory requirements many of which will require a memory upgrade.

JORGE RODRIGUEZ Mon, 06/07/2010 - 14:04

Topula, indeed excellent info !  I think this is something folks were looking for  prior 8.3 .


This Discussion