09-09-2010 10:48 AM - edited 03-11-2019 11:38 AM
I am setting up a secondary ASA. From what I see, the licenses on the two ASAs are different, but the guy who purchased the license said it will work. From what I understand, it doesn't look right. Can someone please confirm whether setting up failover will work if the licenses don't match exactly, or what the minimum match is for failover to work?
Primary
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 25
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 50
Total UC Proxy Sessions : 50
Botnet Traffic Filter : Disabled
Secondary
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 150
Thanks for your input.
09-09-2010 11:07 AM
Hello,
It looks like failover is disabled on the Primary ASA, so failover will not work:
Primary
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 25
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 50
Total UC Proxy Sessions : 50
Botnet Traffic Filter : Disabled
Are the two ASAs running the same software version? Which license is installed on both units? In the output of "show version", there should be something that states "This platform has an ASA.......license".
Please advise.
09-09-2010 11:18 AM
Good catch about the version. Sorry I didn't post the correct one. Here they are.
Primary
TOR-FW1# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
TOR-FW1 up 142 days 1 hour
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0024.97fa.e49c, irq 9
1: Ext: Ethernet0/1 : address is 0024.97fa.e49d, irq 9
2: Ext: Ethernet0/2 : address is 0024.97fa.e49e, irq 9
3: Ext: Ethernet0/3 : address is 0024.97fa.e49f, irq 9
4: Ext: Management0/0 : address is 0024.97fa.e4a0, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 25
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 50
Total UC Proxy Sessions : 50
Botnet Traffic Filter : Disabled
This platform has a Base license.
Secondary
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 9 secs
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is c84c.7552.110a, irq 9
1: Ext: Ethernet0/1 : address is c84c.7552.110b, irq 9
2: Ext: Ethernet0/2 : address is c84c.7552.110c, irq 9
3: Ext: Ethernet0/3 : address is c84c.7552.110d, irq 9
4: Ext: Management0/0 : address is c84c.7552.110e, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 25
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 50
Total UC Proxy Sessions : 50
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
09-09-2010 11:30 AM
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
Indeed you have a license issue. Both units will need to have a license that supports failover in order for failover to work.
I hope it helps.
PK
09-09-2010 11:34 AM
How about security contexts and max VLANs, will that be an issue if they do not match? Will they take the lowest value after they are set up for failover?
09-09-2010 11:41 AM
Yes, you need to have a matching feature set in 8.2.
In 8.3 you can share VPN users license on the units.
I hope it makes sense.
PK
09-09-2010 12:07 PM
Hello,
The Security Plus license is missing from the Primary ASA, which is why failover is not supported. Please take a look at the "High-availability support" section in the link below. Notice that failover is not supported unless it has the Security Plus license:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Hope this helps.
09-09-2010 12:18 PM
Thank you very much for all your help. Cheers!
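The checks the replies describe (both units need a license that supports failover, and on 8.2 the feature sets must match) can be run against saved "show version" output before pairing two units. The script below is an added example, not part of any post in this thread; the function names are hypothetical, and the sample text is a constructed excerpt of the two outputs posted above.

```python
import re

# Constructed sample input: excerpts of the two "show version" outputs in this thread.
PRIMARY = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Failover : Disabled
Security Contexts : 0
SSL VPN Peers : 25
This platform has a Base license.
"""
SECONDARY = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Failover : Active/Active
Security Contexts : 2
SSL VPN Peers : 25
This platform has an ASA 5510 Security Plus license.
"""

def parse_licensed_features(show_version: str) -> dict:
    """Return {feature: value} from the 'Licensed features' block of 'show version'."""
    features, in_block = {}, False
    for line in show_version.splitlines():
        s = line.strip()
        if s.startswith("Licensed features for this platform"):
            in_block = True
        elif s.startswith("This platform has"):
            break  # the license summary line ends the feature block
        elif in_block and (m := re.match(r"(.+?)\s*:\s*(.+)$", s)):
            features[m.group(1)] = m.group(2)
    return features

def failover_blockers(primary: str, secondary: str) -> list:
    """List the license problems named in the thread for an 8.2 failover pair."""
    a, b = parse_licensed_features(primary), parse_licensed_features(secondary)
    problems = []
    for name, feats in (("primary", a), ("secondary", b)):
        if feats.get("Failover", "Disabled") == "Disabled":
            problems.append(f"{name}: license does not support failover")
    for key in sorted(set(a) | set(b)):  # 8.2: every licensed feature must match
        if a.get(key) != b.get(key):
            problems.append(f"mismatch: {key} ({a.get(key)} vs {b.get(key)})")
    return problems

if __name__ == "__main__":
    print("\n".join(failover_blockers(PRIMARY, SECONDARY)))
```

An empty list means neither check found a license blocker; for the two units in this thread it reports the Base-license primary plus the Failover, VLAN and Security Contexts differences.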