Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5512-X CX licensing

When i want to use two ASA 5512-X in a failover cluster (Active-Standby), i need two Security PLUS licenses and also two VPN licenses like AnyConnect Essentials:

Correct so far? But what with CX Feature licenses like L- ASA5515-WS3Y=? Which rule does apply - only one license per cluster needed? Or do i need two?

Thanks & regards


Super Bronze

Re: ASA 5512-X CX licensing


I only have a single ASA5515 CX firewall setup so havent yet played around with Failover with the new ones + CX

The documentation would seem to indicate that you need Licensing for each ASA CX unit separately. If I am not completely wrong, this was also the case with the old modules. They were separate from the actual ASA Failover

Managing High Availability

Cisco High Availability (HA) enables network-wide protection by providing fast recovery from faults that may occur in any part of the network. With Cisco High Availability, network hardware and software work together and enable rapid recovery from disruptions to ensure fault transparency to users and network applications.

Configuring high availability on ASA CX devices requires  two identical units connected to each other through a dedicated  failover link, with one active unit passing traffic while the other unit  waits in a standby state. The health of the active unit and its  interfaces is monitored to determine if specific failover conditions are  met. If those conditions are met, failover occurs and the standby unit  begins processing traffic.

The following conditions must be met in order to configure two ASA CX devices for high availability:

  • Both units must be the same model, have the same number and types of interfaces, and the same amount of RAM installed.
  • Both  units must be operating in the same mode (routed or transparent, single  or multiple context). They must have the same major (first number) and  minor (second number) software version.
  • Each ASA CX must have the proper licenses.


- Jouni

New Member

Re: ASA 5512-X CX licensing

Thanks for your reply Jouni. This phrase with the "proper licenses" is at least an indication, however, as it is written in a paragraph dealing specifically with HA i am unsure if it applies to VPN licenses as well.

Anybody out there feeling that he/she completely understood modern ASA licensing? ;-)


Re: ASA 5512-X CX licensing

You must license both the active and standby firewall for CX. I double checked with Cisco a few weeks ago, as the cost difference is considerable. As Marvin Rhoads noted on a similar thread last week, all module based featues (IPS, CX etc) require a licence per appliance.

Whereas, with 8.3 onwards, features like AnyConnect Essentials/Premium, Advanced Endpoint Assessment and Botnet Traffic Filter require only one appliance be licenced per active/standby HA pair.

Hall of Fame Super Silver

ASA 5512-X CX licensing

Reiterating - yes separate licenses are required per appliance for the module-based features. The wording in the document Jouni quoted could be a bit clearer given the commonality of non-module based licenses but the implication is true. An HA pair of ASAs with CX modules currently requires the AVC and/or WSE licenses to be purchased separately for each appliance's module. Shillings' confirmation from Cisco matches what I have heard from our Cisco CSEs and TMEs.

I wouldn't say I understand it completely but as a Cisco partner I have a good number of resources to draw upon when responding to questions.

New Member

Re: ASA 5512-X CX licensing

The release Document of Version 9.2 says the following:

In 9.2(1.1) Build 48, all valid licenses defined on a CX device are  imported when you add the device to the PRSM inventory. However, the  imported licenses might not be assigned to the imported device. In  addition, existing available feature licenses that you uploaded to PRSM  might not get automatically assigned. Please be aware of the following  rules:

If  the imported device uses application or application type specifications  in the traffic matching criteria of any policy, OR there are such  policies defined in the Universal CX access policy sets in PRSM, you  must have an available AVC license, either a non-evaluation license  defined on the device, or an available evaluation or non-evaluation  license in PRSM. During import, the AVC license is automatically  assigned to the device. Import will fail if you do not have an available  AVC license.

May I now assume that all licenses are thrown into a pool and used as needed? So I need only one for a HA scenario?

My test setup with an HA pair shows only one used License

Hall of Fame Super Silver

Re: ASA 5512-X CX licensing


Thanks for bringing it to my attention.

It appears this is indeed a new feature for the CX and PRSM 9.2 release. It also includes NGFW IPS - which can run simultaneously with AVC and WSE features on the CX.

Documentation and other collateral material is still lagging. For instance, I'm not sure if you can do this without using off-box PRSM.

Hall of Fame Super Silver

Re: ASA 5512-X CX licensing

I had an opportunity this week to talk to our Cisco CSE re this question.

The 9.2 update re CX licensing change is for the off-box PRSM server only. It counts the managed CX units in an HA pair as one unit for pruposes of the PRSM managed device count. (PRSM comes in 5, 10, 25, 50 and 100 managed device license tiers.)

The CX units themselves on the ASA HA pairs still need separate licenses (WSE, AVC and - available as of 9.2 - IPS) for the the features you want to use.