I only have a single ASA5515 CX firewall setup so I haven't yet played around with failover with the new ones + CX.
The documentation would seem to indicate that you need licensing for each ASA CX unit separately. If I am not completely wrong, this was also the case with the old modules. They were separate from the actual ASA failover.
Managing High Availability
Cisco High Availability (HA) enables network-wide protection by providing fast recovery from faults that may occur in any part of the network. With Cisco High Availability, network hardware and software work together and enable rapid recovery from disruptions to ensure fault transparency to users and network applications.
Configuring high availability on ASA CX devices requires two identical units connected to each other through a dedicated failover link, with one active unit passing traffic while the other unit waits in a standby state. The health of the active unit and its interfaces is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs and the standby unit begins processing traffic.
The following conditions must be met in order to configure two ASA CX devices for high availability:
Both units must be the same model, have the same number and types of interfaces, and the same amount of RAM installed.
Both units must be operating in the same mode (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version.
Thanks for your reply Jouni. This phrase with the "proper licenses" is at least an indication; however, as it is written in a paragraph dealing specifically with HA, I am unsure if it applies to VPN licenses as well.
Anybody out there feeling that he/she completely understood modern ASA licensing? ;-)
You must license both the active and standby firewall for CX. I double checked with Cisco a few weeks ago, as the cost difference is considerable. As Marvin Rhoads noted on a similar thread last week, all module-based features (IPS, CX etc.) require a licence per appliance.
Whereas, with 8.3 onwards, features like AnyConnect Essentials/Premium, Advanced Endpoint Assessment and Botnet Traffic Filter require only one appliance be licenced per active/standby HA pair.
Reiterating - yes separate licenses are required per appliance for the module-based features. The wording in the document Jouni quoted could be a bit clearer given the commonality of non-module based licenses but the implication is true. An HA pair of ASAs with CX modules currently requires the AVC and/or WSE licenses to be purchased separately for each appliance's module. Shillings' confirmation from Cisco matches what I have heard from our Cisco CSEs and TMEs.
I wouldn't say I understand it completely but as a Cisco partner I have a good number of resources to draw upon when responding to questions.
The release document for version 9.2 says the following:
In 9.2(1.1) Build 48, all valid licenses defined on a CX device are imported when you add the device to the PRSM inventory. However, the imported licenses might not be assigned to the imported device. In addition, existing available feature licenses that you uploaded to PRSM might not get automatically assigned. Please be aware of the following rules:
• If the imported device uses application or application type specifications in the traffic matching criteria of any policy, OR there are such policies defined in the Universal CX access policy sets in PRSM, you must have an available AVC license, either a non-evaluation license defined on the device, or an available evaluation or non-evaluation license in PRSM. During import, the AVC license is automatically assigned to the device. Import will fail if you do not have an available AVC license.
May I now assume that all licenses are thrown into a pool and used as needed? So I need only one for a HA scenario?
My test setup with an HA pair shows only one used license.
I had an opportunity this week to talk to our Cisco CSE re this question.
The 9.2 update re CX licensing change is for the off-box PRSM server only. It counts the managed CX units in an HA pair as one unit for purposes of the PRSM managed device count. (PRSM comes in 5, 10, 25, 50 and 100 managed device license tiers.)
The CX units themselves on the ASA HA pairs still need separate licenses (WSE, AVC and - available as of 9.2 - IPS) for the features you want to use.