Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5540 Security Context Licenese Upgrade

I have to install a security context license upgrade for a pair of ASA 5540s running as active/active in failover mode.  I have the standard 2 context license and need to go to 5 context. I am trying to clarify a  few things;

1.The ASAs are already set up for multi-context, and are running Version 8.2(2).  Will applying the license upgrade require a reboot?

2. If a reboot is required what is the least intrusive way of performing the upgrade. I am assuming I will need to beak the failover pair temporally.

Any suggestions or past experience would be appreciated.

CB

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Re: ASA 5540 Security Context Licenese Upgrade

Hi Chris,

No reload is required when you increase the number of contexts. Here is the procedure for installing new licenses on a failover pair:

http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp195268

Hope that helps.

-Mike

5 REPLIES
Gold

Re: ASA 5540 Security Context Licenese Upgrade

Hi Chris,

No reload is required when you increase the number of contexts. Here is the procedure for installing new licenses on a failover pair:

http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp195268

Hope that helps.

-Mike

New Member

Re: ASA 5540 Security Context Licenese Upgrade

Thanks for the answer.  Have you run through this process before?  I opned a TAC case and I am getting a vague answer.  I was hoping someone had done this recently.

Cisco Employee

Re: ASA 5540 Security Context Licenese Upgrade

Chris,

Pls. read this thread: https://supportforums.cisco.com/message/2010684

The link that they followed did not work as expected:http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00806b1c0f.shtml

Pls. follow the 7 steps that Robert provided with one little correction:

  1. First turn off failover by issuing the no failover command on the active and wr mem.
  2. This will disengage failover and the states of the boxes (active and standy will still be the same) until reboot.
  3. On the active do the license upgrade and wr mem.
  4. Serial into the standby and do the license upgrade, wr mem.
  5. Power off the standby and reboot the active (This will be your network down time as the active reboots).
  6. With the active working turn failover back on with the command "failover".
  7. Turn  the standby unit on. It should detect the hello message from the active  and go into standy mode automatically (If the licenses match).

I took the initiative to get the link corrected and have notified the responsible people. It appears that the link is still not correct. I will follow up again.

-KS

Cisco Employee

Re: ASA 5540 Security Context Licenese Upgrade

CCO document 70390

PIX/ASA: License Key Upgrade on a Failover Pair

has been fixed.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00806b1c0f.shtml

-KS

Cisco Employee

Re: ASA 5540 Security Context Licenese Upgrade

Hi Chris,

Mike's post had the link to focus on, the official 8.2 configuration guide.

Specifically, there are only a few very specific instances where you need to reload the ASA after changing your activation-key:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1335945

Because no reload is required, you can follow the steps in the "Upgrading the License for a Failover (No Reload Required)" link here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1336056

As always, it is recommended to do this during a maintenance window, but it should have little to no functional impact.

FYI: this process changes in 8.3 because the license / failover requirements are different.

Thanks,

Kurt

1054
Views
10
Helpful
5
Replies