Solved: ASA 5550 License

Jim Kerr · ‎10-14-2014

Hi All

I currently have a couple of Cisco ASA 5550 firewalls working in Active Standby. Unfortunately the primary firewall died and I am now running from our secondary box. I am purchasing a new (refurbished) 5550 but I anticipate it will be coming with a normal base license.

I presume that as well as making sure that the new box has the same ASA firmware, ASDM and running-config as the current live secondary box that I will also need to make sure that I have the correct license on the new box that I'll be introducing back into the network as the primary box ?

Or does the license work differently when firewalls are used as a pair ? - I think I maybe able to get the license key on the secondary box which is now the active box......do I use the same key or do I need to try and get hold of the key that will have been applied to the box that died (not sure how I'd do this)?

thanks

Marvin Rhoads · ‎10-14-2014

ASA 5550 does not require a special license for failover. Only the 5505, 5510 and 5512-X require Security Plus to use the failover feature. All other models include it in the base license.

Your licensed features that might be at risk would be things like AnyConnect Essentials (or Premium) and any associated licenses such as AnyConnect for Mobile, Advanced Endpoint Assessment etc.. Also things like Botnet filter, IPS etc.if you are using any of those premium features would be an issue.

As of ASA 8.3(1) you only need to have feature licenses on one unit of an HA pair in order for them to apply to the failover cluster.

View solution in original post

rvarelac · ‎10-14-2014

Hi Mick ,

If you have the license key to activate the failover you can use it on this new ASA.

If you're unable to recover this key , you can open a case with our licensing team, and ask them to regenerate the key based on the serial number of the previous ASA (died ) or you Cisco CCO ID.

+1 800-553-6387 (Cisco Customer service)

Hope this helps

Do not forget to rate helpful posts.

- Randy -

Jim Kerr · ‎10-14-2014

thanks Randy

The ASA's were purchased probably 8 years ago and I may not be able to find the license keys - however I can see the activation key in the running config.

So, just so I am clear:

If I can get hold of the License key either for the failed box or the standby box then I can use the license key on the new ASA - even though it was previously registered to the old box ? - do I need to then register the new box with Cisco ?

If I can't get hold of the License key for either the failed box or the standby box I can ask Cisco to regenerate a key based on the ASA that died - I didn't realise that the key would then work for another ASA box with a different serial number ?

Mick

Marvin Rhoads · ‎10-14-2014

ASA 5550 does not require a special license for failover. Only the 5505, 5510 and 5512-X require Security Plus to use the failover feature. All other models include it in the base license.

Your licensed features that might be at risk would be things like AnyConnect Essentials (or Premium) and any associated licenses such as AnyConnect for Mobile, Advanced Endpoint Assessment etc.. Also things like Botnet filter, IPS etc.if you are using any of those premium features would be an issue.

As of ASA 8.3(1) you only need to have feature licenses on one unit of an HA pair in order for them to apply to the failover cluster.