Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5585-X Licensing

Hi,

I have registered the license purchased for the ASA 5585X appliances and have received the following listed as features.

> Failover : Enabled
> Encryption-DES : Enabled
> Encryption-3DES-AES : Enabled
> Security Contexts : 20
> GTP/GPRS : Disabled
> AnyConnect Premium Peers : Default
> Other VPN Peers : Default
> Advanced Endpoint Assessment : Disabled
> AnyConnect for Mobile : Disabled
> AnyConnect for Cisco VPN Phone : Disabled
> Shared License : Disabled
> UC Phone Proxy Sessions : Default
> Total UC Proxy Sessions : Default
> AnyConnect Essentials : Disabled
> Botnet Traffic Filter : Disabled
> Intercompany Media Engine : Disabled
> 10GE I/O Plus : Disabled

I require 10 GE interfaces and the appliance has been licensed for 10Gb (I think).

Is this something that has to be activated?

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

ASA 5585-X Licensing

...by the way Security Plus license is required to use the 10 Gbps ports:

ASA5585-SEC-PL     ASA 5585-X Security Plus License (Enables 10G SFP+ Ports)

35 REPLIES
Hall of Fame Super Silver

ASA 5585-X Licensing

What version of ASA software are you running? There is a bug (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti70859) in 8.2(3) that shows similar behavior.

Hall of Fame Super Silver

ASA 5585-X Licensing

...by the way Security Plus license is required to use the 10 Gbps ports:

ASA5585-SEC-PL     ASA 5585-X Security Plus License (Enables 10G SFP+ Ports)

Hall of Fame Super Silver

Re: ASA 5585-X Licensing

...and by the way, on an HA pair you only need one Security Plus license for the pair to activate the 10 Gbps interfaces on a 5585-X with SSP-10 (assuming 8.3 or later code)

New Member

ASA 5585-X Licensing

That is not the case, except for 5585-X, the Sec Plus license is required on BOTH units in an HA configuration.

Hall of Fame Super Silver

ASA 5585-X Licensing

Please note my post specificially says I am talking about the 5585-X with SSP 10.

New Member

Hey Marvin! Hope you're doing

Hey Marvin! Hope you're doing well. So if we have a 5585-X SSP10 active/standby then we're good to go with the SEC-PLUS license applied to the cluster and activate the onboard 10gig modules? 

-Jake

Hall of Fame Super Silver

Hi Jake. According to my

Hi Jake. According to my reference here's the answer:

Q: In a 5585 Failover Pair, do BOTH units need the Security Plus license to enable the 10Gb ports, or does just ONE of the units need it? 
A: Just one. With 8.3+ the cluster license will cover both units

My source is a briefing on the partner community. If you have partner access you can find it here:

https://communities.cisco.com/docs/DOC-27177

See the Q&A document there. 

New Member

hi there.

hi there.

I am running a pair of 5585-x-ssp20  with 9.1(2) in multi context mode with active/active ( so some contexts active on each node) and looking to purchase the ASA5585-SEC-PL  security plus to get the 10G interfaces operational.

However your notes above combined with the following statement

"Shared licenses are supported only in single context mode, so Active/Active failover is not supported."

thats I found in

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/intro_license.pdf

Leads me to believe i need to buy the security plus license for each of the ASAs

is this correct or are we 100% sure 1 would be enough i the multicontext active active scenario.

any clarity you can provide would be much appreciated.

Craig

Hall of Fame Super Silver

Craig,

Craig,

The shared licenses in the quotation you cite are talking about the VPN shared licenses where there is a member of a VPN cluster acting as a shared license server.

If you have continued doubt, you can request your partner open a Partner Helpdesk ticket whereby Cisco will confirm in writing the license requirements for your specific use case.

New Member

When deployed in a HA pair,

When deployed in a HA pair, according to Cisco, the Security Plus license does not failover. That being the case, if you want the 10G ports enabled on the standby unit both would need the license. 

New Member

Is the Security Plus license

Is the Security Plus license required on the SSP-10 also for using the 10GE ports on the additional IO modules, like ASA5585-NM-4-10GE, or is it only required for the on-board 10GE ports?

Many thanks.

Hall of Fame Super Silver

Yes - it is required to use

Yes - it is required to use 10 Gbps ports on either the base unit or the additional IO modules.

New Member

Many thanks for your answer

Many thanks for your answer but I believe I just found evidence to the contrary: this link [1] states that "[...] the Security Plus license enables configuring these interfaces at 10-GE speed. This capability is always enabled on SSP-40 and -60 and on any expansion 10-GE interface modules".

 

[1] http://www.ciscopress.com/articles/article.asp?p=2209314

New Member

Hi Andrei,Yes I agree, so the

Hi Andrei,

Yes I agree, so the SEC lic enables 10G for on-board ports, on SSP10's and SSP20's.

SSP40's and SSP60's are unaffected.

Where expansion module ports are always enable for 10G capability. That is what I saw when building a 5585.

Kind Regards,

Garry

New Member

Hi Andrei,Its the on-board

Hi Andrei,

Its the on-board 10G ports that are affected.

I just built a 5585 and added NM-4-10GE with SR SFP+ without being asked for the SEC license.

Also I have noticed that many of the 5585X's are a bundle that includes the SEC license.

Regards,

Garry.

New Member

Thank you for your quick

Thank you for your quick reply. Indeed, bundles with higher-end SSPs already include the SEC license; this license is an option only for the SSP-10.

New Member

ASA 5585-X Licensing

Hello Marvin & Davwalsh,

Just a quick question, does ASA5585-S40-K9 still required a (ASA5585-SEC-PL: ASA 5585-X Security Plus License (Enables 10G SFP+ Ports) to enable the 10G port? I am bit confused because, upon reviewed the Cisco "ASA Managing Feature License, seems that it is supported by default on ASA5585-S40-K9 package, see details below.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

FEATURE INFORMATION

We introduced the 10 GE I/O license for the ASA 5585-X with SSP-10 to enable 10-Gigabit Ethernet speeds for the

fiber ports. The SSP-40 supports 10-Gigabit Ethernet speeds by default.

Note The ASA 5585-X is not supported in 8.3(x).

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

However when I talked to one of Cisco SE, he told me that the Security Plus License is required and a must to enable the 10GB interface.

For your comment.

Regards,

Arnold

Hall of Fame Super Silver

ASA 5585-X Licensing

Arnold,

Your reading is correct. Among the 5585-X models, a separate Security Plus license is only required  to enable 10 Gbps interfaces on the -10 and -20 versions. The -40 and -60 models include it by default.

New Member

ASA 5585-X Licensing

Thanks for the info Marvin, really appreciate it.

New Member

ASA 5585-X Licensing

Hi Marvin,

I have been reading the info here and its been useful except:

The 5585X 10 and 20 need the SEC Plus lic to activate 10G ports - right?

But is a SEC Plus required on both 5585's in an HA pair?

Regards,

Garry

Hall of Fame Super Silver

ASA 5585-X Licensing

Garry,

In an HA pair of 5585-X (with SSP-10 or SSP-20) running ASA software 8.3 or later only one of the units needs to have the Security Plus license purchased and activated in order to use the 10 Gbps ports.

New Member

ASA 5585-X Licensing

Hi Marvin,

Thanks for the response.

Is this unique to the ASA5585?

The ASA5505, 5510, 5512 need the Security lic per ASA in an HA pair?

Regards,

Garry.

Hall of Fame Super Silver

ASA 5585-X Licensing

Correct, Garry.

Since the Security Plus license is required to enable failover at all on the 5505, 5510 and 5512X, you need it on both units in a failover pair.

5585-X (no matter which SSP) all support failover even without Security Plus license. So only one of the units needs it to enable the 10 Gbps interface support.

New Member

ASA 5585-X Licensing

Perfect, thanks Marvin.

Regards,

Garry.

Hall of Fame Super Silver

ASA 5585-X Licensing

You're welcome. Please rate helpful posts.

New Member

Hi All .....Need to know

Hi All .....Need to know ASA5585-S10X-K9  come with ASA5585-SEC-PL    ASA 5585-X Security Plus License  or need to purchase separately ..for Enabling  10G SFP+ Ports

New Member

Hello,

Hello,

Being a techy in a re-seller I have just put the SKU ASA5585-S10X-K9 into the Cisco CCW tool.

And it looks like the license ASA5585-SEC-PL (for 10G port activation) is now not a selectable item but is a default item!

The SEC license was a charged item that had to be selected but now its listed at zero cost as default.

Hope this helps,

Garry,

New Member

I have attached the Bill of

I have attached the Bill of Materials, I have deleted the costs but the column named Included Item show the SEC-PL on line 1.9 as Included. And is at zero cost.

All the NO's in the Included Item column are selected such as software and power cable etc.

New Member

Line Number

Line Number Item Name Description Service Duration Included Item Quantity
1.0 ASA5585-S10X-K9 ASA 5585-X Chas with SSP10,8GE,2SFP+,2GE Mgt,2 AC,3DES/AES N/A No 1
1.0.1 CON-OSP-A85S1XK9 SNTC-24X7X4OS  ASA 5585-X Chas with SSP10,8GE,2SFP,2GE 12.0 month(s) No 1
1.1 ASA5585-BLANK-HD ASA 5585-X Hard Drive Blank Slot Cover N/A Yes 2
1.2 ASA5585-BLANK-F ASA 5585-X Full Width Blank Slot Cover N/A Yes 1
1.3 SF-ASA-X-9.1-K8 ASA 9.1 Software image for ASA 5500-X Series,5585-X & ASA-SM N/A No 1
1.4 CAB-BS1363-C19-UK BS-1363 to IEC-C19 14ft UK N/A No 2
1.5 ASA5585-PWR-AC ASA 5585-X AC Power Supply N/A Yes 1
1.6 ASA-SSP-10-INC ASA 5585-X SSP-10 with 8GE,2SFP, incl with bundle N/A Yes 1
1.7 ASA5500-ENCR-K9 ASA 5500 Strong Encryption License (3DES/AES) N/A Yes 1
1.8 ASA5585-PWR-AC ASA 5585-X AC Power Supply N/A Yes 1
1.9 ASA5585-SEC-PL ASA 5585-X Security Plus License (Enables 10G SFP+ Ports) N/A Yes 1
14646
Views
19
Helpful
35
Replies
CreatePlease login to create content