cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
27303
Views
34
Helpful
35
Replies

ASA 5585-X Licensing

Ashley Sahonta
Level 1
Level 1

Hi,

I have registered the license purchased for the ASA 5585X appliances and have received the following listed as features.

> Failover : Enabled
> Encryption-DES : Enabled
> Encryption-3DES-AES : Enabled
> Security Contexts : 20
> GTP/GPRS : Disabled
> AnyConnect Premium Peers : Default
> Other VPN Peers : Default
> Advanced Endpoint Assessment : Disabled
> AnyConnect for Mobile : Disabled
> AnyConnect for Cisco VPN Phone : Disabled
> Shared License : Disabled
> UC Phone Proxy Sessions : Default
> Total UC Proxy Sessions : Default
> AnyConnect Essentials : Disabled
> Botnet Traffic Filter : Disabled
> Intercompany Media Engine : Disabled
> 10GE I/O Plus : Disabled

I require 10 GE interfaces and the appliance has been licensed for 10Gb (I think).

Is this something that has to be activated?

1 Accepted Solution

Accepted Solutions

...by the way Security Plus license is required to use the 10 Gbps ports:

ASA5585-SEC-PL     ASA 5585-X Security Plus License (Enables 10G SFP+ Ports)

View solution in original post

35 Replies 35

Marvin Rhoads
Hall of Fame
Hall of Fame

What version of ASA software are you running? There is a bug (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti70859) in 8.2(3) that shows similar behavior.

...by the way Security Plus license is required to use the 10 Gbps ports:

ASA5585-SEC-PL     ASA 5585-X Security Plus License (Enables 10G SFP+ Ports)

...and by the way, on an HA pair you only need one Security Plus license for the pair to activate the 10 Gbps interfaces on a 5585-X with SSP-10 (assuming 8.3 or later code)

That is not the case, except for 5585-X, the Sec Plus license is required on BOTH units in an HA configuration.

Please note my post specificially says I am talking about the 5585-X with SSP 10.

Hey Marvin! Hope you're doing well. So if we have a 5585-X SSP10 active/standby then we're good to go with the SEC-PLUS license applied to the cluster and activate the onboard 10gig modules? 

-Jake

Hi Jake. According to my reference here's the answer:

Q: In a 5585 Failover Pair, do BOTH units need the Security Plus license to enable the 10Gb ports, or does just ONE of the units need it? 
A: Just one. With 8.3+ the cluster license will cover both units

My source is a briefing on the partner community. If you have partner access you can find it here:

https://communities.cisco.com/docs/DOC-27177

See the Q&A document there. 

hi there.

I am running a pair of 5585-x-ssp20  with 9.1(2) in multi context mode with active/active ( so some contexts active on each node) and looking to purchase the ASA5585-SEC-PL  security plus to get the 10G interfaces operational.

However your notes above combined with the following statement

"Shared licenses are supported only in single context mode, so Active/Active failover is not supported."

thats I found in

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/intro_license.pdf

Leads me to believe i need to buy the security plus license for each of the ASAs

is this correct or are we 100% sure 1 would be enough i the multicontext active active scenario.

any clarity you can provide would be much appreciated.

Craig

Craig,

The shared licenses in the quotation you cite are talking about the VPN shared licenses where there is a member of a VPN cluster acting as a shared license server.

If you have continued doubt, you can request your partner open a Partner Helpdesk ticket whereby Cisco will confirm in writing the license requirements for your specific use case.

When deployed in a HA pair, according to Cisco, the Security Plus license does not failover. That being the case, if you want the 10G ports enabled on the standby unit both would need the license. 

Is the Security Plus license required on the SSP-10 also for using the 10GE ports on the additional IO modules, like ASA5585-NM-4-10GE, or is it only required for the on-board 10GE ports?

Many thanks.

Yes - it is required to use 10 Gbps ports on either the base unit or the additional IO modules.

Many thanks for your answer but I believe I just found evidence to the contrary: this link [1] states that "[...] the Security Plus license enables configuring these interfaces at 10-GE speed. This capability is always enabled on SSP-40 and -60 and on any expansion 10-GE interface modules".

 

[1] http://www.ciscopress.com/articles/article.asp?p=2209314

Hi Andrei,

Yes I agree, so the SEC lic enables 10G for on-board ports, on SSP10's and SSP20's.

SSP40's and SSP60's are unaffected.

Where expansion module ports are always enable for 10G capability. That is what I saw when building a 5585.

Kind Regards,

Garry

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: