Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
691
Views
5
Helpful
5
Replies

ASA Active/Standby Shared Security License

Go to solution
johnlloyd_13
Level 9
Level 9

‎02-11-2018 07:58 PM - edited ‎02-21-2020 07:20 AM

hi,

i'm going to configure an ASA5525-X Active/Standby FW pair with multiple security context. my question is, do i need to install both FW with the same security license (i only got 1x 20-SC license) or just 1 SC license will do (on the active FW)?

will standby FW "inherit" the security context count when it failover? 

 

i saw this link and says 8.3+ no longer needs identical licenses but it's not clear and it doesn't explicitly says for my scenario for A/S FW with multiple security contexts.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/intro_license.html#wp1315746%0A

Failover License Requirements and Exceptions

Failover units do not require the same license on each unit.

Older versions of ASA software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.

The exceptions to this rule include:

Security Plus license for the ASA 5505, 5510, and 5512-X—The Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.

Encryption license—Both units must have the same encryption license.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎02-11-2018 08:52 PM

Installing the licence on one of the units will work.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎02-11-2018 08:52 PM

Installing the licence on one of the units will work.

0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Philip D'Ath

‎02-11-2018 09:56 PM

thanks philip!

cisco guide are sometimes not clear or concise.

have u tried it personally? did standby FW took over the security context count (i.e become 20 contexts)?

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to johnlloyd_13

‎02-11-2018 10:15 PM

Yes I have and it works fine.

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Philip D'Ath

‎02-11-2018 10:40 PM

hi philip,

hope you don't mind asking another question.

what's the difference between L-ASA-SC-20 vs ASA5500-SC-20?

is L-ASA-SC-20 meant for 5500-X and ASA5500-SC-20 for first-gen 5500?

i usually get L-ASA-SC-20 for ASA5525-X. i'm not sure why the vendor gave me ASA5500-SC-20 and not sure if it will work on a ASA5525-X

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to johnlloyd_13

‎02-11-2018 10:42 PM

I'm not sure sorry.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card