02-21-2009 09:43 PM - edited 03-11-2019 07:54 AM
Dear Sir,
I have two ASA5200-BUN-K9, one of which has 10 more SSL-VPN licenses installed. If I build them into one cluster, how many SSL VPN licenses do I have in total?
Thanks.
02-23-2009 08:22 AM
If both firewalls are 5520, and you are doing IPSEC on your ASAs, and if you mean create a failover by saying "If I build them into one cluster".
If this is the case, assuming failover is what you want, you can only do active/standby, which means that if you have 2 ASAs with 10 SSL licenses, you can only utilize 10 SSL licenses, even though you paid for them twice (one 10-user SSL license for each ASA).
That's just my understanding of it.
HTH
02-23-2009 06:11 PM
Our target is to build a VPN cluster to serve SSL access. IPSec access is not our concern.
As described in the datasheet, SSL licenses will be summed up within one VPN cluster. Thus, we should have 14 licenses in total (2+2+10)? The ASA5200-BUN-K9 is bundled with 2 SSL licenses.
Thanks.
02-24-2009 11:56 AM
Joseph
I suspect that you may have 12 licenses rather than 14. When I recently installed the activation keys for the optional extra SSL licenses that we bought then the original "free" 2 licenses went away and the number of licenses on the ASA was exactly the number that we had purchased.
I am not so sure what the cluster does with SSL VPN sessions but I have been testing the clustering with IPSec VPN and it has a very nice load balancing implementation. When a connection request is received the cluster active ASA looks at the load on all cluster members. If there is a member whose load is 1% less than the others then this is the member that gets the new session.
So in your case I would certainly make sure that the ASA with more licenses is the active member. It gets the first sessions. But at some point it will start sending sessions to the other member and when you get past 2 SSL VPN sessions then you have a problem.
HTH
Rick
02-24-2009 06:13 PM
Thanks Rick for your helpful input. I guess the outcome of licensing for SSL VPN is the same as IPSec VPN. BTW, which version are you using? My calculation is based on the config document of v8.0.
The ASA datasheet clearly says the licenses will be summed and shared within a VPN cluster for 5520. Thus, I do not expect a license problem after 2 SSL VPN connections are made.
BTW, do we need a heartbeat link for clustered devices? I am quite confused by the description of A/S and load balancing.
Thanks,
Joseph
02-25-2009 05:40 AM
Joseph
I am running 8.0.4. It is my understanding that license sharing for SSL VPN is to be implemented in an upcoming release. If you can show me something in the 8.0 config documents that says it is already implemented I would be very happy to see it.
HTH
Rick
02-25-2009 05:43 PM
The following description is from the ASA datasheet and does not specify versions. So I assume it is working in 8.0 already.
==========
Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Businesses can scale up to 750 SSL VPN peers on each Cisco ASA 5520 by installing an SSL VPN upgrade license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can also be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, supporting a maximum of 7500 SSL VPN peers or 7500 IPsec VPN peers per cluster.
02-26-2009 08:25 PM
Joseph
In a previous post you said: "The ASA datasheet clearly says the licenses will be summed and shared within a VPN cluster for 5520." My reading of the data sheet (and my experience of using the ASA) is that the licenses are summed (if you have 10 ASAs with 750 licenses per machine then you can support 7500 sessions). But I do not see the data sheet saying that the licenses are shared. The data sheet talks about load balancing (and my experience is that this does work pretty well). But I do not see the data sheet saying that licenses are shared. (Load sharing and license sharing are certainly not the same.)
HTH
Rick
02-26-2009 08:56 PM
Hi Rick,
Does your experience show that though the load is balanced, licenses stick to individual ASAs?
02-27-2009 04:43 AM
Joseph
My experience is that licenses stick to individual ASAs. I understand that a feature to share licenses is in development and may appear in a future version of code.
HTH
Rick