Community Member

ASA cluster with different license

Dear Sir,

I have two ASA5200-BUN-K9, one of them has 10 more SSL-VPN licenses installed. If I build them into one cluster, how many SSL VPN licenses do I have in total?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Gold

Re: ASA cluster with different license

Joseph

My experience is that licenses stick to individual ASAs. I understand that a feature to share licenses is in development and may appear in a future version of code.

HTH

Rick

9 REPLIES
Community Member

Re: ASA cluster with different license

If both firewalls are 5520, and you are doing IPSEC on your ASAs, and if you mean create a failover by saying "If I build them into one cluster".

If this is the case, assuming failover is what you want, you can only do active/standby, which means if you have 2 ASAs with 10 SSL licenses, you can only utilize 10 SSL licenses, even though you paid for it twice (one 10-user SSL license for each ASA).

That's just my understanding of it.

HTH

Community Member

Re: ASA cluster with different license

Our target is to build a VPN cluster to serve SSL access. IPSec access is not our concern.

As described in the datasheet, SSL licenses will be summed up within one VPN cluster. Thus, should we have 14 licenses in total (2+2+10), as the ASA5200-BUN-K9 is bundled with 2 SSL licenses?

Thanks.

Hall of Fame Super Gold

Re: ASA cluster with different license

Joseph

I suspect that you may have 12 licenses rather than 14. When I recently installed the activation keys for the optional extra SSL licenses that we bought then the original "free" 2 licenses went away and the number of licenses on the ASA was exactly the number that we had purchased.

I am not so sure what the cluster does with SSL VPN sessions but I have been testing the clustering with IPSec VPN and it has a very nice load balancing implementation. When a connection request is received the cluster active ASA looks at the load on all cluster members. If there is a member whose load is 1% less than the others then this is the member that gets the new session.

So in your case I would certainly make sure that the ASA with more licenses is the active member. It gets the first sessions. But at some point it will start sending sessions to the other member and when you get past 2 SSL VPN sessions then you have a problem.

HTH

Rick

Community Member

Re: ASA cluster with different license

Thanks Rick for your helpful input. I guess the outcome of licensing for SSL VPN is the same as IPSec VPN. BTW, which version are you using? My calculation is based on the config document for v8.0.

The ASA datasheet clearly says the licenses will be summed and shared within a VPN cluster for 5520. Thus, I do not expect a license problem after 2 SSL VPN connections are made.

BTW, do we need a heartbeat link for clustered devices? I am quite confused by the description of A/S and load balancing.

Thanks,

Joseph

Hall of Fame Super Gold

Re: ASA cluster with different license

Joseph

I am running 8.0.4. It is my understanding that license sharing for SSL VPN is to be implemented in an upcoming release. If you can show me something in the 8.0 config documents that says it is already implemented I would be very happy to see it.

HTH

Rick

Community Member

Re: ASA cluster with different license

The following description is from the ASA datasheet and does not specify versions. So I assume it is working in 8.0 already.

==========

Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Businesses can scale up to 750 SSL VPN peers on each Cisco ASA 5520 by installing an SSL VPN upgrade license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can also be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, supporting a maximum of 7500 SSL VPN peers or 7500 IPsec VPN peers per cluster.

Hall of Fame Super Gold

Re: ASA cluster with different license

Joseph

In a previous post you said: "The ASA datasheet clearly says the licenses will be summed and shared within a VPN cluster for 5520." My reading of the data sheet (and my experience of using the ASA) is that the licenses are summed (if you have 10 ASAs with 750 licenses per machine then you can support 7500 sessions). But I do not see the data sheet saying that the licenses are shared. The data sheet talks about load balancing (and my experience is that this does work pretty well). But I do not see the data sheet saying that licenses are shared. (Load sharing and license sharing are certainly not the same.)

HTH

Rick

Community Member

Re: ASA cluster with different license

Hi Rick,

Does your experience show that, though the load is balanced, licenses stick to individual ASAs?

Hall of Fame Super Gold

Re: ASA cluster with different license

Joseph

My experience is that licenses stick to individual ASAs. I understand that a feature to share licenses is in development and may appear in a future version of code.

HTH

Rick
