If both firewalls are 5520s, you are doing IPsec on your ASAs, and by "If I build them into one cluster" you mean creating a failover pair:
If this is the case, assuming failover is what you want, you can only do active/standby, which means that if you have 2 ASAs with 10 SSL licenses each, you can only utilize 10 SSL licenses, even though you paid for it twice (one 10-user SSL license for each ASA).
That's just my understanding of it.
Our target is to build a VPN cluster to serve SSL access. IPSec access is not our concern.
As described in the datasheet, SSL licenses will be summed up within one VPN cluster. Thus, we should have 14 licenses in total (2+2+10), as the ASA5200-BUN-K9 is bundled with 2 SSL licenses.
I suspect that you may have 12 licenses rather than 14. When I recently installed the activation keys for the optional extra SSL licenses that we bought, the original "free" 2 licenses went away and the number of licenses on the ASA was exactly the number that we had purchased.
I am not so sure what the cluster does with SSL VPN sessions, but I have been testing the clustering with IPsec VPN and it has a very nice load balancing implementation. When a connection request is received, the cluster active ASA looks at the load on all cluster members. If there is a member whose load is 1% less than the others, then this is the member that gets the new session.
So in your case I would certainly make sure that the ASA with more licenses is the active member. It gets the first sessions. But at some point it will start sending sessions to the other member, and when you get past 2 SSL VPN sessions then you have a problem.
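To make the licensing concern above concrete, here is an added simulation (not code from the thread or from Cisco) of the load-balancing rule Rick describes: the active member keeps a new session unless another member's load is at least 1 percentage point lower. It assumes a 2-member cluster, a 750-peer capacity per 5520 (from the datasheet figures quoted later in the thread), and compares per-box licensing with a hypothetical pooled license count.

```python
from dataclasses import dataclass

LOAD_DIFF_THRESHOLD = 1.0  # percentage points: "1% less than the others"
PEER_CAPACITY = 750        # SSL VPN peer capacity of one ASA 5520 (datasheet)


@dataclass
class Member:
    name: str
    ssl_licenses: int  # SSL VPN licenses installed on this box
    sessions: int = 0

    def load_pct(self) -> float:
        return 100.0 * self.sessions / PEER_CAPACITY


def pick_member(active: Member, members: list) -> Member:
    """Load-balancing decision as described in the thread (assumption: the
    active member keeps the session unless some other member's load is at
    least LOAD_DIFF_THRESHOLD points below every other member's)."""
    lowest = min(members, key=Member.load_pct)
    if all(m.load_pct() - lowest.load_pct() >= LOAD_DIFF_THRESHOLD
           for m in members if m is not lowest):
        return lowest
    return active


def simulate(active_licenses: int, other_licenses: int, attempts: int,
             shared_licenses: bool) -> dict:
    """Feed `attempts` SSL VPN connection requests through a 2-member cluster.
    shared_licenses=False: a box only carries as many sessions as it has
    licenses (the behaviour reported in the thread).  True: one pooled count
    (the hypothetical reading of the datasheet as license sharing)."""
    active = Member("active", active_licenses)
    other = Member("other", other_licenses)
    members, pool, log = [active, other], active_licenses + other_licenses, []
    for _ in range(attempts):
        target = pick_member(active, members)
        if shared_licenses:
            accepted = active.sessions + other.sessions < pool
        else:
            accepted = target.sessions < target.ssl_licenses
        if accepted:
            target.sessions += 1
        log.append((target.name, accepted))
    return {"accepted": sum(ok for _, ok in log),
            "first_refusal": next((i + 1 for i, (_, ok) in enumerate(log)
                                   if not ok), None),
            "log": log}


if __name__ == "__main__":
    for active_lic, other_lic in ((2, 10), (10, 2)):
        for shared in (False, True):
            r = simulate(active_lic, other_lic, 14, shared)
            print(f"active={active_lic} other={other_lic} shared={shared}: "
                  f"{r['accepted']}/14 accepted, first refusal #{r['first_refusal']}")
```

With the 2-license box active and no sharing, the third request is refused and every later one too, because the load never diverges enough to hand sessions to the 10-license box; with the 10-license box active, 12 sessions get through before the 2-license member receives a third one.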
Thanks Rick for your helpful input. I guess the outcome of licensing for SSL VPN is the same as for IPsec VPN. BTW, which version are you using? My calculation is based on the config document of v8.0.
The ASA datasheet clearly says the licenses will be summed and shared within a VPN cluster for the 5520. Thus, I do not expect a license problem after 2 SSL VPN connections are made.
BTW, do we need a heartbeat link for clustered devices? I am quite confused by the description of A/S and load balancing.
I am running 8.0.4. It is my understanding that license sharing for SSL VPN is to be implemented in an upcoming release. If you can show me something in the 8.0 config documents that says it is already implemented I would be very happy to see it.
The following description is from the ASA datasheet and does not specify versions. So I assume it is working at 8.0 already.
Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Businesses can scale up to 750 SSL VPN peers on each Cisco ASA 5520 by installing an SSL VPN upgrade license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can also be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, supporting a maximum of 7500 SSL VPN peers or 7500 IPsec VPN peers per cluster.
In a previous post you said: "The ASA datasheet clearly says the licenses will be summed and shared within a VPN cluster for 5520." My reading of the data sheet (and my experience of using the ASA) is that the licenses are summed (if you have 10 ASAs with 750 licenses per machine then you can support 7500 sessions). But I do not see the data sheet saying that the licenses are shared. The data sheet talks about load balancing (and my experience is that this does work pretty well). But I do not see the data sheet saying that licenses are shared. (Load sharing and license sharing are certainly not the same.)