ASA CX Failover, PRSM and Licensing

Hello,

I'm struggling to get exact information regarding licensing requirements for an ASA 5525-X failover pair with CX (AVC and WSE), managed by an off-box PRSM.

If we want to position such a deployment, which licenses are required to accomplish this?

2x 5525-X ASAs

1x PRSM (PRSMV9-SW-5-K9, 5-node license)

1x or 2x AVC+WSE subscriptions?

 

According to the PRSM config guide, each ASA needs to have a separate license: http://www.cisco.com/c/en/us/td/docs/security/asacx/9-2/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_2/prsm-ug-asa-ha.html#concept_5B26031C315C4397B2100443FE37AD60

According to the latest Cisco Live slides in "BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA", one single license can be applied to a CX HA pair and PRSM will automatically push the CX license to both the CX devices (page 50).

http://d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKSEC-2024.pdf

 

Could someone please shed some light on this?

Many Thanks

Dmitri

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Thanks for this thread! I was running into the same question during a new deployment where I upgraded the PRSM/CX from 9.1 to 9.3 and they relaxed the licensing quite a bit. The documentation doesn't really mention it except for sneaking it in on page 74 of this:

http://www.cisco.com/c/en/us/td/docs/security/asacx/9-3/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_3.pdf

"Devices configured for high availability (HA) are shown once, using the logical name for the pair. HA devices use one license per pair."

4 REPLIES
Hall of Fame Super Silver

The single license reference from BRKSEC-2024 refers to the PRSM licenses. That is, an HA pair of ASAs (including their NetGen services licenses) only consumes a single PRSM device license.

The last I knew - and as was verified by a different Cisco SE - at this time, the ASAs themselves EACH need the AVC and WSE (and IPS for those customers using it) subscription licenses to use those features.

New Member

Marvin, many thanks for your reply. This sounds logical, but looking at the context of the second sentence on page 50, I do not see any point in pushing a PRSM license to both ASAs. Also, the screenshot included in the slide is an AVC subscription license and not a PRSM one.

Maybe someone from Cisco will be able to confirm this here?

You have also raised a good point about device licensing; it's good to know that an HA pair counts as one device and consumes one PRSM license. Thanks.

 

Hall of Fame Super Silver

The advice I had been giving earlier (i.e., one license per physical unit even in an HA pair) appears to have changed as of CX Software release 9.2. Although I could not find reference to the change in the release notes, the User Guide for 9.2 (and 9.3, released just yesterday, 30 June 2014) states:

"HA devices use one license per pair."

 
