ASA failover license

avilt
Level 3

I have two standalone asa5525-x firewalls.

On both of them the show version command shows the failover license as active/active. Can I use these two to make an active/standby failover pair?

In ASA what are the failover license types? Is it different from PIX?

1 Accepted Solution


sachinga.hcl
Level 4

Active/Active failover is only available to ASAs in multiple context mode. In an Active/Active failover configuration, both ASAs can pass network traffic.

Active/Standby failover enables you to use a standby ASA to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state.

For Active/Standby in multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.

In an active/active pair, license quantities (when applicable) are merged. For example, two 5510s are in an active/active pair with 100 SSL Premium seats each. The licenses will merge to have a total of 200 SSL VPNs allowed in the pair. The combined number must be below the platform limitation. If the count exceeds the platform limit (ex. 250 SSL VPN connections on a 5510) the platform limit will be used on each.

You can use ACTIVE/STANDBY mode for sure.

You can check your license info under the "show version" and "show activation-key". Here is an example:

Licensed features for this platform:                    <----------------- FEATURES WHICH ARE AVAILABLE BY YOUR LICENSE
Maximum Physical Interfaces    : 8
VLANs                          : 20, DMZ Unrestricted
Inside Hosts                   : Unlimited
Failover                       : Active/Standby
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 25
Dual ISPs                      : Enabled
VLAN Trunk Ports               : 8
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Enabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled
This platform has an ASA 5505 Security Plus license.    <--------------------- TYPE OF YOUR LICENSE
Serial Number: JMX00000000                              <------------------ SERIAL NUMBER
Running Activation Key: 0x........0x........ 0x........0x........0x.......    <--------- ACTIVATION KEY

ASA# show activation-key
Serial Number:  JMX00000000
Running Permanent Activation Key: 0x------ 0x------ 0x------ 0x------ 0x------ 0x------
Running Timebased Activation Key: 0x'''''' 0x'''''' 0x'''''' 0x'''''' 0x'''''' 0x''''''

Licensing Requirements for Active/Active Failover

The following table shows the licensing requirements for this feature:

| Model | License Requirement |
|---|---|
| ASA 5505 | No support. |
| ASA 5510, ASA 5512-X | Security Plus License. |
| All other models | Base License. |

Licensing Requirements for Active/Standby Failover

The following table shows the licensing requirements for this feature:

| Model | License Requirement |
|---|---|
| ASA 5505 | Security Plus License. (Stateful failover is not supported). |
| ASA 5510, ASA 5512-X | Security Plus License. |
| All other models | Base License. |

Active/Active Failover

You cannot use Active/Active failover and VPN; if you want to use VPN, use Active/Standby failover.

http://www.cisco.com/en/US/docs/security/asa/asa83/license_standalone/license_management/license.html

Please rate !!

Message was edited by: sachin garg
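
An added example, not part of the original post or any Cisco tooling: a Python sketch that reads the `Failover` line from two units' `show version` license listings, reports whether each license permits the intended failover mode, and applies the merge-and-cap rule for license quantities described in the answer above. The sample excerpts and function names are constructed for illustration, and the mapping that an Active/Active license also covers Active/Standby is an assumption taken from the answer's "You can use ACTIVE/STANDBY mode for sure."

```python
import re

# Failover modes each "Failover" license value permits. Assumption of this
# example: an Active/Active license also covers Active/Standby.
MODES = {
    "Active/Active": {"active/active", "active/standby"},
    "Active/Standby": {"active/standby"},
    "Disabled": set(),
}

# Constructed excerpts in the layout of the sample "show version" output.
UNIT_A = """Licensed features for this platform:   <---- FEATURES
Failover                       : Active/Active
SSL VPN Peers                  : 100
"""
UNIT_B = """Licensed features for this platform:
Failover                       : Active/Standby
SSL VPN Peers                  : 100
"""

def parse_features(show_version: str) -> dict:
    """Return {feature: value} for the 'name : value' license lines."""
    features = {}
    for line in show_version.splitlines():
        # Drop pasted annotations such as '<---- SERIAL NUMBER'.
        line = re.split(r"\s*<-+", line)[0]
        m = re.match(r"^\s*([A-Za-z][\w /.-]*?)\s*:\s+(\S.*?)\s*$", line)
        if m:
            features[m.group(1)] = m.group(2)
    return features

def pair_problems(unit_a: str, unit_b: str, mode: str) -> list:
    """List reasons the two units cannot form a failover pair in `mode`."""
    problems = []
    for name, text in (("unit A", unit_a), ("unit B", unit_b)):
        value = parse_features(text).get("Failover", "missing")
        if mode not in MODES.get(value, set()):
            problems.append(
                f"{name}: Failover license '{value}' does not allow {mode}")
    return problems

def merged_seats(seats_a: int, seats_b: int, platform_limit: int) -> int:
    """Merged license quantity for a pair, capped at the platform limit."""
    return min(seats_a + seats_b, platform_limit)

if __name__ == "__main__":
    print(pair_problems(UNIT_A, UNIT_A, "active/standby"))
    print(pair_problems(UNIT_A, UNIT_B, "active/active"))
    print(merged_seats(100, 100, 250))
```
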

So the ASA license types are active/active & active/standby.

Also if you have an IPS on ASA, we should have asa with IPS license and also a separate IPS license for signature update. Am I correct?

ASA with IPS module is called AIP-SSM module so as to add IPS capability to Cisco ASA box, but with the new series Cisco ASA 5500-X the IPS module is IPS SSP inbuilt and external module insertion is not needed, but to activate this component you still need a license.

To obtain the details about the ASA 5500-X IPS SSPs:

asa# show module ips details

If I remember correctly, one year support is included with the bundle, just go to the following link and select the AIP-SSM Module (Cisco Services for IPS), then put your serial number/contact details on the next page.

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

The license that you need would be the IPS Subscription license. It is not a user base license. The license will allow you to update the IPS signature to the latest signature pack which is released every few days.

You can check if the IPS subscription license is included in your contract by going to the IDM (IPS GUI), and under licensing, update the license online. Pls make sure that the IPS management interface has internet connectivity. Otherwise, you can check with licensing@cisco.com by providing the serial number of the AIP module and ask the licensing team if they can advise and provide you with the IPS subscription license if it is already included in the smartnet contract.

Your reseller should either sell you this Cisco Service for IPS contract OR your reseller may provide their own support contracts.

Both the ASA serial number AND the AIP-SSM serial number will need to be attached to the service contract.

To access your cisco asa AIP ssm Module you can either session to the SSM from the adaptive security appliance (by using the session 1 command) or you can connect directly to the SSM using SSH or Telnet on its management interface. Alternatively, you can use ASDM.


To session to the AIP SSM from the adaptive security appliance, perform the following steps:


Step 1 Log in to the adaptive security appliance.

Step 2 Obtain the details about the AIP SSM:

asa# show module 1 details
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      JAB09370212
Firmware version:   1.0(10)0
Software version:   6.0(4)E1
MAC Address Range:  0012.d948.fe73 to 0012.d948.fe73
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       6.0(4)E1
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       171.69.36.171
Mgmt web ports:     443
Mgmt TLS enabled:   true
asa#

Step 3 Confirm the information.

To access the AIP module from Cisco ASA you have to use the following session command:

Step 1 Enter the session 1 command to session from the ASA 5500 series adaptive security appliance to the AIP SSM:

hostname# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Step 2 Enter the username and password. The default username and password are both cisco.

Best Regards

Sachin Garg

email - > Sachin.koenig@gmail.com

Hi Sachin,

I need your help... please read my post at the link mentioned below...

https://supportforums.cisco.com/discussion/12370391/cisco-1921-k9#comment-10122096

Thanks,

Sandy

Sandy@wer-wireless.com
