ASA License

joe.ho
Level 1

I am setting up a secondary ASA. From what I see, the licenses on the two ASAs are different, but the guy who purchased the license said it will work. From what I understand, it doesn't look right. Can someone please confirm whether setting up failover will work when the licenses don't match exactly, or what the minimum match is in order to have failover work?

Primary

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50       
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 0        
GTP/GPRS                     : Disabled 
SSL VPN Peers                : 25       
Total VPN Peers              : 250      
Shared License               : Disabled
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
AnyConnect Essentials        : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Phone Proxy Sessions      : 50       
Total UC Proxy Sessions      : 50       
Botnet Traffic Filter        : Disabled

Secondary

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25       
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
Security Contexts           : 0        
GTP/GPRS                    : Disabled 
VPN Peers                   : 150
   

Thanks for your input.

Allen P Chen
Level 5

Hello,

It looks like failover is disabled on the Primary ASA, so failover will not work:

Primary

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50       
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 0        
GTP/GPRS                     : Disabled 
SSL VPN Peers                : 25       
Total VPN Peers              : 250      
Shared License               : Disabled
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
AnyConnect Essentials        : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Phone Proxy Sessions      : 50       
Total UC Proxy Sessions      : 50       
Botnet Traffic Filter        : Disabled

Are the two ASAs running the same software version?  Which license is installed on both units?  In the output of "show version", there should be something that states "This platform has an ASA.......license".

Please advise.

Good catch about the version. Sorry I didn't post the correct one. Here they are.

Primary

TOR-FW1# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

TOR-FW1 up 142 days 1 hour

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is 0024.97fa.e49c, irq 9
1: Ext: Ethernet0/1         : address is 0024.97fa.e49d, irq 9
2: Ext: Ethernet0/2         : address is 0024.97fa.e49e, irq 9
3: Ext: Ethernet0/3         : address is 0024.97fa.e49f, irq 9
4: Ext: Management0/0       : address is 0024.97fa.e4a0, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5
             
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50       
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 0        
GTP/GPRS                     : Disabled 
SSL VPN Peers                : 25       
Total VPN Peers              : 250      
Shared License               : Disabled
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
AnyConnect Essentials        : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Phone Proxy Sessions      : 50       
Total UC Proxy Sessions      : 50       
Botnet Traffic Filter        : Disabled

This platform has a Base license.

Secondary

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 9 secs

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is c84c.7552.110a, irq 9
1: Ext: Ethernet0/1         : address is c84c.7552.110b, irq 9
2: Ext: Ethernet0/2         : address is c84c.7552.110c, irq 9
3: Ext: Ethernet0/3         : address is c84c.7552.110d, irq 9
4: Ext: Management0/0       : address is c84c.7552.110e, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5
             
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
SSL VPN Peers                : 25       
Total VPN Peers              : 250      
Shared License               : Disabled
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
AnyConnect Essentials        : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Phone Proxy Sessions      : 50       
Total UC Proxy Sessions      : 50       
Botnet Traffic Filter        : Disabled

This platform has an ASA 5510 Security Plus license.

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50       
Inside Hosts                 : Unlimited
Failover                     : Disabled

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100      
Inside Hosts                 : Unlimited
Failover                     : Active/Active

Indeed you have a license issue. Both units will need to have a license that supports failover in order for failover to work.

I hope it helps.

PK

How about security contexts and max VLANs, will that be an issue if they do not match? Will they take the lowest value after they are set up for failover?

Yes, you need to have a matching feature set in 8.2.

In 8.3 you can share VPN users license on the units.

I hope it makes sense.

PK

Hello,

The Security Plus license is missing from the Primary ASA, which is why failover is not supported. Please take a look at the "High-availability support" section in the link below; notice that failover is not supported unless it has the Security Plus license:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Hope this helps.

Thank you very much for all your help. Cheers!
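
A check for the conditions raised in the replies (same software version, a license that supports failover on each unit, and a matching feature set on 8.2), as an added example that is not part of the original thread: it parses the `Licensed features` table from `show version` text and lists what differs. The function names and the trimmed sample text are constructed for illustration.

```python
import re

# Constructed sample input: trimmed "show version" text using values quoted in the thread.
PRIMARY = """\
Cisco Adaptive Security Appliance Software Version 8.2(1)
Licensed features for this platform:
Maximum VLANs                : 50
Failover                     : Disabled
Security Contexts            : 0
Total VPN Peers              : 250

This platform has a Base license.
"""
SECONDARY = """\
Cisco Adaptive Security Appliance Software Version 8.2(1)
Licensed features for this platform:
Maximum VLANs                : 100
Failover                     : Active/Active
Security Contexts            : 2
Total VPN Peers              : 250

This platform has an ASA 5510 Security Plus license.
"""

def parse_show_version(text):
    """Return (software_version, {feature: value}) from 'show version' text."""
    m = re.search(r"Software Version (\S+)", text)
    features, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_table = True
        elif in_table and ":" in line:
            name, value = line.split(":", 1)
            features[name.strip()] = value.strip()
        elif in_table and not line.strip():
            break  # blank line ends the feature table
    return (m.group(1) if m else None), features

def failover_findings(primary, secondary):
    """List the problems the thread describes for a failover pair."""
    (v1, f1), (v2, f2) = parse_show_version(primary), parse_show_version(secondary)
    findings = [f"software version differs: {v1} vs {v2}"] if v1 != v2 else []
    for role, feats in (("primary", f1), ("secondary", f2)):
        if feats.get("Failover", "Disabled") == "Disabled":
            findings.append(f"{role}: license does not support failover")
    for name in sorted(set(f1) | set(f2)):
        if f1.get(name) != f2.get(name):
            findings.append(f"{name}: {f1.get(name)} vs {f2.get(name)}")
    return findings
```

Calling `failover_findings(PRIMARY, SECONDARY)` on full `show version` captures from both units gives the same kind of list; an empty list means the parsed versions and feature tables are identical.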
