Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1428
Views
0
Helpful
3
Replies

Cisco ASA HA - different VPN licenses

J_Vansen_S
Level 3
Level 3

‎07-04-2012 03:22 AM - edited ‎03-11-2019 04:26 PM

We understand that both Units has to be of identical hardware and software, however we are unsure about the licenses between both.

We are running 8.4 version. According to cisco document:

Prerequisites for Active/Standby Failover:

Active/Standby failover has the following prerequisites:

• Both units must be identical security appliances that are connected to each other through a dedicated failover link and, optionally, a Stateful Failover link.

• Both units must have the same software configuration and the proper license.

• Both units must be in the same mode (single or multiple, transparent or routed).

We would like to know what "proper license" means?

Let's say both of my ASA5520 is identical in terms of hardware and software but VPN licenses is different.

Example

ASA1: Anyconnect Essentials VPN (750users)

ASA2: SSL VPN 100 Premium User license

So, my question is. When both units are put in HA mode. Which sets of license do they utilize? OR are they even possible IE make both units in HA mode! without the identical VPN license

Please advise

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎07-04-2012 03:28 AM

With AnyConnect Essential license and SSL Premium license, you can turn it on and off, so depending on whether you turn the anyconnect essential license on or not, if it's on, then the AnyConnect Essential will be used, and if you disable it, then the SSL Premium license will be used.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/a2.html#wp1721336

0 Helpful

J_Vansen_S
Level 3
Level 3
In response to Jennifer Halim

‎07-04-2012 03:38 AM

HAI! Jennifer,

Thanks for your clarification.

Plz correct me if im wrong.

So, meaning to say if id like to use the SSL VPN Premium license on both units as HA. I would just need to turn Essential off on my ASA2?

Scenario:

Active ASA: with SSL Premium license

Passive ASA: with Anyconnect Essential.

If my active ASA goes down. The passive ASA(with AC Essential turned off) will take over with SSL Premium License. Is that what u mean?

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to J_Vansen_S

‎07-04-2012 04:11 AM

Absolutely correct.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card