Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Failover FWSM 4.1(6)

Hi everybody.


I have a problem with the failover FWSM. I have a structure with two switches 6500 and each having a FWSM. I updated the FWSM to 4.1 (6) in the both, but when I try to enable failover got the following error:

First FWSM:

Mate's license (Failover Disabled) is not compatible with my license (Failover Enabled). Failover will be disabled.

Mate's license (VPN-DES Disabled) is not compatible with my license (VPN-DES Enabled). Failover will be disabled.

Mate's license (VPN-3DES-AES Disabled) is not compatible with my license (VPN-3DES-AES Enabled). Failover will be disabled.

Mate's license (2 Contexts) is not compatible with my license (20 Contexts). Failover will be disabled.

Mate's license (0 Contexts) is not compatible with my license (100 Contexts). Failover will be disabled.

Second FWSM:

Mate's license (Failover Enabled) is not compatible with my license (Failover Disabled). Failover will be disabled.

Mate's license (VPN-DES Enabled) is not compatible with my license (VPN-DES Disabled). Failover will be disabled.

Mate's license (VPN-3DES-AES Enabled) is not compatible with my license (VPN-3DES-AES Disabled). Failover will be disabled.

Mate's license (20 Contexts) is not compatible with my license (2 Contexts). Failover will be disabled.

Mate's license (100 Contexts) is not compatible with my license (0 Contexts). Failover will be disabled.

Is necessary that I have the same license to enable failover?

Do not just update only the system?

Thanks!!!

Everyone's tags (1)
3 REPLIES
Red

Failover FWSM 4.1(6)

Hi Anderson,

Yes, it is absolutely necessary that you have the same license on the 2 boxes, it should not take you much time, just download the 3DES license from the site below and you should be good. Install it on your FWSM whihc has it disabled, its free of cost:

https://tools.cisco.com/SWIFT/LicensingUI/ipsCryptoPage

You would also need to have the exact same license for the contexts as well, for which you would need to contact licensing@cisco.com

Refer to this doc as well:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1053685

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Re: Failover FWSM 4.1(6)

Rao,

Thanks for the reply.


However, I have another question. See the description of the licenses below for each box:

First box:

Licensed features for this platform:

Maximum Interfaces          : 1000

Inside Hosts                     : Unlimited

Failover                            : Active/Active

VPN-DES                        : Enabled

VPN-3DES-AES              : Enabled

Cut-through Proxy            : Enabled

Guards                            : Enabled

URL Filtering                   : Enabled

Security Contexts            : 100

GTP/GPRS                     : Disabled

BGP Stub                       : Disabled

Service Acceleration        : Disabled

VPN Peers                     : Unlimited

Second box:

Licensed features for this platform:

Maximum Interfaces          : 300

Inside Hosts                    : Unlimited

Failover                          : Active/Active

VPN-DES                      : Enabled

VPN-3DES-AES            : Enabled

Cut-through Proxy          : Enabled

Guards                         : Enabled

URL Filtering                 : Enabled

Security Contexts          : 2

GTP/GPRS                   : Disabled

BGP Stub                     : Disabled

Service Acceleration      : Disabled

VPN Peers                   : Unlimited

It's the same right? What changes is only the fields:

- Maximum Interfaces

- Security Contexts


There is another way to check the licenses of my box?

Tks again!!

Red

Failover FWSM 4.1(6)

Yup, you would need even the maximum interface and contexts license to be the same. There is no other way to check license.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks, Varun Rao Security Team, Cisco TAC
473
Views
0
Helpful
3
Replies
CreatePlease login to create content