Community Member

FWSM license downgrade to facilitate failover testing

I have two FWSM in the lab.  I was hoping to conduct some failover testing with these but it seems I have different licenses on them.  One is a 50 context license and the other is a 20.  I'm ok with temporarily downgrading the 50 context to a 20 to get the testing done but I don't know if that is even possible without purchasing the 20 context license.  Is that something Cisco would help with?  Does anyone have any experience with this scenario?  Perhaps this is a better question for our Cisco SE, but I thought I would put it out here first.

Thanks,

DW

Accepted Solutions
Cisco Employee

Re: FWSM license downgrade to facilitate failover testing

You can only take the context license to 3 (the default) by clearing the activation-key on both of them.

conf t

clear activation-key

I'd suggest saving a "sh ver" from both units before doing this.

You can do the failover testing with the default 3 context license in both units and once done you can copy and paste the activation key from the saved "sh ver".

If you absolutely need 20 contexts or any other number of contexts, then your first thought of seeing your SE is your best bet.

-KS

12 REPLIES
Community Member

Re: FWSM license downgrade to facilitate failover testing

Does the default license support failover?

Community Member

Re: FWSM license downgrade to facilitate failover testing

I answered my own question.  The default license does appear to support failover, however, I only have two contexts to use and not three.  One of them gets chewed up by the admin context as well so I really only have 1 usable context.  This will do what I need though I think.  Thanks!!!

Community Member

Re: FWSM license downgrade to facilitate failover testing

Hello,

A little bit different of a question, but I think it relates.

I have two FWSMs in failover mode... in multiple context mode - we have the default number of contexts... Recently we just purchased 20 more contexts and need to apply the key.  Would it be possible to apply the key to the standby FWSM and reboot, then once it's back up, apply the key to the primary unit, failover to the standby, so traffic is now running through the 2nd unit while rebooting the primary?

Thank you,

Chris

INX, Inc.

Cisco Employee

Re: FWSM license downgrade to facilitate failover testing

Follow the steps in this link

https://supportforums.cisco.com/message/2008230#2008230

that one of our forum users provided. I am still in the process of fixing our Cisco document (docId=70390) that lists the steps that apparently broke failover in two cases.

-KS

Community Member

Re: FWSM license downgrade to facilitate failover testing

Thanks for the reply.  Is there a way to do what I'm trying to do without an outage?

Chris

Cisco Employee

Re: FWSM license downgrade to facilitate failover testing

Ok I just quickly tested this.

1. Applied license on the secondary/standby - this disabled failover due to license mismatch - sh fail will show pseudo standby

2. write mem on secondary

3. Applied license on Primary/active

4. write mem on Primary

5. enable failover on Primary

6. secondary automatically detects the mate and syncs up.

I tested this on 3.2.x. I am sure this will be the same in 4.x as well.

-KS

Community Member

Re: FWSM license downgrade to facilitate failover testing

Thank you very much for testing it for me... Amazing!

Is a reboot required for the activation keys to be effective?

Cisco Employee

Re: FWSM license downgrade to facilitate failover testing

No problem. I just had a pair so was easy to test.

No. I didn't reboot. It wrote to flash.

Once failover looks good.

"sh ver" shows the correct activation key. Then you are welcome to reboot the secondary/standby and make that active and then reload the primary if needed.

-KS

Community Member

Re: FWSM license downgrade to facilitate failover testing

Hello,

I have another question regarding activation keys... on a 5580 - maybe you know the answer!

I have a customer who has purchased a 5580 and 20 contexts.... Once I apply the new key, I should have 20 contexts... If the client purchases 20 more, will the key application be the same as the first instance?  Is it even possible to go from 2 to 20 to 40?

Thank you,

Chris

INX, Inc.

Cisco Employee

Re: FWSM license downgrade to facilitate failover testing

That is correct. Once you purchase the additional 20 context license to go to a total of 40, Cisco will give you another activation key that you need to key in using the activation-key command.

-KS

Community Member

Re: FWSM license downgrade to facilitate failover testing

Ok - this document explains it a little differently - can you have a look and please let me know what you think:

http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp176651

"You cannot add two separate licenses for the same feature together; for example, if you purchase a 25-session SSL VPN license, and later purchase a 50-session license, you cannot use 75 sessions; you can use a maximum of 50 sessions."

Thank you,

Chris
