How many default virtual context counts with ASA 5585 Series

vincent1103
Level 1

Hi All:

I am preparing to replace an FWSM with the ASA 5585 Series, but I am confused about the default virtual context count on the ASA 5585.

I used 3 virtual contexts on my old FWSM (1 admin context with 2 contexts). According to the ASA configuration guide below:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1188797

It states the ASA 5585 has 2 contexts by default. Does that mean the ASA 5585 has just 2 contexts, or 1 admin context plus "2" contexts (3 contexts available)?

Thanks for your reply.

4 Replies

Jouni Forss
VIP Alumni

Hi,

To my understanding even the ASA with the most basic license has 2 contexts available. The "admin" context doesn't take one of these. So basically you are able to use 2 contexts for your own purposes just like in a FWSM.

Also if you're planning on doing a Failover and running newer software on the ASA, the Failover pair will actually combine those basic 2 Security Context licences and you will have 4 available contexts.

With that you have to take into consideration though that if one of the ASAs should happen to fail for some reason, you will only have a limited time to replace the damaged/offline ASA (might have been a month) to keep the combined amount of 4 Security Contexts. And naturally the active ASA can't reboot or it will lose the 2 additional Security Contexts.

- Jouni

If each context is being backed up with one on the failover mate, you still only have two usable contexts (besides admin).

Dear Jouni:

Thanks for your reply.

I had 2 FWSMs (base license) in an A/S inter-chassis failover topology. Each FWSM has 3 security contexts, and one of the three security contexts has been assigned to the "admin" context role. So I can use the 3 security contexts (on the active FWSM) for network access control. If the active FWSM is damaged, the standby FWSM can handle the access control with no network interruption.

According to your explanation, do you mean I cannot use 2 ASA 5585-X units to fulfill my current requirement?

Hi,

To my understanding the ASA with the most default license lets you use 2 Security Contexts for your own purposes. The admin context will always be there on the ASA when running in multiple context mode. It's created when you change your ASA from its default mode (single) to "mode multiple".

In my original post the latter part was just to mention that, to my understanding, if you use 2 ASAs (almost any model) in failover with software 8.3 and above, the ASAs will combine their licenses regarding some values. For example, when connecting 2 ASAs in Failover which each have a limit of 2 Security Contexts, the limits get combined and the failover pair will have a 4 Security Context limit.

At least that is what I see with the "show version" command and this is also what we have been told by a Cisco employee. I've also been told that if I for example (running 8.3+ OS) buy a 5 Security Context license for the other unit, it will combine the other's base license (2 SC) with the other unit's new license (5 SC), resulting in a combined Security Context limit of 7.

This is what Cisco documentation mentions about Active/Standby and Active/Active Failover Licensing at version 8.3 and above:

Or you have two ASA 5540 adaptive security appliances, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, for example, one unit can use 18 contexts and the other unit can use 12 contexts, for a total of 30; the combined usage cannot exceed the failover cluster license.

I've had 2 ASA5585-X ASAs combined in A/A Failover running 8.4(2) and they have at least shown that they have the combined Security Context limit of 4 Security Contexts.

Here's a partial output of the "show version" command on the ASAs in question when they were just out of the box, combined in Failover with no other configuration than running in multiple context mode and management configuration in the admin context.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10000          perpetual
Total VPN Peers                   : 10000          perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
10GE I/O                          : Disabled       perpetual

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 4              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10000          perpetual
Total VPN Peers                   : 10000          perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
10GE I/O                          : Disabled       perpetual

Though I still suggest confirming all these things with the people/company that you're acquiring the ASA(s) from so you get what you're asking for. Or someone from Cisco could confirm this on these forums.
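
An added example, not part of the thread or of any Cisco tooling: a small Python parser for the two "show version" license tables quoted above, which reports the features the failover pair has combined and checks a required context count against both the per-unit and the cluster limit. The sample text is constructed (abbreviated from the layout quoted above), the function names are hypothetical, and the check assumes, as the thread describes, that a unit left without its peer falls back to its own license.

```python
import re

# Constructed sample: abbreviated "show version" output in the layout quoted above.
SAMPLE = """\
Licensed features for this platform:
Maximum VLANs                     : 1024           perpetual
Failover                          : Active/Active  perpetual
Security Contexts                 : 2              perpetual
AnyConnect Premium Peers          : 2              perpetual

Failover cluster licensed features for this platform:
Maximum VLANs                     : 1024           perpetual
Failover                          : Active/Active  perpetual
Security Contexts                 : 4              perpetual
AnyConnect Premium Peers          : 4              perpetual
"""

HEADERS = {
    "Licensed features for this platform:": "unit",
    "Failover cluster licensed features for this platform:": "cluster",
}
# "<feature name>   : <value>   <license term>"
ROW = re.compile(r"^(?P<name>.+?)\s+:\s+(?P<value>\S+)\s+(?P<term>.+)$")

def parse_licenses(text):
    """Return {'unit': {...}, 'cluster': {...}} mapping feature -> (value, term)."""
    sections, current = {"unit": {}, "cluster": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            current = HEADERS[line]
        elif current and (m := ROW.match(line)):
            sections[current][m["name"]] = (m["value"], m["term"])
        elif line:              # any other non-blank line ends the table
            current = None
    return sections

def combined_features(text):
    """Features whose failover-cluster value differs from this unit's own."""
    lic = parse_licenses(text)
    return {k: (lic["unit"][k][0], v[0]) for k, v in lic["cluster"].items()
            if k in lic["unit"] and lic["unit"][k][0] != v[0]}

def context_headroom(text, needed):
    """Check a required context count against both limits (hypothetical helper)."""
    lic = parse_licenses(text)
    unit = int(lic["unit"]["Security Contexts"][0])
    # Assumption: with no cluster section, only the unit's own license applies.
    cluster = int(lic["cluster"].get("Security Contexts", (unit,))[0])
    return {"unit": unit, "cluster": cluster,
            "fits_cluster": needed <= cluster, "fits_unit_alone": needed <= unit}
```

A design that needs more contexts than `fits_unit_alone` allows depends on the combined license staying in effect, which is the situation the first reply warns about.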
