Number of licenses used by multiple security contexts

tiwang
Level 3

Hi out there

We are going to deploy an active/active setup of 2 ASA 5585's. Here we will implement a concept of security zones through contexts where different services will be firewalled through a separate firewall context. Now my question - will a security context consume 1 or 2 licenses because we are running in an Active/active setup? Right now I got completely confused when my manager asked me that question...

I would say that we only use one security context license - but since we are running in an active/active setup - even though the other instance is standby - will it consume a context license? We are using ASA OS 8.4.x

best regards /ti

Marvin Rhoads
Hall of Fame

Context licenses are not shared. Each device in the cluster must have its own context licenses.

Also note that if you are wanting to use any shared feature licenses, that is incompatible with an Active-Active cluster. Reference.

Hi Marvin

Are you sure? On the same page it is stated that:

– You have two ASA 5540 ASAs, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, one unit can use 18 contexts and the other unit can use 12 contexts, for example, for a total of 30; the combined usage cannot exceed the failover cluster license (in this case, 30).

• For licenses that have a status of enabled or disabled, then the license with the enabled status is used.

• For time-based licenses that are enabled or disabled (and do not have numerical tiers), the duration is the combined duration of both licenses. The primary unit counts down its license first, and when it expires, the secondary unit starts counting down its license. This rule also applies to Active/Active failover, even though both units are actively operating.

Thanks for pointing out the additional information. It is pretty confusing.

I may have misspoken in saying they are not shared as they apparently can be divided across that active-active pair. I'm not entirely clear about all the implications of that.

I'm going to go back to the drawing board and consult with my contacts at Cisco on this particular question prior to muddying the waters further.

Some additional clarification - context licenses CAN be distributed among cluster members. However, each configured context - whether Active or Standby - takes up a context license. The examples I got were as follows:

So if one firewall has 5 active and 15 standby, and the other has 15 active and 5 standby, then you will have to have 40 total context licenses in the cluster license. With the 8.3+ cluster license, though you can have more configured contexts on one firewall than it has local licensing, the total number of configured contexts on both firewalls cannot exceed the cluster license. So if you've got 12 configured contexts on one and 18 on the other, you must have 30 total context licenses between the two even if one may only have a 10 context license.

Hope this helps!

hi again

yes thanks for the reply - this is also what I have concluded - I just shortly got a bit confused by the term "active/active" - we have only been running in an active/standby setup until now

best regards /ti
