Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Number of licenses uses by multiple security contextes

Hi out there

We are going to deploy a active/active setup of 2 ASA 5585's. Here we will implement a concept of security zones through context's where different services will be firewalled through a seperate firewall context. Now my question - will a security context consume 1 or 2 licenses because we are running in a Active/active setup?  Right now I got completely confused when my manager asked me that question...

I would say that we only use on security context license - but since we are running in a active/active setup - even though the other instance is standby - will it consume a context license? We are using ASA OS 8.4.x

best regards /ti

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Number of licenses uses by multiple security contextes

Some additional clarification - context licenses CAN be distributed among cluster members. However, each configured context - whether Active or Standby - takes up a context license. The examples I got were as follows:

So if one firewall has 5 active and 15 standby, and the other has 15 active and 5 standby, then you will have to have 40 total context licenses in the cluster license.  With the 8.3+ cluster license, though you can have more configured contexts on one firewall than it has local licensing, the total number of configured contexts on both firewalls can not exceed the cluster license.  So if you've got 12 configured contexts on one and 18 on the other, you must have 30 total context licenses between the two even if one may only have a 10 context license.

Hope this helps!

5 REPLIES
Hall of Fame Super Silver

Number of licenses uses by multiple security contextes

Context licenses are not shared. Each device in the cluster must have its own context licenses.

Also note that if you are wanting to use any shared feature licenses, that is incompatible with an Active-Active cluster. Reference.

New Member

Number of licenses uses by multiple security contextes

Hi Marvin

Are you sure ? on the same page it is stated that:

–You have two ASA 5540 ASAs, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, one unit can use 18 contexts and the other unit can use 12 contexts, for example, for a total of 30; the combined usage cannot exceed the failover cluster license (in this case, 30).

•For licenses that have a status of enabled or disabled, then the license with the enabled status is used.

•For time-based licenses that are enabled or disabled (and do not have numerical tiers), the duration is the combined duration of both licenses. The primary unit counts down its license first, and when it expires, the secondary unit starts counting down its license. This rule also applies to Active/Active failover, even though both units are actively operating.

Hall of Fame Super Silver

Number of licenses uses by multiple security contextes

Thanks for pointing out the additional information. It is pretty confusing.

I may have misspoke in saying they are not shared as they apparently can be divided across that active-active pair. I'm not entirely clear about all the implications of that.

I'm going to go back to the drawing board and consult with my contacts at Cisco on this particular question prior to muddying the waters further.

Hall of Fame Super Silver

Re: Number of licenses uses by multiple security contextes

Some additional clarification - context licenses CAN be distributed among cluster members. However, each configured context - whether Active or Standby - takes up a context license. The examples I got were as follows:

So if one firewall has 5 active and 15 standby, and the other has 15 active and 5 standby, then you will have to have 40 total context licenses in the cluster license.  With the 8.3+ cluster license, though you can have more configured contexts on one firewall than it has local licensing, the total number of configured contexts on both firewalls can not exceed the cluster license.  So if you've got 12 configured contexts on one and 18 on the other, you must have 30 total context licenses between the two even if one may only have a 10 context license.

Hope this helps!

New Member

Re: Number of licenses uses by multiple security contextes

hi again

yes thanks for the reply - this is also what I have concluded - I just shortly got a bit confused by the term "active/active" - we have only been running in a active/standby-setup until now

best regards /ti

424
Views
0
Helpful
5
Replies
CreatePlease login to create content