New Member

the ASA failover issue related license .

Hi..

We got two ASA 5540s, and we would like to establish failover between them.

But a problem occurred.

First of all, I will show you our license info.

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 200

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 5

GTP/GPRS : Enabled

VPN Peers : 5000

WebVPN Peers : 10

AnyConnect for Mobile : Disabled

AnyConnect for Linksys phone : Disabled

Advanced Endpoint Assessment : Enabled

UC Proxy Sessions : 24

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 200

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Disabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : 5000

WebVPN Peers : 2

AnyConnect for Mobile : Disabled

AnyConnect for Linksys phone : Disabled

Advanced Endpoint Assessment : Disabled

UC Proxy Sessions : 2

As shown in the above log,

the two devices' licenses are different. I know that the ASAs' licenses don't match each other.

They can't establish a failover relationship.

Our main purpose in using the ASA is IPsec VPN connections.

If I sync just VPN-3DES-AES between them, can I establish the VPN? I don't care about the other items.

Your comments would be appreciated.

Thanks in advance.

Accepted Solutions

Re: the ASA failover issue related license .

Sung, everyone's comments are accurate, but if all you want is to only have Client IPsec VPN load balancing and failover between two ASAs, and you are not planning to use them for firewalling/NAT, then you don't need to worry about configuring failover. Just enable VPN load balancing mode. VPN load balancing mode doesn't care about matching licenses. Keep in mind that you can't have failover and VPN load balancing enabled at the same time. If you also have some site-to-site VPNs, you can separately configure both ASAs to provide it and set up the remote site with a backup IPsec peer (don't forget about IGP+RRI on the ASA).

Regards,

Roman

3 REPLIES
Cisco Employee

Re: the ASA failover issue related license .

In order for two ASAs to sync failover, all features must match 100%. So, in order for failover to sync (despite your using the ASAs just for VPN purposes), you will need to have VPN-3DES-AES, 5 Security Contexts, GTP Enabled, 10 WebVPN, and 24 UC Proxy Sessions on the second firewall (along with the already matched features).
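
The license comparison discussed in the reply above, as an added example that is not part of the original thread: it parses the two "Licensed features" listings posted in the question and returns every feature whose value differs between them. The names `UNIT_A`, `UNIT_B`, `parse_features` and `license_mismatches` are hypothetical, and treating the first listing as unit A and the second as unit B is an assumption.

```python
# Added example, not from the thread. Sample text copied from the question; A/B labels assumed.
UNIT_A = """Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Enabled
VPN Peers : 5000
WebVPN Peers : 10
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Enabled
UC Proxy Sessions : 24"""
UNIT_B = """Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2"""

def parse_features(text):
    """Map feature name -> value; lines with no value (the header) are skipped."""
    features = {}
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if value.strip():
            features[name.strip()] = value.strip()
    return features

def license_mismatches(a_text, b_text):
    """Return {feature: (value_a, value_b)} for every feature that differs or is missing."""
    a, b = parse_features(a_text), parse_features(b_text)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for feature, (va, vb) in license_mismatches(UNIT_A, UNIT_B).items():
        print(f"{feature}: {va} != {vb}")
```

Run on the two listings from the question, it reports six differing features: Advanced Endpoint Assessment, GTP/GPRS, Security Contexts, UC Proxy Sessions, VPN-3DES-AES and WebVPN Peers.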

Hall of Fame Super Silver

Re: the ASA failover issue related license .

Sung

You cannot use the ASA for VPN if you establish an active/active failover. You could use the ASA for VPN if you configure it for active/standby (and if you get all the license parameters to match as explained correctly by Kevin).

HTH

Rick
