Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5520 w/AIP - Which service agreement(s) are needed?

Hi guys, I recently purchased an ASA 5520 with the AIP-20-SSM module and I want to take advantage of the IPS services and be covered for a year 24/7.

I've asked two resellers for quotes, and am getting different answers as to what kind of service agreement(s) I need to make sure I'm being covered.

One says I just need the Cisco SMARTnet Onsite Premium ESA (CON-OSP-AS2BUNK9) while another says I need that plus the "Cisco Services for Intrusion Prevention Systems Advance Replacement" (CON-SU3-AS2A20K9).

Do I actually need both, and if so, what do they cover? (Sorry I'm a noob to Cisco products :))


Cisco Employee

Re: ASA 5520 w/AIP - Which service agreement(s) are needed?

Do you know the original part number that was used to purchase the 5520 and AIP-SSM-20?

This original part number will help to determine which contract you need.

The Cisco SMARTnet contract is not correct. SMARTnet contracts cover only the ASA, and do not cover the AIP-SSMs.

For AIP-SSMs you have to purchase a Cisco Services for IPS contract.

The SMARTnet contracts cover both hardware and software.

The Cisco Service for IPS contract covers hardware and software just like SMARTnet but also covered the IPS signature support (which includes the license for signature updates).

The Standard Cisco Service for IPS contracts begin with either:


The SU is for the standard service the SUO is for onsite service.

It is then followed by a number between 1 and 4. The higher the number, the quicker and more response service you are paying for. A 1 is for Next Business Day, while a 4 is for immediate service anytime of the day.

It is then followed by a designator specific to what the original purchased part number was.

CON-SU3-AS2A20K9 sounds like it might be what you need.

The CON-SU lets you know it is a standard Cisco Service for IPS contract (it is NOT for onsite service)

The 3 is for 24x7x4 level of service (you could change this to a 1, 2, or 4 depending on the speed of response you want).

The AS2A20K9 is for the part number ASA5520-AIP20-K9. The ASA5520-AIP20-K9 is a bundle part number that consists of a 5520, SSM-20, and 3DES encryption.

You will want to look back at your original purchase and ensure that ASA5520-AIP20-K9 was the original bundle part number you ordered.

ASA5520-AIP20-K8 is similar but only includes single DES encryption. It's service contract would end in AS2A20K8 (notice the K8 at the end).

The nice thing about a CON-SU3-AS2A20K9 contract is that it actually covers both the SSM AND the ASA. So it covers the IPS hardware, software, and signature license; as well as the ASA hardware and software.

Alternatively you may have actually purchased an ASA bundle and the SSM-20 as a configured Spare (instead of automatically included in the bundle).

In this case you would have bought 2 part numbers originally.

You may have bought ASA5520-BUN-K9 for the original ASA with a 3DES license, and then had a ASA-SSM-AIP-20-K9= or ASA-AIP-20-INC-K9 as well which would have add the AIP-SSM-20 into the ASA as a configured item. So 2 separate part numbers for the ASA and SSM, instead of a single bundle part number.

In this case the SMARTnet contract you were quoted would cover just the ASA5520-BUN-K9 which is just the ASA 5520.

You would then have to buy a Cisco Service for IPS specifically for just the SSM-20.

The contract would be:

CON-SU3-ASIP20K9 and it would only cover the IPS hardware (the SSM), software, and signature license.

Hope this helps.

New Member

Re: ASA 5520 w/AIP - Which service agreement(s) are needed?

Marcabal, thank you very much - The part number for my firewall is the ASA5520-AIP20-K9, so it sounds like the CON-SU3-AS2A20K9 is for me :)

Thanks again!