Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPS licensing on Cisco ASA 5510 Active/Standby pair

I have two ASA 5510 appliances in Active/Standby mode.  I am thinking about buying two used IPS modules and installing them.  My question is, does this require me to purchase 1 or 2 IPS licenses?  We are on 8.4 right now, and I see in 8.3 Cisco changed licensing for A/S to where you only need one license and not two.  This is true for VPN licenses anyway, so I was wondering if the same applies to IPS licensing. 

Furthermore, does the single licensing model go as far as only needing one base license for the A/S pair too?  Or is the base license something you have to have two of for an A/S pair?                  

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

Re: IPS licensing on Cisco ASA 5510 Active/Standby pair

Failover doesn't like it f you only have a module in the primary ASA. So you should have two modules. But it's fine if you don't have a subscription-license for your secondary IPS (at least for the system).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
7 REPLIES
VIP Purple

IPS licensing on Cisco ASA 5510 Active/Standby pair

For IPS you need two licenses. The IPS-modules don't know anything that they are running in Failover-ASAs. You also have to configure them separately and there is no config-replication between the modules.

Your second question is not quite clear to me. If you want to run Failover on the 5510, both units need the SecurityPlus license. Without them the two units won't pair to a failover system. After pairing to an FO-system the remaining licenses are shared.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

IPS licensing on Cisco ASA 5510 Active/Standby pair

That unfortunate.  It seems like with the VPN licensing they realized if you were in an active/standby configuration then you should only have to pay for one license, thus the license change in 8.3+ only requires you to purchase one license.  I thought this would have carried over into IPS. 

Beings we haven't failed over to the standby unit in 2 years, would it be possible to install the IPS module in both the active and standby appliances, but just license the one in the active mode?  I don't care if we are running without IPS on the standby if we did have to failover for some amount of time.  Or does having it licensed on one and not the other mess with being in active/standby failover mode?

VIP Purple

Re: IPS licensing on Cisco ASA 5510 Active/Standby pair

only having a license on one IPS will work. These modules are ships in the night, they don't know anything about the other.


Sent from Cisco Technical Support iPad App


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: IPS licensing on Cisco ASA 5510 Active/Standby pair

Thanks for the reply.  So if that's the case then do I need to purchase two physical modules, one for each ASA, and then only license the primary one?  Or could I even get away with only buying one module for the primary ASA and not even putting an "unlicensed" one in the standby?  Or will that cause issues beause the hardware at that point is not identical?

VIP Purple

Re: IPS licensing on Cisco ASA 5510 Active/Standby pair

Failover doesn't like it f you only have a module in the primary ASA. So you should have two modules. But it's fine if you don't have a subscription-license for your secondary IPS (at least for the system).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: IPS licensing on Cisco ASA 5510 Active/Standby pair

Sorry to drop one more question about this, but I'm confused what parts and services I need to purchase for this.  We have a 5510 ASA with security plus license.  I want to install the IPS module and then whatever else I need to have support and get updates for it.  What is the part number for the IPS module and what are the service SKUs I'd need to get for it?

Thanks!

VIP Purple

Re: IPS licensing on Cisco ASA 5510 Active/Standby pair

The Module has the part# ASA-SSM-AIP-10-K9= and the IPS services have the # CON-SU1-ASIP10K9. For the services you can choose one, two or three years. Ask you cisco-partner for "3 for 2" promotions (get three years, pay two years).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
1171
Views
0
Helpful
7
Replies
CreatePlease login to create content