ASA Licensing!

Leo_Stobbe
Level 1

I have 2 questions:

1. I have 2xASA firewalls with different licenses.

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 150

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : 750

WebVPN Peers : 2

This platform has an ASA 5520 VPN Plus license.

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: Ethernet0/0 : address is 0018.195b.ccfa, irq 9

1: Ext: Ethernet0/1 : address is 0018.195b.ccfb, irq 9

2: Ext: Ethernet0/2 : address is 0018.195b.ccfc, irq 9

3: Ext: Ethernet0/3 : address is 0018.195b.ccfd, irq 9

4: Ext: Management0/0 : address is 0018.195b.ccf9, irq 11

5: Int: Not used : irq 11

6: Int: Not used : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 50

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : 250

WebVPN Peers : 2

This platform has a Base license.

1. In the first output you can see Active/Active failover, even though I have configured Active/Standby. Why?

2. In the first output you can see that the platform has a VPN Plus license, but the second one has a Base license. How is it related to the system ASA IOS? Or does it not depend on the ASA IOS? And licenses are burned to some chip on the ASA, maybe? Can somebody give me a link with more information about that?

thanks

Accepted Solutions

Leo,

As Rick says, there is only one version of PIX/ASA software for each release. Individual features are enabled by a licence key. So what I meant to say was that the 1st device has a licence which gives the capability of 750 simultaneous VPN connections, whilst the 2nd can only have 250. The 2nd device also supports fewer VLANs and only one context.

All these features can be upgraded with a new licence key and a reboot; no new software would be required.

mark.hodge
Level 1

1 - Active/Active means the device is "capable" of participating in a cluster. It doesn't mean it is currently doing so.

2 - VPN Plus determines the number of simultaneous VPN peers, 750 vs 250 on the standard.

Leo

For your first question, Mark got it exactly: it is reporting what the license is capable of, not reporting what you have configured it to do.

For your second question, Cisco has adopted a somewhat different approach with the ASA code as compared to router code, in which the feature set determines what capabilities are enabled. In the ASA, I believe all the capabilities are included in the code but only features within your license are activated. If you were to upgrade the license, I believe that you would get more features available without needing to change the code.

HTH

Rick
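As an added example (not part of the original thread, and not Cisco code): a small Python parser for the "Licensed features for this platform" section quoted in the question, which lists the features whose licensed value differs between the two units. The function names are hypothetical, and the sample text is the license lines copied from the two outputs in the question.

```python
import re

# License lines copied from the two outputs in the question (blank lines dropped).
UNIT_A = """Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
This platform has an ASA 5520 VPN Plus license.
Boot microcode : CNlite-MC-Boot-Cisco-1.2"""
UNIT_B = """Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
This platform has a Base license."""
NAME_RE = re.compile(r"This platform has an? (.+) license\.")

def parse_license(text):
    """Return (license_name, {feature: value}) for the license section only."""
    name, features, in_section = None, {}, False
    for line in map(str.strip, text.splitlines()):
        if line == "Licensed features for this platform:":
            in_section = True
        elif in_section and (m := NAME_RE.fullmatch(line)):
            name = m.group(1)
            break  # hardware/microcode lines after this are not license data
        elif in_section and " : " in line:
            key, value = line.split(" : ", 1)
            features[key.strip()] = value.strip()
    return name, features

def license_diff(a, b):
    """Features whose licensed value differs, as {feature: (a_value, b_value)}."""
    fa, fb = parse_license(a)[1], parse_license(b)[1]
    keys = sorted(fa.keys() | fb.keys())
    return {k: (fa.get(k), fb.get(k)) for k in keys if fa.get(k) != fb.get(k)}
```

Calling `license_diff(UNIT_A, UNIT_B)` reports what each license permits, not what is configured on either unit.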
