Cisco Support Community
New Member

SSL license upgrade for failover ASA

In order to upgrade the standard 2 user SSL license to 50, do I have to purchase an SSL license for both the active and failover ASA, essentially doubling my cost? I bought one license and loaded it into the active unit, and obviously now it won't go into failover mode because the 2 units don't match. If you have to purchase a license for both, that certainly makes it ridiculously expensive to upgrade any license in a failover.


Greg M


Re: SSL license upgrade for failover ASA


As far as I know you do need to license both. PAK issues an activation key per firewall serial number... I'm not aware of any other way around it.

You can always write directly and see if there is a way around it.

Although it is not recommended in a failover deployment, there is VPN Flex licensing, where you may use a temp license in the standby when it becomes active. It sounds tedious to keep track of time-based licenses, but it may help if money is an object in purchasing an additional 50 SSL license for the standby. I'm not aware of the cost differences when using a flex license compared with a permanent license.

Some basic details here.


Re: SSL license upgrade for failover ASA

Prior to the release of 8.3 code, the failover feature looked at the member ASAs to ensure that the licensing matched. With 8.3, only one unit needs a valid license. If one ASA has a 50 user persistent license and the other has the default of 2 users, the total that the HA pair could support is 52. Remember that in order to upgrade to 8.3, each platform has strict memory requirements, many of which will require a memory upgrade.

Re: SSL license upgrade for failover ASA

Topula, indeed excellent info! I think this is something folks were looking for prior to 8.3.
