topic Paired ASA HA License Activation in Network Security

Paired ASA HA License Activation

Mike.Cifelli — Mon, 13 Jul 2020 20:16:57 GMT

Seeking guidance on an ASA licensing concern. Currently a customer of mine has an RA VPN solution utilizing two 5555-X ASAs that are already paired in HA. New licenses were recently acquired and need to be installed. There has been back and forth with TAC on the process. I was advised that the following process would work:
Login to primary
Break HA (no failover)
Activate lic key
Login to standby
Activate lic key
Back to primary
Enable HA (failover)
Test & confirm
I was also advised that this will result in no service interruption. However, it was also mentioned that we "may" need to reboot. I will be on site for this task in case there are any emergency issues with the RA VPN since most are teleworking. Can anyone confirm the process to activate the new licenses on each ASA while they are already paired in HA or provide suggestions if there is an easier way. Thanks in advance!!

Re: Paired ASA HA License Activation

Marius Gunnerud — Mon, 13 Jul 2020 20:49:01 GMT

What license are you going to install?

And what ASA version are you running?

Re: Paired ASA HA License Activation

Mike.Cifelli — Mon, 13 Jul 2020 20:58:33 GMT

Forgot to include that info, sorry and thanks:
ASA AnyConnect Term
SW ver: 9.12(3)7

Re: Paired ASA HA License Activation

Marius Gunnerud — Mon, 13 Jul 2020 21:08:37 GMT

If you are only adding the AnyConnect license then I do not understand why TAC suggested to break the HA pair.

You need to only add the license to the primary active ASA and the license will sync to the standby. I suggest having a service window for this change, however, there should not be any noticable impact on the users. I have never had to do a restart of an ASA when adding an AnyConnect license, but there is a first time for everything.

Re: Paired ASA HA License Activation

Marius Gunnerud — Mon, 13 Jul 2020 21:11:32 GMT

Some documentation if you want to read:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/intro-license.html#ID-2148-00000a6e

Re: Paired ASA HA License Activation

Marvin Rhoads — Tue, 14 Jul 2020 02:14:14 GMT

My experience matches that of @Marius Gunnerud . I've installed over a hundred AnyConnect license activation keys over the years and never had to touch the HA configuration or reboot.

In ha the licenses sync but f you want to have an independent key on the Secondary unit you can also use your PAK to get an activation-key for it as well.

Re: Paired ASA HA License Activation

Mike.Cifelli — Tue, 14 Jul 2020 12:48:32 GMT

Attempted to install this am. Here is my current situation:
Primary Serial Number: xxxx7ZXR
Running Permanent Activation Key: <key ommitted>

Standby Serial Number: xxxx70KK
Running Permanent Activation Key: <key ommitted>
Running Timebased Activation Key: <key ommitted>

The permanent keys are the new ones getting installed which both primary and standby accepted. However, when I issue a show ver on the standby unit the licenses depict that they expire in 15 days and there is still a running timebased activation key. Not sure if we will be ok once it expires.

Primary output:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 5000 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

Standby output:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 12 15 days
Carrier : Disabled perpetual
AnyConnect Premium Peers : 5000 15 days
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

Please advise. Thanks!

Re: Paired ASA HA License Activation

Mike.Cifelli — Tue, 14 Jul 2020 18:01:12 GMT

Adding additional info: TAC recently changed their original response as I think there was confusion between us. They claim that once the temporary lic expires the secondary unit will consume the permanent key and there will be no issues. Can you confirm this? Lastly, is there any way to confirm this is true prior to expiration? Would a force failover trigger the activation of the new key on the standby unit? Can I manually remove the current temp lic on the standby unit? TIA

Re: Paired ASA HA License Activation

Marius Gunnerud — Tue, 14 Jul 2020 18:57:07 GMT

I have nevery encountered this particular scenario, but I do not foresee an issue when the time-based license expires. You can deactivate the time-based license by adding the "deactivate" keyword at the end of the activation-key command.

show activation-key

activation-key xxxxx deactivate !(replace xxxxx with the actual key)

You can deactivate the time-based key and then issue a show version on the standby unit. If you want to test, perform a failover to the standby unit.

https://www.ciscopress.com/articles/article.asp?p=2209314&seqNum=2

Re: Paired ASA HA License Activation

Mike.Cifelli — Wed, 15 Jul 2020 13:32:14 GMT

@Marius Gunnerud thanks for the additional info. The deactivation as you suggested of the temp license worked as expected and now both units are running the new licenses! Thanks for the assistance.