ASA 5510 getting the right pair

Hi, I have a 5510 with security plus on 7.2(3) and I am looking to pick up an economical 2nd unit on eBay to configure as an HA pair A/S. Of course there are quite a few on offer, and the one I am looking at matches fairly closely. My question for the board is how particular is the licensing when it comes time to pair them up? Both are Security Plus, and I don't understand why the discrepancies in Max VLAN, security contexts, and a couple of the other parameters.

My reading about the licensing doesn't indicate different levels of security plus e.g. Max VLAN is just stated as 100. I am thinking that is because the #2 is on 7.0(3). Maybe some of those features were increased in the later versions? But I have no way of checking until I buy it--

The plan will be to upgrade both to 8.2 and bump mine to 1GB to match ... just wanted to make sure I wouldn't be in a situation where they wouldn't pair for some reason. Thanks in advance

Mine

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 100
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 250
WebVPN Peers                : 2

This platform has an ASA 5510 Security Plus license.

Proposed#2

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 150

This platform has an ASA 5510 Security Plus license.
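
As an added example that is not part of any post in this thread, the Python sketch below parses the two "Licensed features" blocks quoted in the question and lists the rows that differ between the units. The function names are hypothetical, and the sample text is copied from the outputs above.

```python
import re

# Rows copied from the two "Licensed features" excerpts in the question above.
MINE = """\
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 100
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 250
WebVPN Peers                : 2
"""

PROPOSED = """\
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 150
"""

# One "name : value" row; lines without a colon (banner text) are skipped.
ROW = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")

def parse_features(text):
    """Return {feature name: value} for each 'name : value' row."""
    features = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            features[m.group("name")] = m.group("value")
    return features

def license_diff(a_text, b_text):
    """List (feature, value_a, value_b) for rows that differ or are missing."""
    a, b = parse_features(a_text), parse_features(b_text)
    names = list(a) + [n for n in b if n not in a]
    return [(n, a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)]

if __name__ == "__main__":
    for name, mine, other in license_diff(MINE, PROPOSED):
        print(f"{name:<28} mine={mine!s:<16} proposed={other}")
```

A value of `None` means the row is absent from that unit's output, as with the WebVPN Peers line on the older image.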

1 ACCEPTED SOLUTION

ASA 5510 getting the right pair

Hello,

Indeed there are some differences that you must fix in order to be able to have a failover pair, BUT as you will be increasing the memory, why don't you go to 8.3, as the license restriction will disappear for failover purposes;

the units will now share the licenses instead of comparing them.

regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


ASA 5510 getting the right pair

Thank you for the reply. Yes, it's the pros and cons, isn't it - I have only this one ASA to support and had read some threads about 8.3 being more of a major/breaking changes kind of upgrade. So... I was thinking of only going to 8.2 so as not to have that fight.

But if the licensing is going to be a stumbling block I will definitely consider it (8.3).

I just did some more searching and found Table 10 at the following link which shows the release history http://www.cisco.com/en/US/docs/security/asa/asa80/license/license80.html#wp95122

This explains the Maximum VLANs for example, and I would expect it to jump up to 100 on the newer release. Also the WebVPN. I suspect security contexts will jump up to 2 with the newer release also, but I can't confirm that from the table. Was there any specific item you thought might need a license to be purchased separately from the Security Plus?

ASA 5510 getting the right pair

Read enough posts and eventually things become clear. https://supportforums.cisco.com/thread/2195557

This guy was looking at a similar scenario with respect to the numbers. He was on 7.0(8) and was showing 0 security contexts, upgrading to 8.0(5) broke the logjam. I can see his output after 8.0(5) matches mine, except for the addition of the AnyConnect lines.

Security contexts were introduced in 7.0(1) http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp130567

so I'm kinda surprised they weren't showing up until he loaded 8.0, but who knows.

I will leave this open for another couple days in case anyone has other comments, but I am pretty comfortable going ahead after what I've read, and as you say if it goes balls up I can always go to 8.3 and replicate the licenses.

ASA 5510 getting the right pair

Hello,

Sure, do what you want. It's all about you feeling comfortable with the solution,

regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC