I'm looking at deploying a pair of ASA 5515-X firewalls and would like to use contexts to create virtual firewalls for different purposes. I'd also like to add some resilience by configuring the pair either in active/standby or active/active (not sure which).
I'm looking at using either five or four contexts.
If I want to use five different contexts. Please can you advise what I need to licence for either:
If I want to use four contexts, would I be able to utilise all four without purchasing additional context licences as each ASA comes with two security contexts built-in?
If so, would this only be in an active/active configuration (i.e., two contexts on each ASA), and what would happen if one device failed?
I've done a fair amount of reading on this, but it's pretty confusing, so any help appreciated!
You would need to have 5 Context license on both the devices. You can work with 5 Context license on one device as well but if the other unit does not have 5 Context license , the context replication would not take place.
Thanks and Regards,
Thanks! I've looked at that link and the following text seems relevant:
You have two ASA 5540s, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, one unit can use 18 contexts and the other unit can use 12 contexts, for example, for a total of 30; the combined usage cannot exceed the failover cluster license (in this case, 30).
So, if I buy only one "5 context licence", I would have 5 contexts on one ASA and the default 2 contexts on the second ASA. The above suggests I therefore have a total of 7 contexts and I can split the contexts between both ASAs (e.g., 4 on one, 3 on the second).
This suggests that I don't need to buy 5 context licences for both devices??
Yes , I agree that the license would be combined on the Active unit but if you have only 2 context license on the standby unit , replication would only happen for admin + 2 contexts only. Rest will error out although the contexts would work fine on the active.
This would create issues only when the units failover.
You would not be able to distribute the cluster licenses. It will all be used only on the Active unit.
Thanks and Regards,
Thanks for the comment Vibhor.
Does what you say only apply to Active/Active configurations? What would happen in an Active/Standby with 5 contexts on one ASA and 2 contexts on the secondary?
Also, when you say "admin + 2 contexts", I was under the impression that on a two context ASA, one context was admin and the other context was for use? Is it actually that the admin context is in addition to the two provided by the default configuration?
Just want to make sure that there is no confusion on my comments, as long as the context count on the devices is not more than the cumulative count of licenses on HA, there should not be an issue with the Failover replication.