ASA high availability licensing

brian.k.clarke
Level 5

A customer is currently running a 5520 ASA pair in active/standby HA mode. The devices also have an IPS module, one of them using a temporary (60-day) license.  So, right now, licensing is identical on both ASAs and HA is operational.

The question is what exactly will happen after 60 days, once the temporary license expires? Does HA shut down completely once it's determined that the licensing isn't a 100% match any longer, or does it just cripple one feature (such as the IPS module)?

The customer is balking at purchasing SMARTnet for the 2nd ASA, so I need to explain exactly what is going to happen (if anything) once the license on the 2nd ASA drops off...

Thank you!

If the license expires, your failover will not suffer any problems. Your ASAs will have the same license and hardware installed. The only problem here is that you will not be able to update the signatures on the AIP-SSM installed on the secondary unit. If the primary unit fails, the secondary will take over and work with the current signatures installed on the unit.

I hope this helps.

Thank you - one point of clarification if I may:

Cisco makes quite the point that hardware and licensing "must be identical" on both boxes in an HA pair.  I think I'm hearing that it isn't really a requirement to bring the HA pair up, but rather to support all of the potential features the standby might have to perform during failover.  Putting this another way - if I had one box with 100 AnyConnect users on it, and the 2nd box had none...  would the HA pair still come alive, and just not provide SSL connectivity during failover?

Thanks again!

Depending on the version, you could have that scenario with the AnyConnect licenses. In version 8.4 there is something called Shared Licenses:

Here is the explanation:

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/license/license_management/license.html#wp1464911

In other versions, the license features need to be the same, including AnyConnect. In the case of the AIP-SSM, the license is for the module, not for the ASA, so there you won't have that problem.

Great - thanks again!
