Solved: Re: Installing AnyConnect Apex Term on ASA 5525X HA pair

N3t W0rK3r · ‎08-23-2018

Hello,

We just obtained L-S-AC-APX-LIC= SVP Cisco AnyConnect Apex Term Lic PAK for our ASA 5525X HA pair.

I went through the registration process and obtained licenses for each of our two ASA's in the HA pair.

My questions are:

1. Do I need to install this new license on each ASA in the pair or just the license for the primary on the primary?

2. Is the installation of this license service impacting??

3. On the PAK under Entitlement Quantity it says 3000, but in the registration email I received it shows that AnyConnect Premium peers is only at 750 (see below). Why the discrepancy?

Failover : Enabled

Encryption-DES : Enabled

Encryption-3DES-AES : Enabled

Security Contexts : Default

GTP/GPRS : Disabled

AnyConnect Premium Peers : 750

Other VPN Peers : Default

Advanced Endpoint Assessment : Enabled

AnyConnect for Mobile : Enabled

AnyConnect for Cisco VPN Phone : Enabled

Shared AnyConnect Premium License server : Disabled

Shared License : Disabled

UC Phone Proxy Sessions : Default

Total UC Proxy Sessions : Default

AnyConnect Essentials : Disabled

Botnet Traffic Filter : Disabled

Intercompany Media Engine : Disabled

IPS Module : Disabled

Cluster License : Disabled

vCPUs : 0

Thanks in advance.

John

Rahul Govindan · ‎08-23-2018

1) Just on the active unit of the HA pair (ideally your primary). Should get synchronized with Standby

2) No impact AFAIK.

3) 5525-X only can do a maximum of 750 Anyconnect sessions. So the peer count will be limited to that.

View solution in original post

Rahul Govindan · ‎08-23-2018

1) Just on the active unit of the HA pair (ideally your primary). Should get synchronized with Standby

2) No impact AFAIK.

3) 5525-X only can do a maximum of 750 Anyconnect sessions. So the peer count will be limited to that.

N3t W0rK3r · ‎08-23-2018

Thank you Rahul.

I just installed the license on the active-primary and the new features are reflected in the output of "show ver" for both the platform and the cluster. When I ran "failover exec standby show ver" from the primary, the features did NOT show up on the platform but does for the cluster. Is this normal and expected?

Thanks.

John

Rahul Govindan · ‎08-23-2018

This is expected. You have not installed a license on the secondary unit, so it only inherits those features when part of the cluster/HA. Make sure you have the AnyConnect image files manually uploaded to both the primary and secondary units. This is not replicated automatically through failover.

N3t W0rK3r · ‎08-23-2018

Thanks again Rahul.

So is there any harm in installing the secondary's license on the secondary? What happens if the primary totally dies and goes offline such that there no longer is an HA pair?

John

Rahul Govindan · ‎08-23-2018

No harm in adding it to the Secondary. It does not come into play until the Primary is down for more than 30 days. If the Primary goes down, the secondary uses the cluster license for 30 days. After 30 days it reverts back to its locally installed license.

N3t W0rK3r · ‎08-23-2018

Perfect!! Thanks so much for the quick responses Rahul! Have a great day.