IPS Licencing for active/passive cluster

borisdecout
Level 1

We have two 5525-X set up for active/passive failover.

We would like to add IPS to the cluster.

My vendor and I have contacted different people at Cisco and got different answers, so I hope someone can add more information.

The question is "how many licenses of L-ASA5525-IPS-SSP= are needed to enable IPS on the failover cluster running 8.6.1"

The agent from the licensing group I talked to says only one license is needed because the licenses are now shared on a cluster running V8.3 and above.

My vendor says I need two licenses of L-ASA5525-IPS-SSP= because the IPS modules are independent on each ASA.

Does anybody know, for certain, the answer to this licensing question?

Thanks

10 Replies

jocamare
Level 4

In this doc, it says:

http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html

"The combined failover cluster license does not let you pair non-IPS and IPS units. For example, if you buy the IPS version of the ASA 5515-X (part number ASA5515-IPS-K9) and try to make a failover pair with a non-IPS version (part number ASA5515-K9), then Cisco will not let you obtain IPS signature updates for the ASA5515-K9 unit, even though it has an IPS module license inherited from the other unit."

The way I interpret this is that if you only apply one license to your active failover unit, it will enable the IPS software to run on the passive ASA because the license will be inherited.

However, you won't be able to apply signature updates to it.

So the IPS and HA should work with only one license on the cluster with the caveat of outdated signatures when failing over the passive ASA.

Is that correct?

Not really.

To activate the IPS feature on a non-IPS model, you need to enable it in the ASA's license.

The licenses we are talking about are for virtual units apart from the ASAs; the licenses of these virtual devices let them get updates, nothing more.

"...then Cisco will not let you obtain IPS signature updates for the ASA5515-K9 unit..."

It's because the IPS functionality is not even enabled.

Makes sense?

"Cisco will not let you obtain IPS signature updates for the ASA5515-K9 unit, even though it has an IPS module license inherited from the other unit."

This sentence is misleading then.

By saying "Cisco will not let you obtain IPS signature updates", I assume that the IPS module will run but getting signatures won't be possible.

It should say:

"Cisco will not let you start the IPS module even though it has an IPS module license inherited from the other unit."

The paragraph before that one clarifies it:

"You must also purchase a separate IPS signature subscription; for failover, purchase a subscription for each unit"

The thing is not even inheritable.

The way I understand it, there are two types of licenses:

One that is applied to the ASA and that enables the IPS module.

This license is inherited by the passive ASA on a cluster.

The second one is applied to the module itself to enable signature updates and is not inherited, which is why two are needed. That license comes from a support contract such as CON-SU3-A25IPS9.

So I am back to questioning whether I need one or two licenses on the ASA (L-ASA5525-IPS-SSP=).

According to the documentation, it would seem that this license applied to the primary ASA will be inherited and enable me to activate the IPS module on the secondary ASA.

I would then need to get two IPS module licenses to enable signature updates (using the correct IPS SMARTnet contract).

Or only get one for the active ASA and live with the fact that the passive ASA will have an outdated signature database in case of a failover.

I don't have a couple of 5500-X units to test this myself, but I insist.

The feature is not inheritable.

There are two types of licenses, and you need one of each per unit.

One for the ASA to enable the IPS module and another one to let the now enabled module get the sig updates.

Since the document is somewhat vague, something else could be understood.

There should be a document/table listing the inheritable features.

I guess that the best way to test this is by trying to recreate the scenario and get the answer you need from the units.

That in case you have a pair of ASAs.

Wondering if this one ever came to a conclusion. Do we need 1 or 2 IPS feature licenses for the failover cluster?


You need two licenses.

I would recommend that you contact Cisco Licensing and request 30 day eval license keys so you can see for yourself.

Two for the ASAs, which you can get online, and two for the IPS modules, which you can get from the licensing group.

If you don't care about having the latest IPS signature definitions during testing, then you can do without the IPS licenses.

After that you'll probably realize that you don't need any licenses at all but rather a different product.
