A question about the part number for an ASA5525-X failover unit

mat_rouch · ‎09-30-2014

I am looking at purchasing two ASA5525-X firewalls to be used as a failover pair. In the past (a LONG time ago) I seem to recall that there was a different part number for the firewall that was going to be used as the failover unit. I have not been able to find anything like that for the 5525-X. The primary unit would be a ASA5525-IPS-K9, since I want to take advantage of the IPS functionality. Would I need to purchase an identical ASA5525-IPS-K9 to be used as the failover unit, or is there a different part number I should use? I've found several documents online that state that the failover unit inherits the licensed features of the primary unit (for 30 days after the primary unit's failure) but nothing about the part numbers for the original hardware purchase.

Thanks,

-Mat Rouch

Marvin Rhoads · ‎09-30-2014

For the 5525-X, you would use identical part numbers. Each would need an associated Smartnet support contract for their respective IPS modules' subscription-based definitions to update properly. All the other licensing on the Primary - Active unit would convey to the Secondary - Standby in an HA configuration.

Although you didn't ask, if you had the 5512-X entry level model (or older 5505 or 5510) each would need to be ordered with Security Plus licensing to build an HA pair.

I would recommend considering either the FirePOWER or CX module IPS vs the one you mentioned. The ASA5525-IPS-K9 is the legacy Cisco IPS technology that's gradually being phased out in favor of the newer type. While it is indeed still sold, we are encouraging customers to consider adopting the Next Generation Firewall IPS type vs the older one as it covers a more comprehensive threat spectrum.