
Anyconnect License in HA Pair confusion

dan hale
Level 3

Hello All, I have two Cisco ASA-5525-X in an HA pair. I also have two AnyConnect PAKs of AC-VPNO-100. Do I need to install 1 of each PAK on each of my ASAs, which would come out to only 100 AnyConnect since it's in an HA pair, or do I need to install both of them only on the primary so that I would have 200 AnyConnect licenses?

I say primary because of this from the below document on Cisco's site:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/license.html#wp1315746

Failover License Requirements

Failover units do not require the same license on each unit.

 

Older versions of adaptive security appliance software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.

Thanks,

Dan



Marvin Rhoads
Hall of Fame

That reference is a bit older and was published prior to the VPN Only license type becoming available so it does leave some ambiguity.

For active/standby pairs, only the primary headend is required to have a VPN Only license.

This is documented by Cisco in the AnyConnect Licensing FAQ here:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc5

Thanks Marvin. So if I have two VPN-only licenses of 100, should I install them both on the headend device?

Thanks,

Dan

Yes, that's the recommended approach - redeem both PAKs using the serial number of the primary ASA. The HA pair will then have the full 200 licenses.

Sorry, but VPN only licenses are not additive. If you need 200 then you need to purchase a 200 license SKU. You cannot buy 2 x 100 or "100 now and 100 later" to accomplish the same result.

Should you ever have to return the primary ASA due to hardware failure (RMA), Cisco licensing team will rehost the licenses for you as part of the service request.

Hi Marvin,

I've never tried it myself, but I've heard that there can't be multiple VPN-Only licenses on one device as they don't stack. Have you seen that working?

Hi Karsten,

Thanks for pointing that out - you are correct. VPN Only licenses are not additive. It's even pointed out in the FAQ that I linked earlier.

I've updated my reply to note that point.

Hi Marvin, so I purchased 2 x 100 VPN only licenses and you pointed out that they are not stackable... Should I apply the second VPN only license to my secondary HA so when it fails over?

Am I reading the Cisco documentation correctly, in that I only need to apply it to the Primary, and when it fails over it will use the Primary licensing? What would happen if the Primary completely shuts down?

Thanks,

Dan

License types that are shared among an HA pair while registered to a Primary-Active member will remain in effect on the Secondary-Active (formerly Secondary-Standby) in the event of that member's failure for up to 30 days after the member is removed.

The expectation is that by that time the Primary member will either be restored to service or replaced by a new unit (with associated license rehosting if it is under a service contract with associated RMA).

Perfect...

Thanks,

Dan

I have 2 Cisco Firepower 2110 NGFW in High Availability (HA) (Active / Standby).

 

If the company has 250 users, do I need to purchase one Cisco AnyConnect 250 User Plus Perpetual License or 2 Cisco AnyConnect 250 User Plus Perpetual licenses?

 

According to the answer from this link:

https://www.cisco.com/c/en/us/td/docs/security/firepower/licensing/faq/firepower-licence-FAQ.html

"Firepower Threat Defense High Availability

Q. What are the license requirements for Firepower Threat Defense devices in a high-availability configuration?

A. There is no specific license required to configure Firepower Threat Defense devices in a high-availability pair. However, each device should have a license for each feature your deployment will use."

 

I have to purchase 2 licenses "AnyConnect 250 User Plus Perpetual" for each device. Did I understand correctly?

 

 

 
