Showing results for 
Search instead for 
Did you mean: 


ASA 5500X - Next Generation Firewall - Cluster Licensing

Hi! I'm working on a BoM for a customer and i need to offer an ASA5525-X pair in HA with AVC and WSE subscritption,

I've two question:

1) In order to use AVC and WSE I need the ASA bundle that includes the SSD HD right? (ASA5525-SSD120-K9)

2) In order to have both ASA's in HA, do i need to order two Suscriptions (ASA5525-AW3Y-PR) or only one that is "shared" in the cluster?




ASA 5500X - Next Generation Firewall - Cluster Licensing

this is "copy and paste" of Cisco Helpline aboutthis problem:


Kindly see answers to your questions below:

1) Correct sizing for customer:
ASA 5512X for many users?
ASA 5515X for many users?

A: ASA CX is sized like a firewall, based on performance/capacity, not number of users. The datasheet in the link below provides the capacity numbers – throughput, maximum connections and connections per second.

The ASA 5512-X can support up to 200 Mbps, 100,000 concurrent connections, and 10,000 connections per second.

The ASA 5515-X can support up to 350 Mbps, 250,000 concurrent connections, and 15,000 connections per second.

Please refer to Table 1 for this information:

2) Product code to order?

Is its correct?

N°1 ASA5512-SSD120-K9
N°1 ASA5512-AW1Y-PR

A: Yes, these part numbers are correct.

For management? that 'is the product code for Cisco Prime Security Manager only one-box ?

A: I’m not sure I understand this question correctly. Each ASA CX comes pre-installed with an “on-box” version of PRSM that can be used to manage a single CX module. This version does not require a separate license. It has limited storage available for event logging and reporting purposes. In all but the most trivial CX deployments, it is recommended that customers procure PRSM central management solution.

3) for failover solution:
What should I buy? There is a failover licenses for the CX? or do I have everything appears twice?

A: In case of failover or high availability (HA) pair, both the primary and secondary CX need their own, individual subscription licenses. Subscription licenses are not shared between primary and secondary CX.

if you how it works in terms of management? and for synchronizing module CX configurations?

A: If you will have ASA-CX high availability, you will need to get the PSRM as standalone. Cisco Prime Security Manager (PRSM) provides multi-device management for ASA and CX devices.

To ensure configuration and policy synchronization, make both devices members of the same PRSM device group. The link below has more details about High Availability for ASA-CX:

Have I answered your questions to your satisfaction? Let me know if you have further questions.