cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
792
Views
5
Helpful
2
Replies

ASA 5505 Failover license compatible issue

guanbowen
Level 1
Level 1

I am trying to setup a failover ASA 5505 to provide HA to current ASA 5505 in production. 

The following is current failover setup:

###############################

failover
failover lan unit primary
failover lan interface failover Vlan3
failover key *****
failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2

 

###############################

 

The following is the new secondary failover setup:

################################

failover
failover lan unit secondary
failover lan interface failover Vlan3
failover key *****
failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2

################################

 

I am getting the same error on both ASA once I turned on failover:

"failover key Mate's license (Inside Hosts Unlimited) is not compatible with my license (Inside Hosts 2). Failover will be disabled"

 

When I check the license features for both ASA, the following is what I have found different: 

1. Inside Hosts                   : 10 (secodary) 50(primary)

2. BIOS Flash M50FW080 @ 0xffe00000, 1024KB(secondary)  BIOS Flash Firmware Hub @ 0xffe00000 , 1024KB

 

Both of them are running ASA software 8.2(5) and same RAM, same Flash. 

 

I am sure Inside hosts difference is one of the reasons why failover couldn't be built up. I need to know if BIOS flash difference will be another problem or not.  

Also, any suggestions how to get this fixed without causing an outage in the network. 

Primary ASA currently is running on NoFailover mode due to this problem and Secondary ASA is plugged in with all cables and turned on.

 

Thanks      

   


 

1 Accepted Solution

Accepted Solutions

In your software-version, both ASAs need the same licenses. The flash is no problem, as it's allowed to have different amount of flash on both ASAs.

The restriction on identical licenses were liftet with version 8.3. With this version, different licenses merge in failover (only SecPlus is needed on both ASAs). So you could upgrade your ASAs to a newer release like 8.4 and then build your HA. But that's a major upgrade that will cause some downtime.

View solution in original post

2 Replies 2

In your software-version, both ASAs need the same licenses. The flash is no problem, as it's allowed to have different amount of flash on both ASAs.

The restriction on identical licenses were liftet with version 8.3. With this version, different licenses merge in failover (only SecPlus is needed on both ASAs). So you could upgrade your ASAs to a newer release like 8.4 and then build your HA. But that's a major upgrade that will cause some downtime.

guanbowen
Level 1
Level 1

Hi Karsten, 

 

Thanks for your reply, I do realize that 8.3+ version software can solve this problem, but I cannot afford the down time for current network. 

I have also confirmed with CISCO that the 2xPAK purchased are different, one has 10 host while the other one has 50. and CISCO confirmed the software upgrade solution as well. 

I am thinking two plans: 

1. using temporary license on backup ASA and build failover first. then turn off primary and upgrade the software. once it is done, turn off fail over on primary and then connect it back to network. after this turn off the secondary one to make the primary ASA running. then upgrade the software on secondary ASA

2. pay upgrade PAK for the secondary ASA and go from there. but I am 100% sure once I turn on failover on primary ASA, it will cause a short outage and I need to restart all my VPN connections. 

 

Any thoughts ?

Review Cisco Networking for a $25 gift card