Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2731
Views
0
Helpful
8
Replies

ASA-5506X in HA - Base Licence v Security Plus Licence

Go to solution
scawlding1
Level 1
Level 1

ā€Ž09-30-2021 05:12 AM

Hi,

I have 2 x Cisco ASA-5506X, one has a Base Licence and one has a Security Plus Licence, am I able to use these devices in a Active/Standby HA solution?

I've spotted on other feeds (as below) that the licences transfer between devices and I can't see much online about these needing to match but rather Model, Version and Interface number needs to be the same?

 

shortstop20Ā·3y
 

Both units must have the Security Plus license.

 

Adamal47OPĀ·3y
 

I opened a case with Cisco licensing and here was their response.

"I completely understand what your concern is however you got the failover concept just a little bit false. The failover works on the secondary HA it is configured to by mirroring or copying what licenses are on the primary but it doesnā€™t take the license of the primary at all. The licenses stays on the primary but it is also being used by the secondary so all you need to do is configuration. Remove the old secondary from the HA or failover configuration and then add the new secondary on to the failover configuration."

I told him that prior to the purchase of the second ASA there was only a single firewall.

 

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to scawlding1

ā€Ž09-30-2021 05:43 AM

yes i would expect to be Mirror of the both the device.

 

HA - why we looking HA ? means if one of the device fails, other one become active and do the job as expected with out any further issue.

 

So being said, how if they have 2 different images or different configuration or specification works as expected. Guidelines always suggest to have same 100% similar for better outcome.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to scawlding1

ā€Ž09-30-2021 09:19 AM

Hope information help you, if no further assitance required can we close the issue or you looking any further help on this context ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

ā€Ž09-30-2021 05:16 AM

@scawlding1 Answered on the other thread you responded to, but....

5506-X requires the Security Plus License for HA

https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/general/asa-910-general-config/ha-failover.html#ID-2107-00000379

 

Model

License Requirement

ASA 5506-Xā€Ø and ASA 5506W-X

  • Active/Standbyā€”Security Plus License.

  • Active/Activeā€”No Support.

Note 

Each unit must have the same encryption license.
Add tags
0 Helpful

Go to solution
scawlding1
Level 1
Level 1
In response to Rob Ingram

ā€Ž09-30-2021 05:25 AM

Thanks Rob,

So just to confirm, some failover units do no require the same licence on each unit but in the case of ASA-5506x, this does require the same Security Plus encryption licence on both units for HA to work?

 

Cheers

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to scawlding1

ā€Ž09-30-2021 05:42 AM - edited ā€Ž09-30-2021 05:42 AM

@scawlding1 from that link provided "Failover units do not require the same license on each unit. If you have licenses on both units, they combine into a single running failover cluster license. There are some exceptions to this rule. See the following table for precise licensing requirements for failover. "......the ASA 5506 is an exception.

 

The ASA software version and hardware must be identical versions.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

ā€Ž09-30-2021 05:22 AM

it required and always HA

 

1. both device to be same

2. same Code running

3. Same License.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/ha-failover.html#ID-2107-000003fe

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
scawlding1
Level 1
Level 1
In response to balaji.bandi

ā€Ž09-30-2021 05:39 AM

Hi balaji.bandi

Thanks for confirming on the licencing and sorry to check something else, but is that also the case with the OS?

One device is Firepower Extensible Operating System Version 2.6

Other device is SSP Operating System Version 2.8

 

Thanks 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to scawlding1

ā€Ž09-30-2021 05:43 AM

yes i would expect to be Mirror of the both the device.

 

HA - why we looking HA ? means if one of the device fails, other one become active and do the job as expected with out any further issue.

 

So being said, how if they have 2 different images or different configuration or specification works as expected. Guidelines always suggest to have same 100% similar for better outcome.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
scawlding1
Level 1
Level 1
In response to balaji.bandi

ā€Ž09-30-2021 06:43 AM

Thank you for the clarification

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to scawlding1

ā€Ž09-30-2021 09:19 AM

Hope information help you, if no further assitance required can we close the issue or you looking any further help on this context ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card