ASA 5510 Failover & Licensing

edw · ‎02-09-2016

Hi,

I have recently been given a second ASA 5510 firewall and was wondering how the licensing works for using this in a failover solution ?

I already have a ASA 5510 firewall which has Security Plus license and is under maintenance and wanted to try to understand the mud pile which is licensing as there seems to be conflicting information from Cisco Partners regarding this.

Also is it possible in a failover configuaration to have one internet connection on one firewall and another on the other firewall and this failover based on internet connection stats rather than just fialover the firewall itself ?

Thanks

Ed

Boris Uskov · ‎02-09-2016

Hello!

To use failover you need to have SEC Plus license on boths ASAs. SEC Plus license gives you an opportunity to configure Active/Standby and Active/Active failover.

To use IPS redundancy, from my point of view, it is better to connect both ISPs to every ASA in failover. You can configure dual ISP on ASA, using this guide:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

edw · ‎02-09-2016

Thanks for this - thats not actually a bad idea.

License wise how does this work if I have been given the ASA 5510 ??

Boris Uskov · ‎02-09-2016

So, I advice you to contact with your local Cisco Partner/Reseller and order the following license:

L-ASA5510-SEC-PL=
ASA 5510 Security Plus License w/ HA, GE, more VLANs + conns

After getting the Product Activation Key (PAK) you'll install the license to your new ASA and you'll be able to connect two ASAs in failover configuration.

edw · ‎02-09-2016

Thanks - and if the firewall already has the PAK then its fine to use it ?

Boris Uskov · ‎02-09-2016

If you mean, PAK for SEC Plus license, sure, you can just use it on
www.cisco.com/go/license
and get license-key.

edw · ‎02-09-2016

Sorry I meant the firewall already has the license when I got it.

Boris Uskov · ‎02-09-2016

Ah, ok, no problem. So no additional licenses are required. You can try to configure failover.

edw · ‎02-09-2016

So this doesn't break any licensing conditions or restrictions.

Boris Uskov · ‎02-09-2016

There is one thing, I forgot to mention. If you have IOS version 8.3 and higher - no problem, the majority of licenses will be copied from first ASA to the second one. For example, if you have Anyconnect Essentials and Anyconnect mobile licenses on the first gear, you don't need to buy them for the second ASA in failover.

But, if your IOS version is 8.2 or lower, you need to have absolutely identical set of license on both gears to be able to make a failover.

If we speak about newer gears, for example ASA 5512, ASA5515, those gears can be equipped with additional software modules: older CX module (already End-of-SALE), or newer SFR (SourceFIRE) module. For those additional software modules you have to buy separate set of licenses for every ASA in failover.

edw · ‎02-09-2016

OK - so all I need is the hardware for the second one and not worry about the license ?

I was given the firewall by another charity and just trying to move around the minefield that is Cisco licensing.

Thanks again

Ed

Boris Uskov · ‎02-09-2016

You need software for the first and the second one to be higher then 8.3 version. What is the software version of the first ASA?

edw · ‎02-09-2016

8.4(6) on the first one which we bought and has a software update contract on.

I have the latest 9.1 to put on soon.

Boris Uskov · ‎02-09-2016

Ok, great, so you can upgrade the first one and the second ASA to 9.1 and create a failover pair. No issues with licenses.

edw · ‎02-09-2016

Excellent thanks for you help!