ASA 5512-X CX licensing

Frank Anstoetz
Level 1

When I want to use two ASA 5512-X in a failover cluster (Active-Standby), I need two Security PLUS licenses and also two VPN licenses like AnyConnect Essentials:

http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.pdf

Correct so far? But what about CX Feature licenses like L-ASA5515-WS3Y=? Which rule applies - is only one license per cluster needed? Or do I need two?

Thanks & regards

Frank.

7 Replies

Jouni Forss
VIP Alumni

Hi,

I only have a single ASA5515 CX firewall setup so haven't yet played around with Failover with the new ones + CX.

The documentation would seem to indicate that you need licensing for each ASA CX unit separately. If I am not completely wrong, this was also the case with the old modules. They were separate from the actual ASA Failover.

Managing High Availability

Cisco High Availability (HA) enables network-wide protection by providing fast recovery from faults that may occur in any part of the network. With Cisco High Availability, network hardware and software work together and enable rapid recovery from disruptions to ensure fault transparency to users and network applications.

Configuring high availability on ASA CX devices requires two identical units connected to each other through a dedicated failover link, with one active unit passing traffic while the other unit waits in a standby state. The health of the active unit and its interfaces is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs and the standby unit begins processing traffic.

The following conditions must be met in order to configure two ASA CX devices for high availability:

  • Both units must be the same model, have the same number and types of interfaces, and the same amount of RAM installed.
  • Both units must be operating in the same mode (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version.
  • Each ASA CX must have the proper licenses.

Source:

http://www.cisco.com/en/US/docs/security/asacx/9.0/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_0_chapter_004.html#task_F61A932F60754FCBA559D24DA57E8335

- Jouni

Thanks for your reply Jouni. This phrase about the "proper licenses" is at least an indication; however, as it is written in a paragraph dealing specifically with HA, I am unsure if it applies to VPN licenses as well.

Anybody out there feeling that he/she completely understood modern ASA licensing? ;-)

You must license both the active and standby firewall for CX. I double checked with Cisco a few weeks ago, as the cost difference is considerable. As Marvin Rhoads noted on a similar thread last week, all module based features (IPS, CX etc) require a licence per appliance.

Whereas, with 8.3 onwards, features like AnyConnect Essentials/Premium, Advanced Endpoint Assessment and Botnet Traffic Filter require only one appliance be licenced per active/standby HA pair.

Reiterating - yes separate licenses are required per appliance for the module-based features. The wording in the document Jouni quoted could be a bit clearer given the commonality of non-module based licenses but the implication is true. An HA pair of ASAs with CX modules currently requires the AVC and/or WSE licenses to be purchased separately for each appliance's module. Shillings' confirmation from Cisco matches what I have heard from our Cisco CSEs and TMEs.

I wouldn't say I understand it completely but as a Cisco partner I have a good number of resources to draw upon when responding to questions.

The release Document of Version 9.2 says the following:

In 9.2(1.1) Build 48, all valid licenses defined on a CX device are imported when you add the device to the PRSM inventory. However, the imported licenses might not be assigned to the imported device. In addition, existing available feature licenses that you uploaded to PRSM might not get automatically assigned. Please be aware of the following rules:

If the imported device uses application or application type specifications in the traffic matching criteria of any policy, OR there are such policies defined in the Universal CX access policy sets in PRSM, you must have an available AVC license, either a non-evaluation license defined on the device, or an available evaluation or non-evaluation license in PRSM. During import, the AVC license is automatically assigned to the device. Import will fail if you do not have an available AVC license.

May I now assume that all licenses are thrown into a pool and used as needed? So I need only one for an HA scenario?

My test setup with an HA pair shows only one used license.

Tobias,

Thanks for bringing it to my attention.

It appears this is indeed a new feature for the CX and PRSM 9.2 release. It also includes NGFW IPS - which can run simultaneously with AVC and WSE features on the CX.

Documentation and other collateral material is still lagging. For instance, I'm not sure if you can do this without using off-box PRSM.

I had an opportunity this week to talk to our Cisco CSE re this question.

The 9.2 update re CX licensing change is for the off-box PRSM server only. It counts the managed CX units in an HA pair as one unit for purposes of the PRSM managed device count. (PRSM comes in 5, 10, 25, 50 and 100 managed device license tiers.)

The CX units themselves on the ASA HA pairs still need separate licenses (WSE, AVC and - available as of 9.2 - IPS) for the features you want to use.
