ASA 5515X Max Contexts in HA Mode

barry
Level 7

Hi

Quick question which I haven't been able to find the answer to.

What is the maximum number of contexts a pair of 5515Xs in HA mode can support?

I know each 5515X can have a max of 5 contexts, but does that mean in HA mode a pair can support 10 with license pooling?      

Thanks

Barry Hesk
Intrinsic Network Solutions         

Accepted Solutions

Hello Barry,

Just to add:

You are correct, as a maximum (even combined) you can have up to 5 security contexts.

So you could have 3 on one ASA and 2 on the other (I mean license-wise), but you cannot have 5 on one and 5 on the other, because then you will be combining both to get 10, which is not allowed (limit is 5).

The second statement is also correct:

When a failover cluster fails and there is one device left, it will maintain the licenses combined for 30 days; afterwards it will lose the combined licenses and stay with its own.

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss
VIP Alumni

Hi,

To my understanding the Security Context Licenses should be combined and you should be able to use the combined amount of Security Contexts.

I, for example, configured 2x ASA5585-X SSP20 with their default licensing when I was setting up the devices for our core network (A/A Failover). As they both had the default 2 Security Contexts, we were able to use a total of 4 Security Contexts.

We later bought a 50 Security Context license for both, so now we have room for a total of 100 Security Contexts. To my understanding there is the same kind of limitation that there was already in PIX-related failover setups. If you were to have the other unit break, I think there is some time limit during which the other hardware has to be replaced for the other device not to lose the combined license limits (not 100% on this thought and didn't check it).

This section seems to give an answer to this Context question as well:

How Failover Licenses Combine

For failover pairs, the licenses on each unit are combined into a single running failover cluster license. For Active/Active failover, the license usage of the two units combined cannot exceed the failover cluster license.

If you buy separate licenses for the primary and secondary unit, then the combined license uses the following rules:

For licenses that have numerical tiers, such as the number of sessions, the values from both the primary and secondary licenses are combined up to the platform limit. If both licenses in use are time-based, then the licenses count down simultaneously.

For example:

You have two ASAs with 10 AnyConnect Premium sessions installed on each; the licenses will be combined for a total of 20 AnyConnect Premium sessions.

You have two ASA 5520s with 500 AnyConnect Premium sessions each; because the platform limit is 750, the combined license allows 750 AnyConnect Premium sessions.

Note: In the above example, if the AnyConnect Premium licenses are time-based, you might want to disable one of the licenses so you do not "waste" a 500 session license from which you can only use 250 sessions because of the platform limit.

You have two ASA 5540s, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, one unit can use 18 contexts and the other unit can use 12 contexts, for example, for a total of 30; the combined usage cannot exceed the failover cluster license (in this case, 30).

For licenses that have a status of enabled or disabled, then the license with the enabled status is used.

For time-based licenses that are enabled or disabled (and do not have numerical tiers), the duration is the combined duration of both licenses. The primary unit counts down its license first, and when it expires, the secondary unit starts counting down its license. This rule also applies to Active/Active failover, even though both units are actively operating.

For example, if you have 48 weeks left on the Botnet Traffic Filter license on both units, then the combined duration is 96 weeks.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp1353724

It's for the 8.6 software, so we know it's for the new ASA5500-X series. I am still waiting for my new ASA5515-X.

Hope this helps

- Jouni

Hi Jouni

Thanks for this - this is what I *thought* - I just wanted to confirm. Normally licenses are pooled (giving me a max of 10) - however some licenses - such as AnyConnect Essentials aren't. If I install AnyConnect Essentials on a pair of 5515Xs in HA mode, my combined platform limit is still 250 Essentials clients and not 500. It would be an expensive mistake to make!

Edit: I'm still a little concerned about this. In your example, installing 50 context licenses on a pair of 5585Xs is fine as the overall context total of 100 is within the published context limit for the platform of 250. In my case, the stated context limit for a 5515X is 5. I'm worried that if I install 2 x 5 context licenses, I'll still end up with a total count of 5... As I already have 4 contexts using the default contexts on each box, this would be a very expensive upgrade just to get one additional context.

Barry Hesk

Intrinsic Network Solutions

P.S. My understanding of license pooling is that you have 30 days to replace a failed ASA. After this, the pooled licenses are removed and you go back to your original per platform licenses.

Barry Hesk

Intrinsic Network Solutions

Thanks Julio. Not the answer I was hoping for, but you've confirmed things.

Barry Hesk

Intrinsic Network Solutions

Hi Julio,

Did I understand the documentation incorrectly?

It says the following:

You have two ASA 5540s, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, one unit can use 18 contexts and the other unit can use 12 contexts, for example, for a total of 30; the combined usage cannot exceed the failover cluster license (in this case, 30).

It says the other unit has a 20 SC License and the other 10 License which brings the combined to 30 SC. So in an Active/Active you should be able to use the combined amount of 30 SC spread between the ASAs in the ratio you want as long as it doesn't pass the combined limit of 30?

- Jouni


Ah,

So it's more down to device limit in SC rather than the License limit in this case?

ASA5515X just doesn't support more than 5 total while another model with the same license amount could support the combined 10 SCs?

- Jouni

Hello Jouni,

That's the limit, so even if you combine them you will not be able to do it.

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC