
ASA 5545 - 8.6 - A/S - license upgrade

mz331wcisco
Level 1

Hello

We are planning to upgrade the ASA license in an A/S pair by adding the ASA5500-SC-20= license.

The ASA is a 5545 and runs 8.6. According to documentation, after version 8.3, the ASAs can share license features and do not require the same license on both boxes.

I ran a test in GNS3 with 8.4(2) images and I saw that adding the 'activation-key' command only on the primary unit did the job, as the 'show activation-key' output shows.

In order to be 100% sure, I would like to verify the following:

  1. Putting the activation-key only on the primary unit is enough and there is no need to do anything else
  2. In case the primary unit is standby, again we have to put the activation-key command on the primary unit (I am asking this because the 'activation-key' command is not listed under the commands that are not replicated to the other unit, but it doesn't make sense for it to be replicated since the activation-key is 'tied' to the S/N of the device).

Thank you in advance

Regards

Mikis

4 Replies

Jouni Forss
VIP Alumni

Hi,

You should be fine activating the license only on the Primary unit in the new post 8.3 software levels.

It doesn't matter which device is Active in the Failover pair. The License should apply whichever device is Active in the setup.

What you have to notice, though, is that IF the Primary device with the License does break down/malfunction/etc. the Secondary unit might lose its license acquired from the Primary IF it reboots (and therefore doesn't get the License from the Primary unit which is now broken down).

So to my understanding to play it REALLY safe you would still use Licenses on both units but under normal circumstances and getting a replacing device fast enough in the case of Primary ASA failure you should be fine with single license only.

Also, here's a good quote from the 8.6 Configuration Guide for HA setups and their Licensing:

Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.

The whole document can be found here

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_license.html#wp1315746

The document also explains what happens when the Primary device is lost or there is a problem between the 2 ASAs.

- Jouni

Thank you JouniForss for your answer.

Regarding your point 'What you have to notice though that IF the Primary device with the License does break down/malfunction/etc the Secondary unit might lose its license acquired from the Primary IF it reboots (and therefore doesn't get the License from the Primary unit which is now broken down)', I tested in GNS3 and I saw that even when the Secondary unit boots while the Primary unit is down, it still knows about the Cluster license and uses the combination of both licenses.

Unless GNS3 is fooling me, I would like to ask you if you have seen/tested this behavior (the Secondary losing the Cluster combined license if the Primary is down) and under which circumstances it might lose the license, or whether it is just an assumption.

Regards

Mikis

Hi,

I might have been wrong with that operation logic perhaps. I can't say for sure as the documentation doesn't state it exactly or I have just missed it.

In the old PIX failover pair licensing we experienced a situation where the Secondary device, only licensed for FO purposes, was the only PIX Active after the Primary PIX broke down. In that case the Secondary wasn't enough alone to handle the role after reboot and caused problems. I was assuming the same logic for the new software and devices. (Reboot causes the loss of functionality if the Primary (licensed) unit isn't available.)

I assume then that (when referring to the Cisco document) the situation will indeed be that after the Licensed Primary Unit breaks down or otherwise loses connectivity with the Secondary unit, the Secondary unit will be able to act alone for 30 days. In my opinion the documentation isn't really clear on whether a reboot of the Secondary device makes any difference. It just states that the connectivity of the units needs to be restored within 30 days.

Here's the quote from the documentation (this is from the same documentation linked above):

If the failover units lose communication for more than 30 days, then each unit reverts to the license installed locally. During the 30-day grace period, the combined running license continues to be used by both units.

It sounds more to me like the above refers to a situation where both units are operational but have lost FO connectivity.

So I can't say for 100% sure if the reboot has an effect on the License on the Secondary ASA in the case where the Primary is completely broken. If the licensing information is stored in some hidden file on the ASA, I wonder if the ASA then starts counting down towards the 30 day limit on the Secondary as soon as the connection to the Primary unit is lost because of Primary unit hardware failure.

With ASAs with the new software level I don't have experience of this situation, as during the 5 years that I have been working for the local ISP, we have only had 1 ASA break down. And in that case the other unit was operational with the license until we got a replacement device and moved the license to the new unit.

- Jouni

OK, fair enough. Thank you very much for sharing your experience.

Regards

Mikis
