ASA 5555-X Clustering and Feature Licenses

Edward Brennan
Level 1

It is my understanding that duplicate feature licenses are not necessary when using cluster licenses on ASA 5585-X (per http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_cluster.pdf - "Licensing Requirements for ASA Clustering").

What about when using the default 2-cluster licenses with ASA 5555-X? I understand both will require the same encryption licenses but our vendor says duplicate feature licenses (IDS/AMP/URL) are still required but keeps pointing to old failover documentation. Anyone find any definitive documentation on this?

Accepted Solutions

You need on both ASAs:

  • Cluster-license (enabled by default)
  • Encryption license (very likely enabled by default)

All other ASA-licenses are shared in the cluster.

IPS/AMP/URL are not licenses that are applied to the ASA, they are applied to Firepower. And the Firepower modules don't share any information or state. The Management Center sees two independent modules in your cluster and you need licenses for both modules to activate them.

3 Replies

Philip D'Ath
VIP Alumni

I'm not sure the answer is so clear cut.

Exactly which feature licences are you meaning?

Thank you for your replies. We are planning on doing IPS and URL. This is the specific language in the aforementioned cluster configuration document that I am referencing: "A Cluster license is required on each unit. For other feature licenses, cluster units do not require the same license on each unit. If you have feature licenses on multiple units, they combine into a single running ASA cluster license." This language references 5585-X. No guidance on feature licenses for other models is specified. Does the lack of guidance mean licensing works the same way as it did for failover? Seems like a big assumption especially given the cost.
