
ASA CX Failover, PRSM and Licensing

dfedotovs
Level 1

Hello,

I'm struggling to get exact information regarding licensing requirements for an ASA 5525-X failover pair with CX (AVC and WSE), managed by an off-box PRSM.

If we want to position such a deployment, which licenses are required to accomplish this?

2x 5525-X ASAs

1x PRSM (PRSMV9-SW-5-K9, 5-node license)

1x or 2x AVC+WSE subscriptions?

 

According to PRSM config guide, each ASA needs to have a separate license: http://www.cisco.com/c/en/us/td/docs/security/asacx/9-2/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_2/prsm-ug-asa-ha.html#concept_5B26031C315C4397B2100443FE37AD60

According to the latest Cisco Live slides in "BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA", one single license can be applied to a CX HA pair and PRSM will automatically push the CX license to both the CX devices (page 50).

http://d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKSEC-2024.pdf

 

Could someone please shed some light on this?

Many Thanks

Dmitri


Accepted Solutions

ds6123
Level 1

Thanks for this thread!  I was running into the same question during a new deployment where I upgraded the PRSM/CX from 9.1 to 9.3 and they relaxed the licensing quite a bit.  The documentation doesn't really mention it except for sneaking it in on page 74 of this:

 

http://www.cisco.com/c/en/us/td/docs/security/asacx/9-3/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_3.pdf

 

"Devices configured for high availability (HA) are shown once, using the logical name for the pair. HA devices use one license per pair."


Marvin Rhoads
Hall of Fame

The single license reference from BRKSEC-2024 refers to the PRSM licenses. That is, an HA pair of ASAs (including their NetGen services licenses) only consumes a single PRSM device license.

The last I knew - and as was verified by a different Cisco SE - at this time, the ASAs themselves EACH need the AVC and WSE (and IPS for those customers using it) subscription licenses to use those features.

Marvin, many thanks for your reply. This sounds logical, but looking at the context of the second sentence on page 50, I do not see any point in pushing a PRSM license to both ASAs. Also, the screenshot included in the slide is an AVC subscription license and not a PRSM one.

Maybe someone from Cisco will be able to confirm this here?

You have also raised a good point about device licensing; it's good to know that an HA pair counts as one device and consumes one PRSM license. Thanks.

 

Marvin Rhoads
Hall of Fame

The advice I had been giving earlier (i.e., one license per physical unit even in an HA pair) appears to have changed as of CX Software release 9.2. Although I could not find a reference to the change in the release notes, the User Guide for 9.2 (and 9.3, released just yesterday, 30 June 2014) states:

"HA devices use one license per pair."

 
