04-12-2010 12:05 PM - edited 03-11-2019 10:31 AM
I have 2 ASAs configured for Active/Standby. However, when I issued the "failover" command, I got the following message on both ASAs.
Mate's license (VPN-3DES-AES Enabled) is not compatible with my license (VPN-3DES-AES Disabled). Failover will be disabled.
Both ASA are running the identical image verified by sh ver.
The cabling is fine, as both sides can ping each other on the failover IP.
Yes, I did it on the management interface, but I have done that on previous ASAs with no issues.
Has anybody seen this? Thanks all!
ASA 1 config
failover lan unit primary
failover lan interface failover-link Management0/0
failover link failover-link Management0/0
failover interface ip failover-link 1.1.1.1 255.255.255.252 standby 1.1.1.2
ASA 2 config
failover lan unit secondary
failover lan interface failover-link Management0/0
failover link failover-link Management0/0
failover interface ip failover-link 1.1.1.1 255.255.255.252 standby 1.1.1.2
ASA 1 :
LN-ASA-1# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
LN-ASA-1 up 4 days 4 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0024.972b.e1b2, irq 9
1: Ext: GigabitEthernet0/1 : address is 0024.972b.e1b3, irq 9
2: Ext: GigabitEthernet0/2 : address is 0024.972b.e1b4, irq 9
3: Ext: GigabitEthernet0/3 : address is 0024.972b.e1b5, irq 9
4: Ext: Management0/0 : address is 0024.972b.e1b1, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
ASA 2:
ciscoasa(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 58 mins 25 secs
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0022.5597.0f30, irq 9
1: Ext: GigabitEthernet0/1 : address is 0022.5597.0f31, irq 9
2: Ext: GigabitEthernet0/2 : address is 0022.5597.0f32, irq 9
3: Ext: GigabitEthernet0/3 : address is 0022.5597.0f33, irq 9
4: Ext: Management0/0 : address is 0022.5597.0f34, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: xxxxx
04-12-2010 12:13 PM
Hi,
There's one ASA with 3DES-AES enabled and the other has the license disabled.
In order to do failover, the hardware and the licenses on both units should be the same.
Federico.
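A pre-check for the mismatch discussed in this thread, as an added example that is not part of any post and not Cisco tooling: it parses the `Hardware:` line and the "Licensed features" block of two `show version` outputs and lists every difference. The sample text is constructed (abridged from the output in the first post) and the function names are hypothetical.

```python
import re

# Constructed sample input, abridged from the two "sh ver" outputs in the first post.
ASA1 = """\
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
4: Ext: Management0/0 : address is 0024.972b.e1b1, irq 11
Licensed features for this platform:
Maximum VLANs : 150
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
This platform has an ASA 5520 VPN Plus license.
"""
ASA2 = (ASA1.replace("2048 MB", "512 MB")
            .replace("VPN-3DES-AES : Disabled", "VPN-3DES-AES : Enabled"))

def parse_show_version(text):
    """Return {'hardware': {...}, 'features': {...}} from 'show version' text."""
    hardware, features, in_features = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Hardware:\s*([^,\s]+),\s*(\d+) MB RAM", line)
        if m:
            hardware = {"model": m.group(1), "ram_mb": int(m.group(2))}
        elif line.startswith("Licensed features for this platform"):
            in_features = True           # feature table starts on the next line
        elif in_features and line.startswith("This platform has"):
            in_features = False          # license summary line ends the table
        elif in_features and " : " in line:
            name, value = line.rsplit(" : ", 1)
            features[name.strip()] = value.strip()
    return {"hardware": hardware, "features": features}

def failover_mismatches(unit_a, unit_b):
    """List (field, value_a, value_b) for every hardware or license difference."""
    a, b = parse_show_version(unit_a), parse_show_version(unit_b)
    diffs = []
    for section in ("hardware", "features"):
        for key in sorted(set(a[section]) | set(b[section])):
            va, vb = a[section].get(key), b[section].get(key)
            if va != vb:
                diffs.append((f"{section}.{key}", va, vb))
    return diffs

if __name__ == "__main__":
    for field, va, vb in failover_mismatches(ASA1, ASA2):
        print(f"MISMATCH {field}: unit A = {va!r}, unit B = {vb!r}")
```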
04-12-2010 12:39 PM
Hi,
You can either get the identical license for both the ASA devices.
OR
Try upgrading to ASA version 8.3.
In version 8.3, Failover licenses no longer need to be identical on each unit. Non-identical failover licenses support is available.
However, while upgrading you need to take into consideration the command changes in 8.3, some of the configs in 8.2 might have to be manually migrated.
04-12-2010 01:04 PM
Is there a way to disable VPN-3DES-AES on the license?
It would be a shame to lose it because I'm sure we paid for it somehow! Or go to 8.3 as somebody suggested?
04-12-2010 03:57 PM
VPN-3DES-AES license is free, just get the license from the following:
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y
(choose: Cisco ASA 3DES/AES License)
05-23-2015 07:17 PM
Hello All
I know this is an old topic, but I need help with the issue that I have on my ASA5505 V13' please.
My ASA5505 shows that 3DES-AES is disabled. I went to Cisco and got a 3DES license and tried to activate it, but I ended up with the error ((the activation key is the same as the flash permanent activation-key)).
And when I run the command ((ssl encryption aes256-sha1 aes128-sha1 3des-sha1)), I get: the 3DES/AES algorithm require a VPN-3DES-AES activation key.
Any suggestions please, what can I do?