Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13801
Views
0
Helpful
6
Replies

ASA Failover License Requirements

Go to solution
matthewjwilson
Level 1
Level 1

‎05-23-2011 08:57 AM - edited ‎03-11-2019 01:37 PM

According to Cisco, one of the ASAs must have an Unrestricted License http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml:

"On the PIX/ASA Security appliance platform, at least one of the units must have an unrestricted (UR) license.  The other unit can have a Failover Only Active-Active (FO_AA) license,  or another UR license. Units with a Restricted license cannot be used  for failover, and two units with FO_AA licenses cannot be used together  as a failover pair."


I am unfamiliar with the different ASA licenses, so I am wondering if someone here can help me confirm my suspicion that, with my current license, I am unable to enable failover on my two ASAs. Here is a snippet of the "show version" output on one of my ASAs (they are the same as far as licenses go):


Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 250
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 5
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 10
Total VPN Peers                : 5000
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5550 VPN Premium license.

Thank you in advance for any assistance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
6 Replies 6

Go to solution
mirober2
Cisco Employee
Cisco Employee

‎05-23-2011 10:00 AM

Hi Matthew,

What version of software is running on the ASA pair? Generally speaking, if the 2 units have the same licensed features in the output of 'show version', failover will work fine (assuming the licenses support failover, which yours does).

Hope that helps.

-Mike

0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to mirober2

‎05-23-2011 10:18 AM

Hi Matthew,

This particualr requirement was only for PIX devices, for ASA you just need to have the same license installed on both units.

Have a look at the doc below to clear out your doubts:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/license.html#wp1347447

ASA configuration guide:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1046838

You need not have a UR license only, just that the license should be same on both units.


Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Go to solution
matthewjwilson
Level 1
Level 1
In response to varrao

‎05-23-2011 10:22 AM

Both of those links you listed return as "Forbidden File or Application" when I try to access them.

0 Helpful

Go to solution
matthewjwilson
Level 1
Level 1
In response to varrao

‎05-23-2011 10:48 AM

Thank you!

0 Helpful

Go to solution
kanchan.sapkota
Level 1
Level 1
In response to matthewjwilson

‎08-08-2013 12:31 AM

dear Matthew,

    Have you kept it in failover now?I have the same situation as yours.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card