According to Cisco, one of the ASAs must have an Unrestricted License (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml):
"On the PIX/ASA Security appliance platform, at least one of the units must have an unrestricted (UR) license. The other unit can have a Failover Only Active-Active (FO_AA) license, or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO_AA licenses cannot be used together as a failover pair."
I am unfamiliar with the different ASA licenses, so I am wondering if someone here can help me confirm my suspicion that, with my current license, I am unable to enable failover on my two ASAs. Here is a snippet of the "show version" output on one of my ASAs (they are the same as far as licenses go):
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Disabled
SSL VPN Peers : 10
Total VPN Peers : 5000
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5550 VPN Premium license.
Thank you in advance for any assistance.
What version of software is running on the ASA pair? Generally speaking, if the 2 units have the same licensed features in the output of 'show version', failover will work fine (assuming the licenses support failover, which yours does).
Hope that helps.
This particular requirement was only for PIX devices; for ASA you just need to have the same license installed on both units.
Have a look at the doc below to clear up your doubts:
ASA configuration guide:
You need not have a UR license only, just that the license should be the same on both units.
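The check the replies describe, comparing the licensed features in 'show version' from both units, can be scripted. This is an added example, not part of the original thread or any Cisco tooling. The function names are hypothetical, the second unit's output is constructed, and treating "Disabled" as the value shown when failover is unlicensed is an assumption.

```python
import re

# Constructed sample: UNIT_A is an excerpt of the output in the question;
# UNIT_B is a made-up peer that differs in two features.
UNIT_A = """\
Licensed features for this platform:
Maximum VLANs : 250
Failover : Active/Active
VPN-3DES-AES : Enabled
Security Contexts : 5
SSL VPN Peers : 10
This platform has an ASA 5550 VPN Premium license.
"""
UNIT_B = (UNIT_A.replace("Security Contexts : 5", "Security Contexts : 2")
                .replace("SSL VPN Peers : 10", "SSL VPN Peers : 2"))

def parse_licensed_features(show_version):
    """Return {feature: value} from the 'Licensed features' block."""
    features, in_block = {}, False
    for line in map(str.strip, show_version.splitlines()):
        if line.startswith("Licensed features for this platform"):
            in_block = True
        elif in_block and line:
            m = re.match(r"(.+?)\s*:\s*(.+)$", line)
            if not m:          # first non "name : value" line ends the block
                break
            features[m.group(1)] = m.group(2)
    return features

def compare_units(a, b):
    """Diff two units' licensed features and check the Failover line."""
    fa, fb = parse_licensed_features(a), parse_licensed_features(b)
    mismatches = {k: (fa.get(k), fb.get(k))
                  for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}
    # Assumption: a license without failover shows "Failover : Disabled"
    licensed = all(f.get("Failover", "Disabled") != "Disabled" for f in (fa, fb))
    return {"failover_licensed": licensed, "mismatches": mismatches}

if __name__ == "__main__":
    report = compare_units(UNIT_A, UNIT_B)
    print("Failover licensed on both units:", report["failover_licensed"])
    for feature, (a, b) in report["mismatches"].items():
        print(f"MISMATCH {feature}: unit A={a!r} unit B={b!r}")
```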