matthewjwilson
Beginner

ASA Failover License Requirements

According to Cisco, one of the ASAs must have an Unrestricted License http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml:

"On the PIX/ASA Security appliance platform, at least one of the units must have an unrestricted (UR) license. The other unit can have a Failover Only Active-Active (FO_AA) license, or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO_AA licenses cannot be used together as a failover pair."


I am unfamiliar with the different ASA licenses, so I am wondering if someone here can help me confirm my suspicion that, with my current license, I am unable to enable failover on my two ASAs. Here is a snippet of the "show version" output on one of my ASAs (they are the same as far as licenses go):


Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 250
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 5
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 10
Total VPN Peers                : 5000
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5550 VPN Premium license.

Thank you in advance for any assistance.

6 REPLIES
mirober2
Cisco Employee

Hi Matthew,

What version of software is running on the ASA pair? Generally speaking, if the 2 units have the same licensed features in the output of 'show version', failover will work fine (assuming the licenses support failover, which yours does).

Hope that helps.

-Mike

Hi Matthew,

This particular requirement was only for PIX devices; for ASA you just need to have the same license installed on both units.

Have a look at the doc below to clear out your doubts:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/license.html#wp1347447

ASA configuration guide:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1046838

You need not have a UR license only, just that the license should be the same on both units.


Thanks,

Varun

Thanks,
Varun Rao
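
Added example, not part of any reply in this thread and not Cisco code: a small Python check that parses the "Licensed features for this platform" block from each unit's "show version" output and lists every feature that differs between the two units. The sample text is constructed from the output posted in the question, and treating "Disabled" on the Failover line as "no failover license" is an assumption.

```python
import re

# Constructed sample: abbreviated licensed-features block from the question,
# standing in for "show version" output captured from each unit.
UNIT_A = """\
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 250
Failover                       : Active/Active
VPN-3DES-AES                   : Enabled
Security Contexts              : 5

This platform has an ASA 5550 VPN Premium license.
"""
# Constructed mismatch: second unit licensed for fewer security contexts.
UNIT_B = re.sub(r"(Security Contexts\s*: )5", r"\g<1>2", UNIT_A)

FEATURE_LINE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_licensed_features(show_version: str) -> dict:
    """Return {feature: value} from the 'Licensed features' block only."""
    features, in_block = {}, False
    for line in show_version.splitlines():
        if line.strip().startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("This platform has"):
            break  # the license summary line ends the block
        m = FEATURE_LINE.match(line)
        if m:
            features[m["name"]] = m["value"]
    return features


def compare_units(out_a: str, out_b: str) -> dict:
    """Report whether both units license failover and which features differ."""
    a, b = parse_licensed_features(out_a), parse_licensed_features(out_b)
    diffs = {k: (a.get(k), b.get(k))
             for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
    # Assumption: a unit without a failover license shows "Disabled" here.
    licensed = all(u.get("Failover", "Disabled") != "Disabled" for u in (a, b))
    return {"failover_licensed": licensed, "differences": diffs}


if __name__ == "__main__":
    print(compare_units(UNIT_A, UNIT_A))
    print(compare_units(UNIT_A, UNIT_B))
```
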

Both of those links you listed return as "Forbidden File or Application" when I try to access them.

Thank you!

Dear Matthew,

Have you kept it in failover now? I have the same situation as yours.