
ASA Failover License Requirements

matthewjwilson
Level 1

According to Cisco, one of the ASAs must have an Unrestricted License (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml):

"On the PIX/ASA Security appliance platform, at least one of the units must have an unrestricted (UR) license. The other unit can have a Failover Only Active-Active (FO_AA) license, or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO_AA licenses cannot be used together as a failover pair."


I am unfamiliar with the different ASA licenses, so I am wondering if someone here can help me confirm my suspicion that, with my current license, I am unable to enable failover on my two ASAs. Here is a snippet of the "show version" output on one of my ASAs (they are the same as far as licenses go):


Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 250
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 5
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 10
Total VPN Peers                : 5000
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5550 VPN Premium license.

Thank you in advance for any assistance.


mirober2
Cisco Employee

Hi Matthew,

What version of software is running on the ASA pair? Generally speaking, if the 2 units have the same licensed features in the output of 'show version', failover will work fine (assuming the licenses support failover, which yours does).

Hope that helps.

-Mike
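
A way to script the comparison described in the reply above, as an added example that is not part of the original thread: it parses the "Licensed features" block of 'show version' from two units and reports any feature whose value differs. The function names are hypothetical, the first sample is an excerpt of the output posted in the question, and the second is constructed with one value changed.

```python
import re

# One "Feature name : value" row of the licensed-features table.
_ROW = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")

def parse_licensed_features(show_version):
    """Return {feature: value} from the 'Licensed features' block."""
    features, in_block = {}, False
    for line in show_version.splitlines():
        if line.strip().lower().startswith("licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():
            if features:
                break  # the blank line after the table ends the block
            continue
        m = _ROW.match(line)
        if m:
            features[m["name"].strip()] = m["value"]
    return features

def license_mismatches(unit_a, unit_b):
    """Return {feature: (value_a, value_b)} for every feature that differs."""
    a, b = parse_licensed_features(unit_a), parse_licensed_features(unit_b)
    return {k: (a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

def failover_capable(features):
    """Assumption: a unit without failover shows 'Disabled' in this row."""
    return features.get("Failover", "Disabled") != "Disabled"

# Excerpt of the posted output; {ctx} lets us construct a differing peer.
_SAMPLE = """
Licensed features for this platform:
Maximum VLANs                  : 250
Failover                       : Active/Active
Security Contexts              : {ctx}
SSL VPN Peers                  : 10

This platform has an ASA 5550 VPN Premium license.
"""
UNIT_A = _SAMPLE.format(ctx=5)   # as posted in the question
UNIT_B = _SAMPLE.format(ctx=2)   # constructed: one feature changed

if __name__ == "__main__":
    print(license_mismatches(UNIT_A, UNIT_B))
```
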

Hi Matthew,

This particular requirement was only for PIX devices; for ASA you just need to have the same license installed on both units.

Have a look at the doc below to clear out your doubts:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/license.html#wp1347447

ASA configuration guide:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1046838

You need not have a UR license only, just that the license should be the same on both units.


Thanks,

Varun

Thanks,
Varun Rao

Both of those links you listed return as "Forbidden File or Application" when I try to access them.

Thank you!

Dear Matthew,

Have you kept it in failover now? I have the same situation as yours.
