03-21-2011 10:17 AM - edited 03-11-2019 01:10 PM
A customer is currently running a 5520 ASA pair in active/standby HA mode. The devices also have an IPS module, one of them using a temporary (60-day) license. So, right now, licensing is identical on both ASAs and HA is operational.
The question is what exactly will happen after 60 days, once the temporary license expires? Does HA shut down completely once it's determined that the licensing isn't a 100% match any longer, or does it just cripple one feature (such as the IPS module)?
The customer is balking at purchasing SMARTnet for the 2nd ASA, so I need to explain exactly what is going to happen (if anything) once the license on the 2nd ASA drops off...
Thank you!
03-21-2011 10:27 AM
If the license expires, your Failover will not suffer any problems. Your ASAs will have the same license and hardware installed. The only problem here is that you will not be able to update the signatures on the AIP-SSM installed on the secondary unit. If the primary unit fails, the secondary will take over and work with the current signatures installed on the unit.
I hope this helps.
03-21-2011 10:34 AM
Thank you - one point of clarification if I may:
Cisco makes quite the point that hardware and licensing "must be identical" on both boxes in an HA pair. I think I'm hearing that it isn't really a requirement to bring the HA pair up, but rather to support all of the potential features the standby might have to perform during failover. Putting this another way - if I had one box with 100 AnyConnect users on it, and the 2nd box had none... would the HA pair still come alive, and just not provide SSL connectivity during failover?
Thanks again!
03-21-2011 10:43 AM
Depending on the version, you could have that scenario with the AnyConnect licenses. In version 8.4 there is something called Shared Licenses:
Here is the explanation:
In other versions the license features need to be the same, including AnyConnect. In the case of the AIP-SSM the license is for the module, not for the ASA, so there you won't have that problem.
03-21-2011 10:44 AM
Great - thanks again!