cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7730
Views
0
Helpful
6
Replies

ASA SSL VPN Licensing with Active/Standby failover

tonymitchell
Level 1
Level 1

Regarding the "duplication" of SSL VPN licenses required for two ASA's in active/standby (i.e. both devices must be the same for active/standby to operate)...

I know this question has been asked several times, with the answer being "Yes - both appliances need the same license, even though you can only use a maximum of 50% of the total licenses purchased"... but one person indicated back in June 2009, that Cisco may change this requirement in future releases. My question (mainly directed as Cisco employee's), is whether this rumour has any truth, and that Cisco are looking to allow ASA appliances in active/standby to share SSL VPN licenses?

Thamks,

Tony

6 Replies 6

andrew.prince
Level 10
Level 10

AFAIK - nothing has changed.

johnbroadway
Level 1
Level 1

Hi,

I remember reading something about shared license support for ASA's with V8.2 but I've not had the chance to try it yet.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-526545.html states:

Shared license support for SSL VPN: The shared license server device (holding the shared license) and participant devices must be able to communicate with one another on an internal network either directly or through a VPN connection. Each participating device must have a license that enables the shared licensing capability. Shared licenses support the full AnyConnect feature set, including Cisco Secure Desktop and clientless SSL VPN.

hope that helps

John

There apears to be new licensing options for the "Shared License" option.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39.html

This has a minimum of a 500 User License which makes sense, if there is a requiremnt for such a large number of users it would be quite costly duplicating them in a failover pair.

If you look in the new command reference there are a number of commands related to this e.g.

clear configure license-server Clears the shared licensing server configuration.

license-server address Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup address Identifies the shared licensing backup server for a participant.

license-server backup backup-id Identifies the backup server IP address and serial number for the main shared licensing server.

Chris Ingram
Level 1
Level 1

So how did this ever work out?  I have a 5510 that I have configured as a "Shared Licensing Server" which is in DataCenter in a different geographical location than me.  I also have another 5510 here on my desk.  They both have the "ASA 5510 Security Plus license" and I wonder if I can get any benefit by pairing them up in active/standby mode.  I'm not finding any documentation about this, anywhere.

Cisco changed the licensing model a couple of years back so that rather than having a "shared licensing server", paired ASAs that have individual licence packs installed (i.e. 50 SSL VPN licences on each ASA), now count as 100 usable licences, whereas previously you were limited to the number of licences installed on the active ASA (i.e. 50 licences in my previous example).

Regarding Active/Standby configuration, this will be fine, though you'd need to ensure you have a layer 2 link with sufficient bandwidth between the units for failover heartbeats, config replication, http session information etc.

Tony

Sent from Cisco Technical Support iPad App

Thanks for your reply.  I visited this subject almost a year ago and I was told it wouldn't work so I abandoned it.  Now I just want to try it to see it work.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: