Solved: Cisco ASA 5520 Failover Unit Anyconnect Licenses

laphil · ‎01-03-2012

So i setup a failover active / passive with 2 ASA5520's

Primary asa has 750 Anyconnect vpn licensing and the secondary asa has 2 Anyconnect licenses

I haven't setup the second asa with the new 750 licenses i purchased but when i do a show version it shows

that the failover licensed features shows 750...

Does this mean i do not have to install the secondary anyconnect licenses on the standby ASA unit?

output of secondary asa

:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 4              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 27             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

Julio Carvajal · ‎01-03-2012

Hello,

here is what you are looking for:

Failover Licenses (8.3(1) and Later)

In Version 8.3(1) and later, failover units do not require the same license on each unit. For earlier versions, see the licensing document for your version.

Failover License Requirements

•Failover units do not require the same license on each unit.

Older versions of adaptive security appliance software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.

•For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.

Here is the link if you need more info:

http://tools.cisco.com/squish/a3512

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎01-03-2012

Hello,

here is what you are looking for:

Failover Licenses (8.3(1) and Later)

In Version 8.3(1) and later, failover units do not require the same license on each unit. For earlier versions, see the licensing document for your version.

Failover License Requirements

•Failover units do not require the same license on each unit.

Older versions of adaptive security appliance software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.

•For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.

Here is the link if you need more info:

http://tools.cisco.com/squish/a3512

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jcarvalh · ‎06-09-2014

Hello.

Lets say that I install ac-essential on active ASA and that the active ASA has an hardware problem and is shut down. Now I have the secondary ASA as the active and only working firewall. What happens if I need to reboot the secondary ASA? When it comes up, does it still have all licensing inherited initially from active ASA?

Regards,

Joao