cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1022
Views
0
Helpful
3
Replies

Cisco ASA CX subscription question

ivanov.arseniy
Level 1
Level 1

Hello again,

One fellow asked me a question about Cisco ASA CX subscription and i'm not really sure about the answer i shall give him, so I promised him to discuss this topic here at supportforums.

The thing we were talking about with him was whether you need only one subscription or two of them in a case when you have two asa cx appliances running in active/standby mode.

Can anyone provide some valuable input regarding this or a link to cisco documentation?

Thanks.

Best regards, Arseniy S. Ivanov
3 Accepted Solutions

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

This seems to have the answer (at the end)

Managing High Availability

Cisco High Availability (HA) enables network-wide protection by providing fast recovery from faults that may occur in any part of the network. With Cisco High Availability, network hardware and software work together and enable rapid recovery from disruptions to ensure fault transparency to users and network applications.

Configuring high availability on ASA CX devices requires  two identical units connected to each other through a dedicated  failover link, with one active unit passing traffic while the other unit  waits in a standby state. The health of the active unit and its  interfaces is monitored to determine if specific failover conditions are  met. If those conditions are met, failover occurs and the standby unit  begins processing traffic.

The following conditions must be met in order to configure two ASA CX devices for high availability:

  • Both units must be the same model, have the same number and types of interfaces, and the same amount of RAM installed.
  • Both  units must be operating in the same mode (routed or transparent, single  or multiple context). They must have the same major (first number) and  minor (second number) software version.
  • Each ASA CX must have the proper licenses.

Source:

http://www.cisco.com/en/US/docs/security/asacx/9.1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_0100.html#task_F61A932F60754FCBA559D24DA57E8335

- Jouni

View solution in original post

I double checked this with Cisco quite recently and they confirmed the above is correct.

View solution in original post

Right - all the module-based (CX, IPS, CSC-SSM, AIP-SSM) features continue to require separate licenses per appliance.

View solution in original post

3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

This seems to have the answer (at the end)

Managing High Availability

Cisco High Availability (HA) enables network-wide protection by providing fast recovery from faults that may occur in any part of the network. With Cisco High Availability, network hardware and software work together and enable rapid recovery from disruptions to ensure fault transparency to users and network applications.

Configuring high availability on ASA CX devices requires  two identical units connected to each other through a dedicated  failover link, with one active unit passing traffic while the other unit  waits in a standby state. The health of the active unit and its  interfaces is monitored to determine if specific failover conditions are  met. If those conditions are met, failover occurs and the standby unit  begins processing traffic.

The following conditions must be met in order to configure two ASA CX devices for high availability:

  • Both units must be the same model, have the same number and types of interfaces, and the same amount of RAM installed.
  • Both  units must be operating in the same mode (routed or transparent, single  or multiple context). They must have the same major (first number) and  minor (second number) software version.
  • Each ASA CX must have the proper licenses.

Source:

http://www.cisco.com/en/US/docs/security/asacx/9.1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_0100.html#task_F61A932F60754FCBA559D24DA57E8335

- Jouni

I double checked this with Cisco quite recently and they confirmed the above is correct.

Right - all the module-based (CX, IPS, CSC-SSM, AIP-SSM) features continue to require separate licenses per appliance.

Review Cisco Networking for a $25 gift card