05-23-2012 04:38 AM - edited 03-11-2019 04:10 PM
Hi everybody.
I have a problem with FWSM failover. I have a setup with two 6500 switches, each with an FWSM. I updated the FWSM to 4.1(6) on both, but when I try to enable failover I get the following errors:
First FWSM:
Mate's license (Failover Disabled) is not compatible with my license (Failover Enabled). Failover will be disabled.
Mate's license (VPN-DES Disabled) is not compatible with my license (VPN-DES Enabled). Failover will be disabled.
Mate's license (VPN-3DES-AES Disabled) is not compatible with my license (VPN-3DES-AES Enabled). Failover will be disabled.
Mate's license (2 Contexts) is not compatible with my license (20 Contexts). Failover will be disabled.
Mate's license (0 Contexts) is not compatible with my license (100 Contexts). Failover will be disabled.
Second FWSM:
Mate's license (Failover Enabled) is not compatible with my license (Failover Disabled). Failover will be disabled.
Mate's license (VPN-DES Enabled) is not compatible with my license (VPN-DES Disabled). Failover will be disabled.
Mate's license (VPN-3DES-AES Enabled) is not compatible with my license (VPN-3DES-AES Disabled). Failover will be disabled.
Mate's license (20 Contexts) is not compatible with my license (2 Contexts). Failover will be disabled.
Mate's license (100 Contexts) is not compatible with my license (0 Contexts). Failover will be disabled.
Is it necessary that I have the same license to enable failover?
Is it not enough to just update the system?
Thanks!!!
05-23-2012 04:45 AM
Hi Anderson,
Yes, it is absolutely necessary that you have the same license on the 2 boxes. It should not take you much time: just download the 3DES license from the site below and you should be good. Install it on your FWSM which has it disabled; it's free of cost:
https://tools.cisco.com/SWIFT/LicensingUI/ipsCryptoPage
You would also need to have the exact same license for the contexts as well, for which you would need to contact licensing@cisco.com
Refer to this doc as well:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1053685
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-23-2012 05:04 AM
Rao,
Thanks for the reply.
However, I have another question. See the description of the licenses below for each box:
First box:
Licensed features for this platform:
Maximum Interfaces : 1000
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 100
GTP/GPRS : Disabled
BGP Stub : Disabled
Service Acceleration : Disabled
VPN Peers : Unlimited
Second box:
Licensed features for this platform:
Maximum Interfaces : 300
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
BGP Stub : Disabled
Service Acceleration : Disabled
VPN Peers : Unlimited
It's the same, right? The only fields that change are:
- Maximum Interfaces
- Security Contexts
Is there another way to check the licenses of my box?
Thanks again!!
05-23-2012 05:28 AM
Yup, you would need even the maximum interface and contexts license to be the same. There is no other way to check the license.
Thanks,
Varun Rao
Security Team,
Cisco TAC
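The comparison discussed in this thread can be done mechanically before failover is enabled. The following is an added example, not part of the original posts or any Cisco tool: it parses the "Licensed features for this platform" table as quoted above from each box and lists every row that differs. The function names `parse_features` and `license_mismatches` are hypothetical, and the sample input is constructed from the two tables in the thread.

```python
import re

# Constructed sample: the feature table quoted in the thread, with the two
# fields that differ between the boxes left as placeholders.
TABLE = """\
Licensed features for this platform:
Maximum Interfaces : {ifaces}
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : {contexts}
GTP/GPRS : Disabled
BGP Stub : Disabled
Service Acceleration : Disabled
VPN Peers : Unlimited
"""
FIRST_BOX = TABLE.format(ifaces=1000, contexts=100)
SECOND_BOX = TABLE.format(ifaces=300, contexts=2)

HEADER = "Licensed features for this platform"
ROW = re.compile(r"^\s*(.+?)\s*:\s*(.+?)\s*$")

def parse_features(text):
    """Return {feature: value} for the rows that follow the table header."""
    features, in_table = {}, False
    for line in text.splitlines():
        if line.strip().startswith(HEADER):
            in_table = True
            continue
        match = ROW.match(line) if in_table else None
        if match:
            features[match.group(1)] = match.group(2)
        elif in_table and features:
            break  # first non-row line after the rows ends the table
    return features

def license_mismatches(mine, mate):
    """List (feature, mine, mate) for every row that differs or is missing."""
    names = sorted(set(mine) | set(mate))
    pairs = [(n, mine.get(n, "<missing>"), mate.get(n, "<missing>")) for n in names]
    return [row for row in pairs if row[1] != row[2]]

if __name__ == "__main__":
    for row in license_mismatches(parse_features(FIRST_BOX), parse_features(SECOND_BOX)):
        print("%s: %s vs %s" % row)
```

An empty result means the two tables match row for row; any row it returns is a license difference to resolve before enabling failover.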