Solved: Failover License Sync Between Two ASA 5520

SiJian Bao · ‎06-04-2013

According to the link here:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_license.html#wp1315746

Starting with Version 8.3(1), it no longer needs to install identical licenses. Typically, we only buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active.

So I wanna know if there's some additional configuration to synchronize the licenses such as SSL VPN or Context between the primary one and the second one? Or they can just synchronize by default as soon as I finish the failover configuration and when the primary one gets down, the second one will take over the role including licenses automatically?

Julio Carvajal · ‎06-04-2013

Hello SiJian,

No need for extra configuration, that will be done automatically, and yes, in case of failover the one up will take the license set.

Cool stuff ah?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎06-04-2013

Hello SiJian,

No need for extra configuration, that will be done automatically, and yes, in case of failover the one up will take the license set.

Cool stuff ah?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

SiJian Bao · ‎06-04-2013

Hi Jcarvaja,

Thanks so much for your answer, it's really cool and convenient for deploying.

Julio Carvajal · ‎06-04-2013

Hello Sijian,

Exactly, and just for you to know:

If the failover gets disabled, the unit up and running will maintain the licenses for both of them ( cluster ) for 30 days, then it will be placed into it's default state (if it keep the failover state on failed for 30 days)

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Karsten Iwen · ‎06-04-2013

yes, much better then the old licensing!

But not cool if you have a power outage, both ASAs are off and the primary ASA with the licenses doesn't come up for whatever reason. Then you are in trouble. But I assume that licensing@cisco.com can handle that lightning fast, at least my past queries were answered and handled always that way.

Sent from Cisco Technical Support iPad App

pramod · ‎01-10-2014

Karsten - I have an issue in synching the licenses between active and standby firewalls. I have installed the security plus license on the primary firewall and done the failover configurations, but on standby firewall i can't enable the failover commands as the license is not replicated to standby firewall. Earlier both ASA has base version installed. what might be the issue. Does the replication happen automatic? let me know.. how the primary firewall knows the standby inorder to replicate the license?

Karsten Iwen · ‎01-10-2014

The SecurityPlus License is a prerequisite that you need on both firewalls to use failover. After that, you can share licenses between the ASAs. But you cannot share the licenses that you need to enable the sharing.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni