
LICENSE UPGRADE ON ASA FAILOVER PAIR

Hi all,

We have a pair of 5515-X in production and want to upgrade the license to support more AnyConnect/mobile users.

The data sheet for AnyConnect clearly mentions that it's a shared license while the Mobility one isn't. Knowing that I need the ASA serial number and the PAK to get the new license file from Cisco, does that mean I can use the same license on both devices? Or if I upgrade one device (active), the standby device won't get messed up?

Thanks,

 


Richard Burts
Hall of Fame

First we need to check on a couple of assumptions:

- the ASA5515X are configured and operating in Active/Standby High Availability operating mode.

- you already have licenses for AnyConnect and Mobility installed and operating.

- you are upgrading the AnyConnect license to support a greater number of users.

If these are correct then you should be able to use the serial number of one of the ASAs (probably the primary) to generate the PAK/license. You then install the new license on the ASA and the backup will share the new AnyConnect license and continue to use its Mobility license. The standby should not get messed up.

Be aware that this works pretty well as long as both ASAs are operational. If something happens and the primary goes out of service (you are doing maintenance or something happens to the primary) the standby will continue to operate using the shared license. But a clock is running and after some time (I do not remember the specifics but it is measured in days not hours) if the primary, with its license, is not back then the standby will effectively have no license and AnyConnect will stop working on the standby.

 

HTH

 

Rick


Thanks Richard... And I think you are right but I need to confirm...

When I do a show license on the boxes (active and standby), they both mention AnyConnect Premium enabled, as per below:

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual

This platform has an ASA 5515 Security Plus license.

 

So I ordered more licenses to increase the AnyConnect Premium number of seats (Mfg#: L-ASA-SSL-25= (quantity 1)). So I assume these 25 seats can be shared between the two ASAs, right?

Now as for AnyConnect Essentials, as it's disabled on both ASAs, I need two licenses (one for each ASA to enable it), right?

Thanks,

 

The part number you mention will give you 25 AnyConnect Premium licenses for the HA pair.

If you use AnyConnect Premium you cannot simultaneously use AnyConnect Essentials. Both may be licensed but you use only one or the other based on your requirements.

In an HA pair the default shows the 2 included Premium licenses (full-featured but mostly for evaluation purposes as most production VPNs require more than two concurrent users) that ship with all ASAs added together from the primary and secondary unit: 2+2=4.

If the unit to which you apply the license fails, the secondary unit can continue to use the license for 30 days. If you RMA the failed unit under Smartnet support, Cisco will entitle you to rehost the license onto the replacement unit.
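An added example, not part of any reply in this thread: a small Python parser for the "Failover cluster licensed features" table quoted above, which reports whether the pair's combined license covers a planned AnyConnect rollout. The function names, the `required_sessions` and `need_mobile` parameters, and the trimmed sample text are assumptions made for the illustration.

```python
import re

# Constructed sample: a subset of the "show license" output quoted in this thread.
SAMPLE = """\
Failover cluster licensed features for this platform:
Maximum VLANs                     : 100            perpetual
Failover                          : Active/Active  perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Total VPN Peers                   : 250            perpetual
AnyConnect for Mobile             : Disabled       perpetual
"""

# One table row: feature name, colon, value, duration column.
ROW = re.compile(r"^(?P<name>.+?)\s*:\s+(?P<value>\S+)\s+(?P<term>\S.*?)\s*$")

def parse_cluster_features(text):
    """Return {feature: (value, duration)} for the failover cluster table only."""
    features, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Failover cluster licensed features"):
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW.match(line)
        if not m:
            if features:
                break  # first non-row line after the table ends it
            continue
        value = m["value"]
        features[m["name"]] = (int(value) if value.isdigit() else value, m["term"])
    return features

def vpn_findings(features, required_sessions, need_mobile):
    """Hypothetical helper: compare the pair's combined license with what is planned."""
    findings = []
    premium = features.get("AnyConnect Premium Peers", (0, ""))[0]
    if isinstance(premium, int) and premium < required_sessions:
        findings.append(f"AnyConnect Premium Peers is {premium}, need {required_sessions}")
    if need_mobile and features.get("AnyConnect for Mobile", ("Disabled", ""))[0] != "Enabled":
        findings.append("AnyConnect for Mobile is not enabled")
    for name, (_, term) in features.items():
        if term != "perpetual":
            findings.append(f"{name} is time-limited ({term})")
    return findings

if __name__ == "__main__":
    for finding in vpn_findings(parse_cluster_features(SAMPLE), 25, need_mobile=True):
        print("FINDING:", finding)
```

Run against the output of both units before and after installing the new key, the same check shows whether the cluster-wide table, rather than only the per-unit one, reflects the change.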

Thank you both a lot.

Things are getting clearer now.

Will go ahead and upgrade the premium license in the Active unit.

I will fight with my VAR to change the Essentials license to the AnyConnect Mobile.

 

 

Thanks for posting the additional information. It does help clarify some things. I assumed that you were already operating AnyConnect and Mobile. But this makes it clear that you have only the built in license for 2 AnyConnect SSL VPN on each ASA and no license for Mobility.

 

The 25 seat license that you mention will allow you to support 25 concurrent AnyConnect sessions and the single license will allow both ASAs to operate and to support those 25 concurrent users. You would install the license on one ASA (probably the primary ASA) and both ASAs would be able to use the license. (As a note about this remember that only one ASA at a time will be carrying the AnyConnect sessions, which is one of the reasons why only one license is required.)

 

Perhaps there is some small confusion about the AnyConnect Premium and AnyConnect Essentials licenses. You would use one or the other but you can not operate both Premium license and Essentials license on the same ASA. So since you are ordering the Premium license you do not want the Essentials license.

 

Also note that if you want to support VPN on mobile devices that you will need the Mobility license for the ASAs.

 

HTH

 

Rick


It has been an interesting discussion and I am glad that my suggestions have been helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to recognize that helpful information is here.

 

HTH

 

Rick


Hi Rich,

My apologies if it's not OK to add a post to a thread that was supposedly closed 2 years back. If it is OK, can I ask another question related to the original post? I want to install an upgrade license for the number of contexts on a failover pair running in ACTV/STBY. Do I need to reload both boxes one by one, or can reloading only the Active suffice for the license to take effect on both units?

I do understand that reloading one after the other won't bring any downtime, but I just want to avoid reloading the STBY box if there's not an actual need.

Appreciate your help on this.

Regards,

Sanjeev Nandal

Sanjeev,

If you are moving from single context to multiple context mode you will need to reload both units as the entire configuration is erased during this mode transition. That's due to the change of how resources are allocated in the system execution space and config files are then assigned to the contexts.

If you are already in multiple context mode and simply add licenses I believe the reload of the Active unit will suffice. Your HA pair (whether running Active-Active or Active-Standby) will have the number of contexts you get when adding those on the Primary and Secondary appliances.

Thank you sir Marvin. That clears the confusion.

Hello Richard,

Good day. Once the license is installed on the primary ASA, a reboot is required for the new license to take effect. During this process, all traffic will go through the secondary box. Now, my question is, is the secondary ASA required to be restarted as well for the shared license to take effect?

Thanks