
Licensing - Security Contexts on ASA5585-X

Pratibha Bhasin
Level 1

All,

I have a customer with 2 ASA 5585-X and they are looking at running a total of 20 security contexts in failover mode on these two firewalls. From a licensing perspective, can I get 10 security contexts on each of these firewalls, giving me a cumulative context number of 20? I am not sure, though, if I will be able to run all 20 contexts in failover mode on both firewalls.

This is the document I am reading, but it is not very clear.

http://www.cisco.com/en/US/docs/security/asa/asa90/license/license_management/license.html#wp1345944

Thanks

3 Replies

Jouni Forss
VIP Alumni

Hi,

If you want to split the 20 Security Contexts between 2 different ASAs then you are looking at configuring an Active/Active Failover environment.

If you want all Security Contexts to be Active only on one physical ASA at a time (while the other is there to take over when the main one fails) then you are looking at configuring an Active/Standby Failover environment.

So in other words

  • Each unit's 10 Security Context license will be combined between the units
  • You can either use 20 Security Contexts on a single physical unit at a time in Active/Standby
  • OR you can divide the 20 Security Contexts between the 2 physical ASAs in Active/Active
    • For example 10 Active in ASA1 and 10 Active in ASA2

Also, here's a partial quote from the Cisco document

Failover License Requirements and Exceptions

Failover units do not require the same license on each unit.

Older versions of ASA software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.

How Failover or ASA Cluster Licenses Combine

For failover pairs or ASA clusters, the licenses on each unit are combined into a single running cluster license. If you buy separate licenses for each unit, then the combined license uses the following rules:

For example, for failover:

You have two ASA 5540 ASAs, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, the contexts are divided between the two units. One unit can use 18 contexts and the other unit can use 12 contexts, for example, for a total of 30.

- Jouni

Hi Jouni,

Thanks for your reply.

What if you are trying to do some contexts Active on one firewall and standby on the second one?

E.g., if I have 4 contexts - c1, c2, c3 and c4

FW1 - c1 and c2 (active)
      c3 and c4 (failover)

FW2 - c1 and c2 (failover)
      c3 and c4 (active)

So in this scenario, technically do I need (4) context licenses on each of these firewalls to work, or just a total of 4?

Appreciate your help

Hi,

What you are talking about is Active/Active Failover. A failover setup that utilises both ASA devices.

Basically, what controls where the Security Contexts are Active is the Failover Group configuration. You always configure 2 Failover Groups. Each has its own ASA set as the Active firewall unit. Then you just assign each Security Context to the Failover Group you want it to be in. This will let you define the Active roles of each device in the way you mentioned above.

To be able to have a total of 4 Security Contexts in a Failover pair, you just need a combined license that amounts to a total of 4 Security Contexts. Actually, the ASAs default to having 2 Security Contexts (most models), so when 2 ASA units are combined in Failover, the pair actually has (at least) 4 Security Contexts.

Hopefully the information has been helpful

- Jouni
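
The failover group layout described above for contexts c1 to c4, as an added configuration sketch that is not part of the original posts. It is entered in the system execution space of the primary unit; the context names come from the question, and it assumes the four contexts are already defined (interfaces allocated, config-url set) and that the failover link between the two units is already configured.

```cisco
! Added example: system execution space, multiple context mode.
! Failover group 1 prefers the primary unit (FW1 in the question),
! failover group 2 prefers the secondary unit (FW2).
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Assign each context to the group whose preferred unit should run it.
! c1 and c2 are active on FW1 and standby on FW2.
context c1
 join-failover-group 1
context c2
 join-failover-group 1
!
! c3 and c4 are active on FW2 and standby on FW1.
context c3
 join-failover-group 2
context c4
 join-failover-group 2
```

After this, `show failover` reports the active or standby state per failover group on each unit, and `show version` lists the combined Security Contexts count for the failover cluster.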
