02-06-2012 06:20 AM - edited 03-11-2019 03:24 PM
Hi out there
We are going to deploy an active/active setup of 2 ASA 5585s. Here we will implement a concept of security zones through contexts, where different services will be firewalled through a separate firewall context. Now my question - will a security context consume 1 or 2 licenses because we are running in an active/active setup? Right now I got completely confused when my manager asked me that question...
I would say that we only use one security context license - but since we are running in an active/active setup - even though the other instance is standby - will it consume a context license? We are using ASA OS 8.4.x
best regards /ti
02-06-2012 06:46 AM
Context licenses are not shared. Each device in the cluster must have its own context licenses.
Also note that if you are wanting to use any shared feature licenses, that is incompatible with an Active-Active cluster. Reference.
02-06-2012 07:07 AM
Hi Marvin
Are you sure? On the same page it is stated that:
–You have two ASA 5540 ASAs, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, one unit can use 18 contexts and the other unit can use 12 contexts, for example, for a total of 30; the combined usage cannot exceed the failover cluster license (in this case, 30).
•For licenses that have a status of enabled or disabled, then the license with the enabled status is used.
•For time-based licenses that are enabled or disabled (and do not have numerical tiers), the duration is the combined duration of both licenses. The primary unit counts down its license first, and when it expires, the secondary unit starts counting down its license. This rule also applies to Active/Active failover, even though both units are actively operating.
02-06-2012 07:39 AM
Thanks for pointing out the additional information. It is pretty confusing.
I may have misspoken in saying they are not shared, as they apparently can be divided across that active-active pair. I'm not entirely clear about all the implications of that.
I'm going to go back to the drawing board and consult with my contacts at Cisco on this particular question prior to muddying the waters further.
02-09-2012 04:12 PM
Some additional clarification - context licenses CAN be distributed among cluster members. However, each configured context - whether Active or Standby - takes up a context license. The examples I got were as follows:
So if one firewall has 5 active and 15 standby, and the other has 15 active and 5 standby, then you will have to have 40 total context licenses in the cluster license. With the 8.3+ cluster license, though you can have more configured contexts on one firewall than it has local licensing, the total number of configured contexts on both firewalls cannot exceed the cluster license. So if you've got 12 configured contexts on one and 18 on the other, you must have 30 total context licenses between the two even if one may only have a 10 context license.
Hope this helps!
02-09-2012 11:32 PM
Hi again
Yes, thanks for the reply - this is also what I have concluded - I just shortly got a bit confused by the term "active/active" - we have only been running in an active/standby setup until now
best regards /ti