
Question re: failover licensing on 5510 8.0(4)

mat_rouch
Level 1

We have a set of ASA5510s configured as an active/standby HA pair.  They show the following licenses:

Primary unit:

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 250
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5510 Security Plus license.

secondary unit:
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 250
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5510 Security Plus license.

My question is - is it possible to separate the failover pair and run each ASA as a standalone unit for a period of time, then reinstate the HA pair?

Thanks,

-Mathew

5 Replies

mvsheik123
Level 7

Hi Mathew,

When you separate the HA pair, they try to share the same address (configured failover address) and you may have a conflict on the network. One way is to shut the Standby unit, remove it from the network and change the IPs; it might work for you. When you place it back, reinstate the old state (as secondary) with basic config. It will detect the Active unit online and become Standby.

Thx

MS

Thanks for the reply. 

Yes, the ip conflict part makes sense.  That should not apply here (see below.) I am more concerned with whether there are any licensing issues involved in doing this.  The goal is to separate the HA pair and run them as completely independent firewalls temporarily during a large migration project.  They would not be connected to any common LAN segments during the migration and would have different IPs.  Then once the migration is complete we wipe the ASA connected to the "old" networks, connect it to the "new" networks and reinstate the HA pair, using the wiped ASA as the standby unit.

From what I can see, both ASAs in an HA pair have identical licenses in v8.x, so the ASAs should not care whether they are configured as standalone or failover units.  I just want to make sure there are no gotchas in doing this.

Thanks,

-Mathew

You shouldn't have any licensing problems doing what you describe as long as your new configuration on the split-off ASA doesn't exceed any of the numeric limits in your output above.
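
An added example, not part of the original thread: one way to check a planned standalone configuration against the numeric limits in the license output above, and to confirm both units report the same licenses before splitting them. The `PLANNED` values and the function names are hypothetical.

```python
import re

# Abridged copy of the primary unit's license output from the question.
PRIMARY = """\
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 250
WebVPN Peers                 : 2
UC Proxy Sessions            : 2
"""
# Hypothetical planned usage for the split-off unit (constructed values).
PLANNED = {"Maximum VLANs": 40, "Security Contexts": 3, "VPN Peers": 100}

def parse_licenses(text):
    """Parse 'Feature : Value' lines into a dict; Unlimited becomes infinity."""
    features = {}
    for line in text.splitlines():
        m = re.match(r"(.+?)\s*:\s*(\S.*?)\s*$", line)
        if not m:
            continue  # header line or the 'This platform has ...' summary
        name, value = m.groups()
        if value.isdigit():
            features[name] = int(value)
        else:
            features[name] = float("inf") if value == "Unlimited" else value
    return features

def license_diff(a, b):
    """Features whose values differ between two units, as {name: (a, b)}."""
    return {f: (a.get(f), b.get(f))
            for f in sorted(set(a) | set(b)) if a.get(f) != b.get(f)}

def over_limit(licenses, planned):
    """Planned counts that exceed a numeric limit, as {name: (planned, limit)}."""
    return {f: (n, licenses[f]) for f, n in planned.items()
            if isinstance(licenses.get(f), (int, float)) and n > licenses[f]}

if __name__ == "__main__":
    lic = parse_licenses(PRIMARY)
    print("differences vs. peer:", license_diff(lic, lic))
    print("over limit:", over_limit(lic, PLANNED))
```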

Cody Lo
Level 1

I'm in a similar situation. We currently have a pair of 5510s running in single failover mode, and we would like to split them up, add security context licenses to the 2 separate boxes and move one of the units to another site. I'm planning how to do the initial split. Should I just power off the secondary unit and take it offline, then reinstate the configuration so it can run as an independent firewall? And for the active unit, I will remove the failover commands as well so it will become standalone again.

Cody, your plan should cover it.
