03-15-2019 05:13 PM - edited 02-21-2020 08:57 AM
hi,
i got a pair of ASA 5520 that i want to enable HA-active/standby. since ASA 8.2 requires both units to have identical licenses, i'm unable to enable HA due to anyconnect essentials license not enabled on the primary/active unit.
is there any way to disable or remove the anyconnect essentials on the standby unit in order to have failover/HA? factory reset?
ciscoasa(config)# Mate's license (AnyConnect Essentials Disabled) is not compatible with my license (AnyConnect Essentials Enabled). Failover will be disabled.
ciscoasa(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 28 days 10 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is f866.f2b1.491e, irq 9
1: Ext: GigabitEthernet0/1 : address is f866.f2b1.491f, irq 9
2: Ext: GigabitEthernet0/2 : address is f866.f2b1.4920, irq 9
3: Ext: GigabitEthernet0/3 : address is f866.f2b1.4921, irq 9
4: Ext: Management0/0 : address is f866.f2b1.4922, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
03-15-2019 05:30 PM
Cisco Adaptive Security Appliance Software Version 8.2(5)
Above code is too old and no support as per i know, why not take this opportunity and upgrade to latest stable. so you have good support.
03-15-2019 06:55 PM
hi,
HW upgrade is not an option for now due to budget constraint and this is in a very remote location (not a priority). that's why an alternative was to temporarily enable HA while waiting for resource/budget approval.
03-15-2019 08:57 PM
As far as I know you cannot "remove" the activation key per se. If you do a complete factory reset it will effectively do it but you would need console access to rebuild your configuration from scratch.
If you can upgrade the software to 8.3+ you can form an HA pair without the same licensing on each unit.
The recommended version for an ASA 5520 would be 9.1(7)32: https://software.cisco.com/download/home/279916878/type/280775065/release/9.1.7%20Interim
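A pre-check for the license mismatch discussed in this thread, as an added example that is not part of any post here and is not Cisco tooling: it parses the "Licensed features" block of `show version` from both units and reports whether a difference would stop failover on pre-8.3 software. The function names and the sample text are constructed for illustration, and the second unit's output is a hypothetical mate that differs only in AnyConnect Essentials.

```python
import re

# Constructed sample input, abbreviated from the 'sh ver' output in this thread.
# UNIT_B is a hypothetical mate that differs only in AnyConnect Essentials.
UNIT_A = """\
Cisco Adaptive Security Appliance Software Version 8.2(5)
Licensed features for this platform:
Maximum VLANs : 150
Failover : Active/Active
VPN-3DES-AES : Enabled
Security Contexts : 2
SSL VPN Peers : 2
AnyConnect Essentials : Enabled
This platform has an ASA 5520 VPN Plus license.
"""
UNIT_B = UNIT_A.replace("AnyConnect Essentials : Enabled",
                        "AnyConnect Essentials : Disabled")


def parse_show_version(text):
    """Return ((major, minor), {feature: value}) from 'show version' text."""
    m = re.search(r"Software Version (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no ASA software version line found")
    version = (int(m.group(1)), int(m.group(2)))
    features, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
        elif in_block and line.startswith("This platform has"):
            break
        elif in_block and ":" in line:
            name, value = line.rsplit(":", 1)
            features[name.strip()] = value.strip()
    return version, features


def failover_license_check(text_a, text_b):
    """Return (blocks_failover, {feature: (value_a, value_b)})."""
    ver_a, feat_a = parse_show_version(text_a)
    ver_b, feat_b = parse_show_version(text_b)
    diff = {k: (feat_a.get(k), feat_b.get(k))
            for k in sorted(set(feat_a) | set(feat_b))
            if feat_a.get(k) != feat_b.get(k)}
    # Per the thread: before 8.3 both units need identical licenses.
    pre_83 = min(ver_a, ver_b) < (8, 3)
    return bool(diff) and pre_83, diff


if __name__ == "__main__":
    blocked, diff = failover_license_check(UNIT_A, UNIT_B)
    print("failover blocked by licensing:", blocked)
    for name, (a, b) in diff.items():
        print(f"  {name}: unit A = {a}, unit B = {b}")
```
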
03-15-2019 09:05 PM
hi marvin,
thanks for confirming my thought of doing a factory reset.
will try to do it. have a great weekend!
03-15-2019 09:11 PM - edited 03-15-2019 09:23 PM
hi marvin,
i just did a factory reset both using 'config factory-default' and 'write erase' and 'reload' but the anyconnect essentials license is still there. any thoughts?
(config)# config factory-default
Based on the management IP address and mask, the DHCP address
pool size is reduced to 253 from the platform limit 256
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.
Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for "management" set to 0 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 management
Executing command: dhcpd address 192.168.1.2-192.168.1.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#
ciscoasa(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 29 days 12 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is f866.f2b1.491e, irq 9
1: Ext: GigabitEthernet0/1 : address is f866.f2b1.491f, irq 9
2: Ext: GigabitEthernet0/2 : address is f866.f2b1.4920, irq 9
3: Ext: GigabitEthernet0/3 : address is f866.f2b1.4921, irq 9
4: Ext: Management0/0 : address is f866.f2b1.4922, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1619X123
Running Activation Key: 0x291bff73 0xa43798a6 0xb9809d80 0xfce4a060 0x4418c123
Configuration register is 0x1
Configuration last modified by enable_15 at 09:07:47.052 UTC Sat Mar 16 2019
ciscoasa(config)# wr er
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa(config)# reload
System config has been modified. Save? [Y]es/[N]o:
Proceed with reload? [confirm]
ciscoasa(config)#
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
03-16-2019 05:21 AM
You have the default 2 SSL VPN licenses, nothing additional:
SSL VPN Peers : 2
You cannot remove those.