
Security Context License on Secondary/Standby ASA

johnlloyd_13

hi,

i've got an active-standby pair of ASA 5555-X in multi context mode. we'll migrate to a new DC and the plan is to remove the primary/active unit and use it in the new DC, and leave the secondary/standby running in the current DC to lessen the outage.

the 100 context license was only applied to the primary FW and it's being shared with the secondary.

my question is, will the context license on the secondary unit not expire (still be perpetual) and run as normal? we'll eventually move the secondary FW and bring it to the new DC once all the colo stuff is ready.

 

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 100 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

This platform has an ASA5555 VPN Premium license.


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 100 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual

This platform has an ASA5555 VPN Premium license.

 

6 Replies

balaji.bandi

Multi-Context means (Active / Active) - in the way of Active / Standby by the Groups.

Then only the Secondary will take all the Active roles; you should be good until you move the Primary to the new DC and join them back.


BB


hi balaji,

thanks for the info! do you have a cisco link to support this?

the pair will be disjoined for a few months while migrating to the new DC.

Marvin Rhoads

It will be retained when separated from the primary unit. There is a time limit on that though - If the units lose communication for more than 30 days, then each unit reverts to the license installed locally. During the 30-day grace period, the combined running license continues to be used by all units.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/general/asa-914-general-config/intro-license.html#ID-2148-00000aaf
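
The reply above says a unit out of contact with its peer for more than 30 days reverts to its locally installed license. As an added example (not from the thread or from Cisco), this script parses `show version` license output and lists the features whose local value is below the failover-cluster value, which is what that unit would lose on revert. The sample output and all function names are constructed for illustration.

```python
import re

# Constructed sample in the format of the "show version" output quoted in the
# question; values are illustrative for a standby unit, not from a real device.
SAMPLE = """\
Licensed features for this platform:
Maximum VLANs : 500 perpetual
Security Contexts : 2 perpetual
AnyConnect Premium Peers : 2 perpetual
Total TLS Proxy Sessions : 2 perpetual

This platform has an ASA5555 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum VLANs : 500 perpetual
Security Contexts : 100 perpetual
AnyConnect Premium Peers : 4 perpetual
Total TLS Proxy Sessions : 4 perpetual
"""

LINE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S+)\s+(?P<term>.+?)\s*$")


def parse_sections(text):
    """Return {'local': {...}, 'cluster': {...}} mapping feature -> (value, term)."""
    sections = {"local": {}, "cluster": {}}
    current = None
    for line in text.splitlines():
        if line.startswith("Failover cluster licensed features"):
            current = "cluster"
        elif line.startswith("Licensed features for this platform"):
            current = "local"
        elif current and (m := LINE.match(line)):
            sections[current][m["name"]] = (m["value"], m["term"])
    return sections


def rank(value):
    """Order license values: Disabled < Enabled/number < Unlimited."""
    if value.isdigit():
        return int(value)
    return {"Disabled": -1, "Enabled": 0, "Unlimited": float("inf")}.get(value, 0)


def lost_on_revert(text):
    """Features whose local value is below the merged failover-cluster value."""
    s = parse_sections(text)
    return {name: (s["local"][name][0], value)
            for name, (value, _) in s["cluster"].items()
            if name in s["local"] and rank(s["local"][name][0]) < rank(value)}
```

Run `lost_on_revert()` against output captured from each unit separately, since the locally installed section differs per unit.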

hi marvin,

the link mentioned ASA time-based license, i.e. botnet, but none was mentioned for permanent/perpetual licenses.

does the 30-day grace period include 'shared' permanent licenses, i.e. the multiple/security context license?

My (very old - 2013) notes on this indicate that it also applies to context licenses. That was as of 8.3; but I don't think the way it works has changed since then.

thanks marvin!

i'll just re-confirm this with TAC.
