ASA licensing for HA for 5516-x

LikesEmail15764
Level 1

Hello everyone. I'm new here, so I hope to be able to do this correctly. I have two Cisco 5516-x ASAs that I was told need to be set up in HA mode. I was looking at the licensing, and I'm trying to determine if I can do HA with these two with what is currently on there. My understanding, from what I think I see, is that I can do an active/active setup, but I'm not certain that this is what it means. Can someone verify with me that I can do an HA setup with what this below shows? And if I wanted to do active/standby, what would I need to purchase to make that happen? Thank you guys in advance for the help.

 

5516# sh ver

Cisco Adaptive Security Appliance Software Version 9.8(4)15
Firepower Extensible Operating System Version 2.2(2.121)
Device Manager Version 7.13(1)

Compiled on Thu 14-Nov-19 07:41 PST by builders
System image file is "disk0:/asa984-15-lfbff-k8.SPA"
Config file at boot was "startup-config"


Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1

1: Ext: GigabitEthernet1/1 : address is xxxxxxxxxx, irq 255
2: Ext: GigabitEthernet1/2 : address is xxxxxxxxxx, irq 255
3: Ext: GigabitEthernet1/3 : address is xxxxxxxxxx, irq 255
4: Ext: GigabitEthernet1/4 : address is xxxxxxxxxx, irq 255
5: Ext: GigabitEthernet1/5 : address is xxxxxxxxxx, irq 255
6: Ext: GigabitEthernet1/6 : address is xxxxxxxxxx, irq 255
7: Ext: GigabitEthernet1/7 : address is xxxxxxxxxx, irq 255
8: Ext: GigabitEthernet1/8 : address is xxxxxxxxxx, irq 255
9: Int: Internal-Data1/1 : address is xxxxxxxxxx, irq 255
10: Int: Internal-Data1/2 : address is xxxxxxxxxx, irq 0
11: Int: Internal-Control1/1 : address is xxxxxxxxxx, irq 0
12: Int: Internal-Data1/3 : address is xxxxxxxxxx, irq 0
13: Ext: Management1/1 : address is xxxxxxxxxx, irq 0
14: Int: Internal-Data1/4 : address is xxxxxxxxxx, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 300 perpetual
Total VPN Peers : 300 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
VPN Load Balancing : Enabled perpetual

Serial Number: XXXXXXXXX
Running Permanent Activation Key:
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration has not been modified since last system restart.

balaji.bandi
Hall of Fame

As per the output below, you have only a 2-context license; you can do 2 contexts on this HA.

 

Security Contexts : 2 perpetual

Cluster : Enabled perpetual
Cluster Members : 2 perpetual

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you. Does that mean I can do two physical boxes also?

balaji.bandi
Hall of Fame

Yes, you can do a cluster of 2 devices, with 2 contexts by default.

BB


Thank you for your help.

Do you know what license it would take to be able to do active/standby?  I think I would prefer doing that if possible.

Your device is already licensed to do both active/active or active/standby, so you don't need any additional licenses to perform an active/standby failover.

Thank you. I did not know it would do active/standby also. Is that because it can do active/active that it can also do active/standby?

You're welcome. That's right, having the active/active license would mean the device is licensed for multi-contexts. However, if you have 0 multi-context licenses, your device would show active/standby next to the Failover on the show version. In that case, your device can only do active/standby failover, but not active/active.

You do not need an extra license; you already have it.

BB


jiripijacek
Level 1

I have a question:

I have 2 ASA 5508 in HA active/active

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 100 perpetual
Total VPN Peers : 100 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 320 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
VPN Load Balancing : Enabled perpetual


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 8 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 100 perpetual
Total VPN Peers : 100 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 320 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
VPN Load Balancing : Enabled perpetual

 

But in the context I have AnyConnect Premium Peers : 0

and I want to set up AnyConnect, but debug tells me: Session terminated, no AnyConnect Apex license available

I hope the context inherits the licenses. Any idea? Thank you.

Hi @jiripijacek,

When using multi-context, you need to allow usage of VPN within a context. For this purpose, you normally create a new class, defining restrictions, something like:

class ClassMyContext1
 limit-resource ASDM 5
 limit-resource Telnet 5
 limit-resource Mac-addresses 65535
 limit-resource SSH 5
 limit-resource VPN Other 20
 limit-resource VPN AnyConnect 100

After this, you need to add this class to the required context:

context MyContext1
 member ClassMyContext1
 allocate-interface Port-channel1.11-Port-channel1.12
 allocate-interface Port-channel1.19
 storage-url private disk0:/MyContext1Disk
 config-url disk0:/MyContext1.cfg

If configuring AnyConnect, you would want to add the command 'storage-url private disk0:/MyContext1Disk', as this would create a visible disk for your context, where you need to add AnyConnect software and profiles.

BR,

Milos

xxxx-fw-1(config-class)# limit-resource VPN anyConnect 100
ERROR: Cannot set the limit. Total resources required is 200 which exceeds the system capacity of 100

Should I switch to anyconnect-essentials?

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# anyconnect-essentials

 

I didn't pay attention - you have only 8 AnyConnect Premium Peers licenses. For AnyConnect in multi-context mode, you need to have AnyConnect Apex licenses, which is why you can't switch to AnyConnect Essentials (for which you don't have licenses at all).

Try with 'xxxx-fw-1(config-class)# limit-resource VPN anyConnect 8'

BR,

Milos
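
Added example, not part of the thread and not Cisco tooling: a Python parser for the "show version" license tables quoted above. It applies the rule from the accepted answer (Active/Active covers both failover modes) and reads the pair-wide AnyConnect Premium Peers count that the last reply uses for the resource limit. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample, shaped like the "show version" license tables quoted in this thread.
SAMPLE = """\
Licensed features for this platform:
Failover : Active/Active perpetual
Security Contexts : 2 perpetual
AnyConnect Premium Peers : 4 perpetual

Failover cluster licensed features for this platform:
Failover : Active/Active perpetual
Security Contexts : 4 perpetual
AnyConnect Premium Peers : 8 perpetual

Serial Number: XXXXXXXXX
"""

HEADER = re.compile(r"^(.*licensed features for this platform):$", re.I)
# Only "perpetual" rows are handled, as those are the only kind shown in the thread.
FEATURE = re.compile(r"^([^:]+?)\s*:\s*(.+?)\s+perpetual$")

def parse_license_tables(text):
    """Return {table header: {feature name: value}} for each license table."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER.match(line):
            current = tables.setdefault(line.rstrip(":"), {})
        elif current is not None and (m := FEATURE.match(line)):
            current[m.group(1)] = m.group(2)
    return tables

def _count(value):
    """License counts are integers; anything else (e.g. 'Disabled') counts as 0."""
    return int(value) if value.isdigit() else 0

def ha_summary(text):
    tables = parse_license_tables(text)
    if not tables:
        raise ValueError("no license table found")
    # Prefer the pair-wide "Failover cluster" table; the thread's reply counts the 8 peers from it.
    name = next((t for t in tables if t.lower().startswith("failover cluster")), next(iter(tables)))
    lic = tables[name]
    # Rule from the accepted answer: Active/Active covers both modes, Active/Standby only itself.
    modes = {"Active/Active": ["active/standby", "active/active"],
             "Active/Standby": ["active/standby"]}.get(lic.get("Failover"), [])
    return {"table": name, "failover_modes": modes,
            "security_contexts": _count(lic.get("Security Contexts", "")),
            "anyconnect_premium_peers": _count(lic.get("AnyConnect Premium Peers", ""))}

if __name__ == "__main__":
    print(ha_summary(SAMPLE))
```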