Introduction
In many cases, network outages occur while upgrading the licenses on FWSMs in failover. This happens because failover is disabled on both FWSMs due to a "License Mismatch", and that affects the traffic going through the FWSM.
Error Message
The following typical error message is seen in the console logs when a license mismatch is detected among the failover peers:
Mate's license (X Contexts) is not compatible with my license (Y Contexts). Failover will be disabled.
In the output of "show failover history", the reason for disabling failover will be "Other unit license is different".
This document aims at explaining the correct steps to be followed while upgrading Licenses in an Active/Standby or Active/Active failover scenario.
Steps to Upgrade
In the following example, I will be upgrading the context license to 250 on the devices. Before upgrading the licenses, please ensure that failover works properly.
Step 1: On the Active device, issue "no failover". This forces the Standby device to be in Pseudo-Standby state, in which it will not pass any traffic. Also, this will prevent the Standby device from trying to become the Active unit when the licenses do not match. If the devices are running in Active/Active failover, run the command "no failover" on the system context. Once you do this, you will see that the Failover is Off on both devices as follows:
On the Active device:
FWSM-Primary(config)# sh fail
Failover Off
Failover unit Primary
Failover LAN Interface: FAIL-LAN Vlan 50 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
On the Standby device:
FWSM-Secondary(config)# sh fail
Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: FAIL-LAN Vlan 50 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Step 2: Enter the activation-key on the Primary. Please ensure that this license is for the Primary device's serial number. In the active/active setup, enter the activation key from the system context.
FWSM-Primary(config)# activation-key xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
Once you enter this command, you will see the following:
Licensed features for this platform:
Maximum Interfaces : 1000
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 250
GTP/GPRS : Disabled
BGP Stub : Disabled
VPN Peers : Unlimited
Both running and flash activation keys were updated with the requested key.
Step 3: Use the command "show version" on the Active unit to check the license. You will see "Security Contexts:250" and the activation key will be what you had entered (look for "Running Activation Key" under "show version").
Step 4: Go to the system context of the Standby Unit, and enter the corresponding activation key. Please ensure that this license is for the Standby device's serial number. In the active/active setup, enter the activation key from the system context.
FWSM-Secondary(config)# activation-key yyyyyyyy yyyyyyyy yyyyyyyy yyyyyyyy
Once you enter this command, you will see the following:
Licensed features for this platform:
Maximum Interfaces : 1000
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 250
GTP/GPRS : Disabled
BGP Stub : Disabled
VPN Peers : Unlimited
Both running and flash activation keys were updated with the requested key.
Step 5: Use the command "show version" on the Standby to check the license. You will see "Security Contexts:250" and the activation key will be what you had entered (look for "Running Activation Key" under "show version").
Step 6: Enable failover on the Active device by issuing the command "failover". In the Active/Active failover setup, enter this command from the system context.
This finishes the license upgrade process.
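Before re-enabling failover in the last step, the license listings captured from both units can be compared offline. The following Python sketch is an added example, not part of the original document or any Cisco tooling; the function names and sample text are constructed, and it treats any differing feature line as a reason to stop, which is stricter than the context-count check named in the error message.

```python
import re

# Constructed sample output, modelled on the listing shown after "activation-key".
PRIMARY = """Licensed features for this platform:
Maximum Interfaces : 1000
Failover : Active/Active
VPN-3DES-AES : Enabled
Security Contexts : 250
GTP/GPRS : Disabled
Both running and flash activation keys were updated with the requested key.
"""
# Constructed: a peer whose key has not been upgraded yet.
SECONDARY_STALE = PRIMARY.replace("Security Contexts : 250", "Security Contexts : 100")

FEATURE_LINE = re.compile(r"^(.+?)\s*:\s*(.+)$")

def parse_licensed_features(text):
    """Return {feature: value} for the 'Licensed features' section of CLI output."""
    features, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("licensed features for this platform"):
            in_section = True
            continue
        if not in_section:
            continue
        m = FEATURE_LINE.match(line)
        if m:
            features[m.group(1)] = m.group(2).strip()
        elif features:
            break  # first line that is not "name : value" ends the section
    return features

def license_mismatches(primary_text, secondary_text):
    """Map each differing feature to its (primary, secondary) values."""
    a, b = parse_licensed_features(primary_text), parse_licensed_features(secondary_text)
    if not a or not b:
        raise ValueError("no 'Licensed features' section in one of the outputs")
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def ready_for_failover(primary_text, secondary_text, expected_contexts):
    """True only if both units report the same features and the target context count."""
    if license_mismatches(primary_text, secondary_text):
        return False
    contexts = parse_licensed_features(primary_text).get("Security Contexts")
    return contexts == str(expected_contexts)

if __name__ == "__main__":
    print(license_mismatches(PRIMARY, SECONDARY_STALE))
    print(ready_for_failover(PRIMARY, PRIMARY, 250))
```

Feed it the saved "show version" or "activation-key" output from each unit; an empty mismatch map and a True result mean both units report the same license before "failover" is issued.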
The following FWSM configuration guides now include the upgrading process as a result of the fix for bug CSCts52674:
4.0 doc
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/swcnfg_f.html#wp1075771
4.1 doc
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/swcnfg_f.html#wp1073958
Note: When an FWSM is replaced, the licenses have to be transferred to the new unit from the old one. After installing the new activation key, you might find that the licenses don't reflect the actual status; for example, the number of interfaces may not be what it was prior to the replacement. In such cases, please confirm whether the module was in multiple context mode earlier. If yes, you will have to convert the new module to multiple context mode to see the correct licenses.