12-19-2016 06:12 AM - edited 03-08-2019 08:38 AM
Hello all,
We currently have in place an ASA 5510, 8.2(3)
It has the Security Plus License on it, so it supports:
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 250
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
Now we purchased another ASA 5510 to put it in as a Failover unit.
It is running 9.1(4)
It says it also has the Security Plus license, this is what it supports:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
But when I set up failover on the two units, it balks.....
I don't think the different versions would cause it to have problems, would it?
It seems to be balking over the SSL VPNs, the 8.2(3) ASA supports 250 SSL VPNs
While the 9.1(4) only supports 2
So if we get the correct license, then Failover will work?
I think this license: ASA5510-BUN-K9
12-19-2016 06:40 AM
Your older ASA appears to have the AnyConnect Premium license and your new ASA does not have this license. I was not sure that this would prevent failover from working. But if it is complaining about SSL VPN then it looks like this might be the issue.
HTH
Rick
12-19-2016 06:45 AM
This is what shows up when I do the config
************WARNING****WARNING****WARNING********************************
Mate version 9.1(4) is not identical with ours 8.2(3)
************WARNING****WARNING****WARNING*********************************
Mate's license (2 SSL VPN Peers) is not compatible with my license (250 SSL VPN
Peers). Failover will be disabled.
So it seems it is the 2 SSL VPN peers on the 9.1(4) vs the 250 on the 8.2(3)
So which license would I need to get on the 9.1(4) ASA to allow for the 250 SSL VPNs?
12-19-2016 06:57 AM
Thanks for the additional information. I believe that this is showing that two problems impact the implementation of failover. I believe that you will need to upgrade the version of the older ASA to get failover to work.
But the immediate question is about the license for AnyConnect. And this becomes a very interesting question. Since the older ASA seems to have the Premium license, one answer would be to purchase the Premium license for the new ASA. But Cisco has changed the licensing for AnyConnect. The new AnyConnect licenses are Plus (similar to the Essentials license) and Apex (similar to the Premium license). And one of the interesting things about the new licenses is that when you buy the new license you can apply it to multiple ASAs. So my suggestion is that you get a new Apex license and apply it to both of the ASAs.
HTH
Rick
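A pre-check for the two mismatches the warning above reports (software version and license values), as an added example that is not part of the thread. The `show version` excerpts are constructed and abridged from the two listings posted here, and the feature-name aliases between 8.2 and 9.1 are an assumption inferred from the listings and the warning text.

```python
import re

# Constructed, abridged `show version` excerpts based on the two listings in the thread.
PRIMARY = """\
Cisco Adaptive Security Appliance Software Version 8.2(3)
Inside Hosts : Unlimited
Failover : Active/Active
Security Contexts : 2
SSL VPN Peers : 250
Total VPN Peers : 250
"""
SECONDARY = """\
Cisco Adaptive Security Appliance Software Version 9.1(4)
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Security Contexts : 2 perpetual
AnyConnect Premium Peers : 2 perpetual
Total VPN Peers : 250 perpetual
"""

# Assumption: these rows are the same features under their older and newer names
# (the warning in the thread calls the 9.1(4) unit's 2 peers "SSL VPN Peers").
ALIASES = {
    "SSL VPN Peers": "AnyConnect Premium Peers",
    "VPN-DES": "Encryption-DES",
    "VPN-3DES-AES": "Encryption-3DES-AES",
}

def parse_show_version(text):
    """Return (software version, {feature: value}) from show version text."""
    version = re.search(r"Software Version (\S+)", text)
    features = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s+:\s+(\S+)(?:\s+perpetual)?\s*$", line)
        if m:
            features[ALIASES.get(m.group(1), m.group(1))] = m.group(2)
    return (version.group(1) if version else None), features

def failover_precheck(primary, secondary):
    """List version and license differences between the two units."""
    v1, f1 = parse_show_version(primary)
    v2, f2 = parse_show_version(secondary)
    findings = [f"version: {v1} vs {v2}"] if v1 != v2 else []
    # Compare only rows both units report; newer software lists extra features.
    for name in sorted(f1.keys() & f2.keys()):
        if f1[name] != f2[name]:
            findings.append(f"license {name}: {f1[name]} vs {f2[name]}")
    return findings
```

Running `failover_precheck` on saved `show version` output from both units before pairing them surfaces the same two differences the ASA reported at failover time.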
12-19-2016 06:59 AM
Ok,
Thank you for the information.
What is pricing for the Apex License?
Also, is there any place you know of that says one way or the other if the differing IOS versions will cause Failover to not work?
12-19-2016 07:08 AM
Hi,
The APEX (AnyConnect) list price is $40 per unit. So, it depends on your discount. Talk to your Cisco sales guy or your reseller. Whatever your standard discount is, it will apply to this as well.
HTH
12-19-2016 07:09 AM
But it is subscription only?
12-19-2016 07:12 AM
I don't think so. The quote I have does not say anything about subscription only.
BTW, here is the part number:
L-AC-APX-5Y-S1
HTH
12-19-2016 07:15 AM
Ok, thank you
I will look it up.
12-19-2016 07:27 AM
I think the 5Y is for 5 years.
Could be. Cisco makes things complicated every time they come up with a new revision of hardware. They really make life difficult for people.
Good Luck!
12-19-2016 07:31 AM
Tell me about it.
Trying to figure out their licenses is like trying to learn another language.
12-19-2016 07:16 AM
I think the 5Y is for 5 years.
12-19-2016 07:08 AM
Also seems that the new license is only subscription based.....
Is that correct?