Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
822
Views
0
Helpful
3
Replies

APEX/PLUS licenses for my backup ASA

Stanly
Level 1
Level 1

‎12-17-2018 10:51 AM

Hi All,

 

If Im applying Apex or PLUS licenses to my active ASA, is it available across the virtual contexts or for each VC do I need to apply licenses?

 

Also If I have a Active/standby virtual contexts across 2 ASA devices, will the APEX/PLUS  licenses Inherit to the backup Context?

 

Appreciate your responses.

 

Regards

BS

Labels:
0 Helpful
3 Replies 3

Roy Harrington
Cisco Employee
Cisco Employee

‎12-17-2018 03:13 PM - edited ‎12-17-2018 03:21 PM

Hi Stanly,

 

As far as virtual contexts whatever is applied to the main context for licensing is shared across the sub contexts. However some licenses will need to be allocated to sub contexts such as Anyconnect. If you have a 500 user license you will need to allocate how many licenses from that pool can be used in each context.

class gold
  limit-resource Mac-addresses 10000
  limit-resource Conns 15.0%
  limit-resource rate Conns 1000
  limit-resource rate Inspects 500
  limit-resource Hosts 9000
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource rate Syslogs 5000
  limit-resource Xlates 36000
  limit-resource Routes 5000
  limit-resource VPN Other 10
  limit-resource VPN Burst Other 5
  limit-resource VPN AnyConnect 2

the last one specifies how many anyconnect licenses you are assigning to this class, this class "gold" would then need to be assigned to the sub context.For example if your context name was "Cisco" you would go to that context and add "member gold".

In general licenses are based of serial number so the only reason you would need a different licenses is if you had different devices.

 

That brings us to the second part. Your active/standby would need the same encryption license on both devices because the second device will have a different serial number you will need a separate platform license.For Anyconnect there is a way to share your license between multiple devices in your CCO license portal.If you need help distributing an Anyconnect license between devices please feel free to contact Cisco TAC. You can also refer to this guide on licensing under the "Licensing for failover" section.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-failover.pdf

 

Also I wanted to make you aware that if you are using failover in multi context with Anyconnect there are many unsupported features.Please take a look at this link:https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw19758/?reffering_site=dumpcr

Please let me know if this answered your question or if you had any other questions.

0 Helpful

Roy Harrington
Cisco Employee
Cisco Employee

‎12-17-2018 03:27 PM - edited ‎12-18-2018 10:21 AM

 
0 Helpful

Roy Harrington
Cisco Employee
Cisco Employee

‎12-17-2018 03:31 PM - edited ‎12-18-2018 10:20 AM

 
0 Helpful
Customers Also Viewed These Support Documents