Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
775
Views
15
Helpful
6
Replies

ASA 5510 - SSL VPN Shared License in Active/Standby

mlbriseno
Level 1
Level 1

‎10-05-2012 09:33 AM

Hi,

I recently picked up two ASA5510s (ASA5510-SSL50-K9 & ASA5510-SEC-BUN-K) with intentions of creating an Active/Standy configuration. I'm receiving the error message "Mates' license (2 SSL VPN Peers) is not compatible with my license (50 SSL VPN Peers)", but I was under the impression that I didn't have to buy idential SSL VPN licenses post 8.2 in an Active/Standby configuration.

So the question is; am I missing a step that enables the license transfer(sharing?) feature to work correctly before the failover will build correctly?

Thank you.

Labels:
0 Helpful
6 Replies 6

kcnajaf
Level 7
Level 7

‎10-05-2012 09:43 AM

Hi Michael,

I not an expert in ASA :-( But as far as i know you need to have the same number of VPN licences on both boxes for ASA to form fail over pairs.

Hope this helps.

Regards

Najaf

CCIE (R&S) 25070

Javier Portuguez
Level 9
Level 9
In response to kcnajaf

‎10-05-2012 10:17 AM

Hi Najaj,

A failover pair with 8.2 requires both ASA's to have the same licenses.

Failover and Temporary Licenses

With failover, identical licenses are required. For failover purposes, temporary and permanent licenses appear to be identical, so you can have a permanent license on one unit and a temporary license on the other unit. This functionality is useful in an emergency situation; for example, if one of your units fails, and you have an extra unit, you can install the extra unit while the other one is repaired. If you do not normally use the extra unit for SSL VPN, then a VPN Flex license is a perfect solution while the other unit is being repaired.

Because the temporary license continues to count down for as long as it is activated on a failover unit, we do not recommend using a temporary license in a permanent failover installation; when the temporary license expires, failover will no longer work.

However, it is not the same case since 8.3.1 and later:

Failover Licenses (8.3(1) and Later)

In Version 8.3(1) and later, failover units do not require the same license on each unit. For earlier versions, see the licensing document for your version.

Please let me know if you have any further questions, otherwise please mark this post as answered.

Thanks.

Portu

kcnajaf
Level 7
Level 7
In response to Javier Portuguez

‎10-05-2012 10:25 AM

Hi Portu,

Thanks a lot for your responce. Unfortunatly i'm not the one who posted this question and hence i can not mark your responce as answered:-(

Sorry for that....

Regards

Najaf

CCIE (R&S) 25070

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to kcnajaf

‎10-05-2012 11:18 AM

Hahahaha! Sorry for that, it was my mistake, I meant Michael

Anyway, your answer was fine, so I just gave you 5 stars

Lets wait for Michael to review the post then.

Portu.

0 Helpful

mlbriseno
Level 1
Level 1
In response to kcnajaf

‎10-05-2012 12:05 PM

Is there a method of 'updating' licenses? It appears I'm running 8.2(5). These licenses (and ASAs) were purchased approximately 2 weeks ago. Do they not generally ship with the latest? Does it require a different SKU?

Thank you,

Michael

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to mlbriseno

‎10-05-2012 04:09 PM

Hi Michael,

I would recommend to you to check with your partner reseller.

If you do not want to run into this situation, you may consider an upgrade to 8.4.

Thanks.

Portu.

Please rate any helpful posts.

0 Helpful
Customers Also Viewed These Support Documents