07-11-2012 06:53 AM
Hello,
I have 2 5510 ASAs and I'm in a pinch with needing a failover ASA to put in. I have a testing ASA I need to put in as a standby firewall in an Active/Standby scenario, but this ASA has a 10 user SSL VPN license applied. My primary ASA that I'm setting this up with only has the standard 2 user license, and the HA config wizard fails when I'm running through it. The message I get is "License compatibility test for number of clientless SSL VPN peers failed." How can I deactivate the 10 user license on my testing unit so I can bring it in as a failover?
Both ASAs have a SecPlus license.
Thanks for any help,
Brett
07-11-2012 07:19 AM
Keep your current activation key so you can reapply it after your testing, and request a new activation key from licensing@cisco.com without the SSL VPN license to perform your failover test.
07-11-2012 07:39 AM
In your scenario it is best to upgrade your ASAs to a version of 8.3+.
There, both ASAs don't need to have the same licenses. Instead the licenses of both ASAs are counted together. The downside of this solution is that you probably need more RAM. But in the end it could be cheaper than buying SSL licenses for both ASAs.
07-11-2012 09:23 AM
Karsten, I would upgrade to 8.3 but I've experienced problems with this last week when trying to upgrade, already. After upgrading to some flavor of 8.4 (8.4.3 I think) SMTP would no longer pass through the ASA. Without going into crazy details about it all, I dropped back to another ASA we have that I was waiting to deploy for other functions, and to the same IOS rev of 8.2.2 before I upgraded, with a backup of my config. The testing ASA has been sitting around to play with SSL and other functions and now the boss wants failover active, so my test ASA goes away. So my test ASA is now going to be a FO until I can get my original primary back online with an upgraded IOS, testing everything first, and what's now my running ASA becomes the failover...and then I get my test ASA back and can put the SSL VPN key back on it. Yes, a whirlwind of sorts.
I used Jennifer's recommendation and have contacted Cisco licensing for a new activation key and am waiting for them to get back to me.
Thank you both for your help,
Brett