
What license do I need for 25 SSL VPN Peers

Hi all,

I want to implement an Active/Standby cluster with a pair of 5550 ASAs and I have a licensing question. Here is the "sh activation-key detail" output from both devices...

ASA1:

sh activation-key detail:

Serial Number:  XXXXX

No active temporary key.

Running Activation Key: XXXXX XXXXX XXXXX XXXXX XXXXX

Licensed features for this platform:

Maximum Physical Interfaces    : Unlimited

Maximum VLANs                  : 250      

Inside Hosts                   : Unlimited

Failover                       : Active/Active

VPN-DES                        : Enabled  

VPN-3DES-AES                   : Enabled  

Security Contexts              : 2        

GTP/GPRS                       : Disabled 

SSL VPN Peers                  : 2        

Total VPN Peers                : 5000     

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled 

AnyConnect for Cisco VPN Phone : Disabled 

AnyConnect Essentials          : Disabled 

Advanced Endpoint Assessment   : Disabled 

UC Phone Proxy Sessions        : 2        

Total UC Proxy Sessions        : 2        

Botnet Traffic Filter          : Disabled 

This platform has an ASA 5550 VPN Premium license.

The flash activation key is the SAME as the running key.

ASA2:

sh activation-key detail:

Serial Number:  XXXXX

No active temporary key.

Running Activation Key: XXXXX XXXXX XXXXX XXXXX XXXXX

Licensed features for this platform:

Maximum Physical Interfaces    : Unlimited

Maximum VLANs                  : 250

Inside Hosts                   : Unlimited

Failover                       : Active/Active

VPN-DES                        : Enabled

VPN-3DES-AES                   : Enabled

Security Contexts              : 2

GTP/GPRS                       : Disabled

SSL VPN Peers                  : 25

Total VPN Peers                : 5000

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials          : Disabled

Advanced Endpoint Assessment   : Disabled

UC Phone Proxy Sessions        : 2

Total UC Proxy Sessions        : 2

Botnet Traffic Filter          : Disabled

This platform has an ASA 5550 VPN Premium license.

The flash activation key is the SAME as the running key.

--------------------------------------------------------------

So it looks obvious that I'll have to upgrade the first ASA to support 25 SSL VPN Peers in order to build an HA cluster, right?

Now I want to know whether I need the "ASA5505-SSL25-K9" license or something else.

Thanks much in advance for any help!


stubinski
Level 1

Hi,

What version of IOS are you running on each ASA? 

Reference to licensing ASAs for failover, ver 8.4:

http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html#wp1487973

Hope this helps

Hi,

Thanks for the answer, we are using 8.2(5)26.

The ASA has 406 RAM, so I think that the best solution would be to upgrade it to version 8.3. Since it is a highly productive system, we are not yet ready for 8.4.

Cheers

If you are running <= v8.2 and you can't upgrade to v8.3 or higher, then you need to buy the license for 25 SSL-VPNs as both units need to have the same licensing. This restriction was removed with v8.3 and from that version onwards the licenses of both units are combined by the FO-pair.

And don't forget the AnyConnect-mobile license if you plan to use the AnyConnect-Client on iPad, iPhone and so on.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks for the reply,

I'll try that, upgrading both nodes to version 8.3, and we'll see what happens. As I said, 4GB RAM should be enough.

Funny how the licensing model works, because ASA1 is older than ASA2, although they are the same model (5550) and run the same software version (8.2(5)26). They both have a built-in VPN Premium license, and yet the newer ASA2 has 25 SSL VPN Peers.

Cheers

Marvin Rhoads
Hall of Fame

As noted, upgrade to 8.3 or later first (if not already there).

Then purchase and install (activate) a single L-ASA-SSL-25.

Then purchase and install (activate) a single L-ASA-SSL-25.

He already has a 25-license on the second ASA. So he just needs to upgrade to a version >8.2 ... I think all the 5550s have enough memory for v8.4 (not really sure on that). So there shouldn't be a memory-upgrade involved.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Ah OK I see - right then: upgrading the cluster will allow the license to be shared.

Re the target version, I would recommend going straight to 8.4(4.1). I've deployed this at several sites without issue.

Hi all,

As I said, I tried to upgrade ASA1 to version 8.3, but unfortunately the limit of 2 SSL VPN Peers remained.

It seems that I’ll have to buy that license, although I don’t need that functionality. If someone has some more hints left, I’d be grateful to hear them.

Here is the output from “sh activation-key detail” and below the output from “sh ver”:

----------------------------------------------------------------

Licensed features for this platform:

Maximum Physical Interfaces   : Unlimited     perpetual

Maximum VLANs                 : 250           perpetual

Inside Hosts                   : Unlimited     perpetual

Failover                       : Active/Active perpetual

VPN-DES                       : Enabled       perpetual

VPN-3DES-AES                   : Enabled       perpetual

Security Contexts             : 2            perpetual

GTP/GPRS                       : Disabled       perpetual

SSL VPN Peers                 : 2             perpetual

Total VPN Peers               : 5000           perpetual

Shared License                 : Disabled       perpetual

AnyConnect for Mobile         : Disabled       perpetual

AnyConnect for Cisco VPN Phone : Disabled       perpetual

AnyConnect Essentials         : Disabled       perpetual

Advanced Endpoint Assessment   : Disabled       perpetual

UC Phone Proxy Sessions        : 2             perpetual

Total UC Proxy Sessions       : 2             perpetual

Botnet Traffic Filter         : Disabled       perpetual

Intercompany Media Engine     : Disabled       perpetual

This platform has an ASA 5550 VPN Premium license.

Licensed permanent key features for this platform:

Maximum Physical Interfaces   : Unlimited     perpetual

Maximum VLANs                 : 250           perpetual

Inside Hosts                   : Unlimited     perpetual

Failover                       : Active/Active perpetual

VPN-DES                       : Enabled       perpetual

VPN-3DES-AES                  : Enabled       perpetual

Security Contexts             : 2             perpetual

GTP/GPRS                       : Disabled       perpetual

SSL VPN Peers                 : 2             perpetual

Total VPN Peers               : 5000           perpetual

Shared License                 : Disabled       perpetual

AnyConnect for Mobile         : Disabled       perpetual

AnyConnect for Cisco VPN Phone : Disabled       perpetual

AnyConnect Essentials         : Disabled       perpetual

Advanced Endpoint Assessment   : Disabled       perpetual

UC Phone Proxy Sessions       : 2             perpetual

Total UC Proxy Sessions       : 2             perpetual

Botnet Traffic Filter         : Disabled       perpetual

Intercompany Media Engine     : Disabled       perpetual

The flash permanent activation key is the SAME as the running permanent key.

----------------------------------------------------------------

Cisco Adaptive Security Appliance Software Version 8.3(2)

Device Manager Version 6.4(7)

Compiled on Fri 30-Jul-10 17:49 by builders

System image file is "disk0:/asa832-k8.bin"

Config file at boot was "startup-config"

xxxxx up 12 mins 33 secs

Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Thanks,

Simo

Is your cluster operating normally? ("show failover")

Well, the point is that you can't start the cluster if all necessary conditions are fulfilled (identical hardware, memory, licenses).

ASA checks all those conditions after entering “failover” command. If any of those conditions are not met, you’ll get an error message with an explanation.

I’ll order a single license for 25 SSL VPN Peers (“L-ASA-SSL-25”), and try with it to bring the cluster online.

Cheers,

Simo

Hi all,

I was able to bring the two ASAs (ASA1 and ASA2) up in FA mode without upgrading the license on the first ASA1 to 25 SSL VPN Peers. The “failover” command didn’t complain about the unequal number of SSL VPN Peers on ASA1.

Obviously it is not necessary to have the same SSL VPN Peer license when building a cluster (or the total number of licenses will be = ASA1 + ASA2, which is 27 in my case).

The interesting thing is that the active (ASA1) shows:

sh ver:

Licensed features for this platform:

(output truncated)

SSL VPN Peers                 : 2             perpetual

(output truncated)

Failover cluster licensed features for this platform:

(output truncated)

SSL VPN Peers                 : 27             perpetual

(output truncated)

and standby (ASA2) shows:

Licensed features for this platform:

(output truncated)

SSL VPN Peers                 : 2             perpetual

(output truncated)

Failover cluster licensed features for this platform:

(output truncated)

SSL VPN Peers                 : 27             perpetual

(output truncated)

I hope it helps. Thank you all for your time and your comments.

Cheers,

Simo

You're welcome.

That's what I expected and why I asked if you had tried to activate the cluster. 8.3 and later versions do not require the same premium feature licenses as a prerequisite due to the sharing feature introduced in that release.

Please mark your question as answered and rate the posts if you find them helpful.
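
The licensing rule worked out in this thread can be checked before a failover pair is built. The following is an added example, not code from any poster or from Cisco: it parses the "Licensed features" block of `sh activation-key detail` from two units and applies the rule as the thread states it (identical licenses needed up to 8.2, SSL VPN Peers summed across the pair from 8.3). The sample text is constructed from the outputs above, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the thread's "sh activation-key detail" output.
TEMPLATE = """\
Serial Number:  XXXXX
Licensed features for this platform:
Maximum VLANs                  : 250
Failover                       : Active/Active
Security Contexts              : 2
SSL VPN Peers                  : {ssl}
Total VPN Peers                : 5000
AnyConnect Essentials          : Disabled
This platform has an ASA 5550 VPN Premium license.
"""
ASA1, ASA2 = TEMPLATE.format(ssl=2), TEMPLATE.format(ssl=25)

def parse_features(text):
    """Return {feature: value} from the 'Licensed features' block only."""
    features, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Licensed features for this platform"):
            in_block = True
        elif in_block and line.startswith("This platform has"):
            break  # later blocks (permanent key, cluster) are not parsed
        elif in_block:
            m = re.match(r"([^:]+?)\s*:\s*(\S+)", line)  # ignores 'perpetual' column
            if m:
                features[m.group(1)] = m.group(2)
    return features

def failover_license_check(version, unit_a, unit_b):
    """Thread's rule: <= 8.2 needs identical licenses; >= 8.3 combines them."""
    major, minor = map(int, re.match(r"(\d+)\.(\d+)", version).groups())
    a, b = parse_features(unit_a), parse_features(unit_b)
    diff = {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)}
    if (major, minor) < (8, 3):
        return {"blocking": diff, "cluster_ssl_vpn_peers": None}
    # Only SSL VPN Peers is summed here; it is the one combined value the thread shows.
    total = int(a["SSL VPN Peers"]) + int(b["SSL VPN Peers"])
    return {"blocking": {}, "cluster_ssl_vpn_peers": total}

if __name__ == "__main__":
    for ver in ("8.2(5)26", "8.3(2)"):
        print(ver, failover_license_check(ver, ASA1, ASA2))
```

Hardware and memory parity between the units is still required and is not checked here.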