4-19
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 4 Managing Feature Licenses
Information About Feature Licenses
Failover Licenses
Failover units do not require the same license on each unit. This section includes the following topics:
• Failover License Requirements, page 4-19
• How Failover Licenses Combine, page 4-19
• Loss of Communication Between Failover Units, page 4-20
• Upgrading Failover Pairs, page 4-20
Failover License Requirements
• Failover units do not require the same license on each unit.
Older versions of adaptive security appliance software required that the licenses match on each unit.
Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a
license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary
license when it becomes active. If you have licenses on both units, they combine into a single
running failover cluster license.
• For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus
license; the Base license does not support failover, so you cannot enable failover on a standby unit
that only has the Base license.
How Failover Licenses Combine
For failover pairs, the licenses on each unit are combined into a single running failover cluster license.
For Active/Active failover, the license usage of the two units combined cannot exceed the failover cluster
license.
If you buy separate licenses for the primary and secondary unit, then the combined license uses the
following rules:
• For licenses that have numerical tiers, such as the number of sessions, the values from both the
primary and secondary licenses are combined up to the platform limit. If both licenses in use are
time-based, then the licenses count down simultaneously.
For example, you have two ASA 5520 adaptive security appliances with 500 SSL VPN sessions
each; because the platform limit is 750, the combined license allows 750 SSL VPN sessions.
Note In the above example, if the SSL VPN licenses are time-based, you might want to disable
one of the licenses so you do not “waste” a 500 session license from which you can only use
250 sessions because of the platform limit.
Or you have two ASA 5540 adaptive security appliances, one with 20 contexts and the other with
10 contexts; the combined license allows 30 contexts. For Active/Active failover, for example, one
unit can use 18 contexts and the other unit can use 12 contexts, for a total of 30; the combined usage
cannot exceed the failover cluster license.
• For licenses that have a status of enabled or disabled, then the license with the enabled status is used.
• For time-based licenses that are enabled or disabled (and do not have numerical tiers), the duration
is the combined duration of both licenses. The primary unit counts down its license first, and when
it expires, the secondary unit starts counting down its license. This rule also applies to Active/Active
failover, even though both units are actively operating.
To Next Page
Loading...
Need help?
General
