I twittered earlier today about what licenses are required for failover in Cisco ASA Version 8.3. Foolishly I didn’t take the time to check the documentation (Thanks to Andy @Sholomon who replied) (( In my defence, I’d like to point out that Cisco documentation hasn’t been well maintained lately and that’s why I have tended to not look there first. That and Cisco hasn’t been good about clearly documenting licensing over the last ten years. That’s my excuse and I’m sticking to it ))
From the Managing Feature Licenses for Cisco ASA 5500 Version 8.3 documentation:
Failover License Requirements
Failover units do not require the same license on each unit.
Older versions of adaptive security appliance software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.
So from reading this I conclude the following for Version 8.3:
- If I am designing for Active / Standby I need only one Security Context license. The standby unit does not need its own Security Context license.
- If you are designing for Active / Active then you need enough licenses to support ALL the active Security Contexts when failover occurs. This means that the Security Context licenses installed across the two Active / Active units must cover the total number of contexts. This is still the same number of licenses as for Active / Standby.
From the documentation: Or you have two ASA 5540 adaptive security appliances, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, for example, one unit can use 18 contexts and the other unit can use 12 contexts, for a total of 30; the combined usage cannot exceed the failover cluster license.
Upgrade – Licenses are Cumulative
If you are upgrading from an older version and your ASAs have existing licenses, they are added together. That is, if each ASA in a failover pair previously had five Security Context licenses, then the ASA Version 8.3 upgrade will provide TEN Security Context licenses in TOTAL.
Previously, for V8.2 and earlier, you had to buy 5 Security Context licenses for each of the Active and Standby ASA units.
Warning – Licenses are installed where?
Note that the licenses are actually still installed on each physical unit in the upgrade case. That is, unless you change the licenses, each firewall has five Context licenses. If you separate the pair, then each firewall will have its original license. If you decide to separate the pair, and want to keep the 10 Security Context licenses on one of the units, you will need to perform some sort of license transfer from one chassis to the other. I believe that this will require a call to the TAC to get the licenses fixed (does anyone know for sure?)
What happens when a pair is broken
In gory, confusing, convoluted detail, from this section of the documentation:
If the failover units lose communication for more than 30 days, then each unit reverts to the license installed locally. During the 30-day grace period, the combined running license continues to be used by both units.
If you restore communication during the 30-day grace period, then for time-based licenses, the time elapsed is subtracted from the primary license; if the primary license becomes expired, only then does the secondary license start to count down.
If you do not restore communication during the 30-day period, then for time-based licenses, time is subtracted from both primary and secondary licenses, if installed. They are treated as two separate licenses and do not benefit from the failover combined license. The time elapsed includes the 30-day grace period.
So if you separate the pair, the license file that is explicitly installed to that physical unit will stay there. After thirty days any “shared” license will expire and features will disappear.
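The combined-license arithmetic above (contexts add together, Active/Active usage may be split any way as long as the sum fits) and the loss-of-communication rules quoted from the documentation are easy to get wrong when planning a split. The following is an added example, not code from the post or from Cisco: a small Python model of those rules as quoted, assuming time-based licenses are tracked in whole days and that a unit without a time-based license is modelled as 0 days.

```python
from dataclasses import dataclass

GRACE_DAYS = 30  # grace period quoted from the 8.3 licensing documentation


@dataclass
class Unit:
    name: str
    contexts: int          # Security Context licenses installed on this chassis
    time_based_days: int   # days left on a time-based license (0 = none installed)


def combined_contexts(primary: Unit, secondary: Unit) -> int:
    """Failover cluster license: the context licenses on both units add together."""
    return primary.contexts + secondary.contexts


def active_active_ok(primary: Unit, secondary: Unit, used_primary: int, used_secondary: int) -> bool:
    """Active/Active: each unit may use any share, but the total may not exceed the cluster license."""
    return used_primary + used_secondary <= combined_contexts(primary, secondary)


def contexts_after_split(primary: Unit, secondary: Unit, days_apart: int) -> tuple[int, int]:
    """Contexts each unit may run once communication is lost.

    Within the grace period both units keep using the combined running license;
    after it, each unit reverts to whatever is installed locally on that chassis.
    """
    if days_apart <= GRACE_DAYS:
        total = combined_contexts(primary, secondary)
        return total, total
    return primary.contexts, secondary.contexts


def time_based_after_split(primary: Unit, secondary: Unit, days_apart: int) -> tuple[int, int]:
    """Days remaining on each unit's time-based license after `days_apart` days out of contact."""
    p, s = primary.time_based_days, secondary.time_based_days
    if days_apart <= GRACE_DAYS:
        # Communication restored inside the grace period: elapsed time comes off the
        # primary license first; the secondary only starts counting down once the
        # primary is exhausted.
        from_primary = min(p, days_apart)
        from_secondary = min(s, days_apart - from_primary)
        return p - from_primary, s - from_secondary
    # Past the grace period: the two licenses are treated separately, both count
    # down over the whole outage, and the 30 grace days are included in that time.
    return max(0, p - days_apart), max(0, s - days_apart)
```

Running it with the documentation's own 20 + 10 context example shows why 18 + 12 is allowed while 20 + 12 is not, and why a pair of five-context units that is split for more than 30 days drops from 10 contexts back to 5 each.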
The EtherealMind View
- This is messy and you are likely to make a mistake that has unintended consequences. Especially operational staff, who have mixed and matched equipment so often that it is almost standard practice; they are going to make some serious mistakes with this by not capturing their licenses.
- None of this seems intuitive to me. The marketing people have made this too complicated when setting their pricing plans.
- Cisco can charge what they like for their products, but this isn’t making it easy to design or buy their products. Other products don’t have these licensing concerns.
Ah well. I’ll smile as I go under the truck I guess.
Greg – Good piece. I knew there were a lot of new changes in the 8.3 release but hadn’t realized Cisco finally got smart(er) about licensing for failover pairs. The fact that you had to buy identical licensing for a failover cluster always annoyed me. And yes, I agree that this approach is clunky and a bit messy however, one could hope that maybe they will make it less clunky in future releases. 🙂
Now, does this apply to ALL feature sets, including SSL VPN? 🙂 (Of course I haven’t RTFM…yet. 🙂)
In principle, the same ideas apply for all ASA licenses such as SSL VPN and Content Filtering, where the licenses are purchased only once and shared between failover units. This extends even further into time-based licensing for global deployments where you can move licenses in a “follow the sun” fashion.
Personally, this is over complicated. Cisco should have lowered the price and let customers buy more licenses. Of course, whether customers are intelligent enough to comprehend this idea (cheap simple licensing that you buy more of) is a whole other discussion.
While I see your point, this is how it was in the days of the PIX and it was much better. Having to buy individual licenses per box was cost prohibitive and just a waste. There is a primary and a standby when it comes to the pair, so why not have a set of licenses that get moved from one box to another.
If the licenses were half the price, would they still be cost prohibitive? A better solution would have been to make the licenses much cheaper so that customers didn’t complain. Now we waste a lot of money and effort on license compliance and operational processes when a failure occurs.
Stupid waste of time. Simple is always better.
Just to make clear, you still need to buy Security Plus licenses for both ASAs in the firewall pair. It is not the same as the PIX where you bought a UR License (expensive) and a FO License (cheap). With the ASA you still need two Security Plus Licenses (expensive) for failover.
The changes mainly affect additional licenses such as SSL VPN where you can now only buy for one unit instead of two.