I twittered earlier today about what licenses are required for failover in Cisco ASA Version 8.3. Foolishly I didn’t take the time to check the documentation (Thanks to Andy @Sholomon who replied) (( In my defence, I’d like to point out that Cisco documentation hasn’t been well maintained lately and that’s why I have tended to not look there first. That and Cisco hasn’t been good about clearly documenting licensing over the last ten years. That’s my excuse and I’m sticking to it ))
From the Managing Feature Licenses for Cisco ASA 5500 Version 8.3 documentation:
Failover License Requirements
Failover units do not require the same license on each unit.
Older versions of adaptive security appliance software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.
So from reading this I conclude the following for Version 8.3:
- If I am designing for Active / Standby I need only one Security Context feature license. The standby unit does not need a Security Context license.
- If you are designing for Active / Active then you need enough licenses to support ALL the active Security Contexts when failover occurs. This means that the Security Context licenses installed across the two Active / Active units must add up to the total number of contexts you run. This is still the same number of licenses as for Active / Standby.
From the documentation: Or you have two ASA 5540 adaptive security appliances, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, for example, one unit can use 18 contexts and the other unit can use 12 contexts, for a total of 30; the combined usage cannot exceed the failover cluster license.
Upgrade – Licenses are Cumulative
If you are upgrading from an older version and your ASAs have existing licenses, they are added together. That is, if each ASA in a failover pair previously had five Security Context licenses, then the ASA Version 8.3 upgrade will provide TEN Security Context licenses in TOTAL.
Previously, for V8.2 and earlier, you had to buy five Security Context licenses for each of the Active and Standby ASA units.
Warning – Licenses are installed where?
Note that the licenses are actually still installed on each physical unit in the upgrade case. That is, unless you change the licenses, each firewall has five Security Context licenses. If you separate the pair, then each firewall will have its original license. If you decide to separate the pair, and want to keep the 10 Security Context licenses on one of the units, you will need to perform some sort of license transfer from one chassis to the other. I believe that this will require a call to the TAC to get the licenses fixed (does anyone know for sure?)
What happens when a pair is broken
In gory, confusing, convoluted detail, from this section of the documentation:
If the failover units lose communication for more than 30 days, then each unit reverts to the license installed locally. During the 30-day grace period, the combined running license continues to be used by both units.
If you restore communication during the 30-day grace period, then for time-based licenses, the time elapsed is subtracted from the primary license; if the primary license becomes expired, only then does the secondary license start to count down.
If you do not restore communication during the 30-day period, then for time-based licenses, time is subtracted from both primary and secondary licenses, if installed. They are treated as two separate licenses and do not benefit from the failover combined license. The time elapsed includes the 30-day grace period.
So if you separate the pair, the license file that is explicitly installed on that physical unit will stay there. After thirty days any “shared” license will expire and the features it provided will disappear.
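To make the two sets of rules above concrete (the combined failover cluster license for contexts, and the 30-day grace period with its time-based countdown), here is a small Python model of them. It is an added example written for this post, not Cisco's code or any ASA command output; the UnitLicense class, the function names and the 25-day and 60-day time-based licenses on the sample pair are made up for illustration, and the reading that leftover days carry over from an expired primary license to the secondary is this model's interpretation of the quoted text. The 20-context / 10-context pair is the ASA 5540 example from the documentation.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Grace period as stated in the Cisco ASA 8.3 failover licensing text quoted above.
GRACE_DAYS = 30


@dataclass(frozen=True)
class UnitLicense:
    """Licenses physically installed on one ASA chassis (hypothetical model)."""
    name: str
    contexts: int                          # Security Context licenses on this chassis
    timed_days_left: Optional[int] = None  # days left on a time-based license; None = none installed


def combined_contexts(primary: UnitLicense, secondary: UnitLicense) -> int:
    """Failover cluster license: the context counts on both units add together."""
    return primary.contexts + secondary.contexts


def active_active_ok(primary: UnitLicense, secondary: UnitLicense,
                     used_on_primary: int, used_on_secondary: int) -> bool:
    """Active/Active: any split is allowed as long as the total stays within the cluster license."""
    return used_on_primary + used_on_secondary <= combined_contexts(primary, secondary)


def effective_contexts(primary: UnitLicense, secondary: UnitLicense,
                       days_out_of_contact: int) -> Tuple[int, int]:
    """Contexts each unit may run while separated: the combined figure during the
    30-day grace period, only the locally installed figure once it has passed."""
    if days_out_of_contact <= GRACE_DAYS:
        both = combined_contexts(primary, secondary)
        return both, both
    return primary.contexts, secondary.contexts


def separation_shortfall(primary: UnitLicense, secondary: UnitLicense,
                         used_on_primary: int, used_on_secondary: int) -> dict:
    """Pre-change check: if the pair is broken for good, how many contexts would each
    unit be running beyond what is installed on its own chassis?"""
    return {
        primary.name: max(0, used_on_primary - primary.contexts),
        secondary.name: max(0, used_on_secondary - secondary.contexts),
    }


def _drain(days_left: Optional[int], days: int) -> Tuple[Optional[int], int]:
    """Subtract days from a time-based license; return (remaining, days not absorbed)."""
    if days_left is None:
        return None, days
    absorbed = min(days_left, days)
    return days_left - absorbed, days - absorbed


def after_outage(primary: UnitLicense, secondary: UnitLicense,
                 days_out_of_contact: int) -> Tuple[UnitLicense, UnitLicense]:
    """Time-based licenses after a loss of failover communication.

    days_out_of_contact <= 30: communication was restored inside the grace period, so the
    elapsed time comes off the primary license first and the secondary only starts counting
    down once the primary is expired (carrying the remainder over is this model's reading).
    days_out_of_contact > 30: the pair never re-established contact; the full elapsed time,
    grace period included, comes off both licenses independently.
    """
    days = days_out_of_contact
    if days <= GRACE_DAYS:
        p_left, spill = _drain(primary.timed_days_left, days)
        s_left, _ = _drain(secondary.timed_days_left, spill)
    else:
        p_left, _ = _drain(primary.timed_days_left, days)
        s_left, _ = _drain(secondary.timed_days_left, days)
    return (replace(primary, timed_days_left=p_left),
            replace(secondary, timed_days_left=s_left))


if __name__ == "__main__":
    # Constructed sample: the 20-context / 10-context ASA 5540 pair from the quoted text,
    # with made-up time-based licenses to exercise the countdown rules.
    pri = UnitLicense("asa-primary", contexts=20, timed_days_left=25)
    sec = UnitLicense("asa-secondary", contexts=10, timed_days_left=60)
    print("cluster license:", combined_contexts(pri, sec), "contexts")
    print("18 + 12 allowed:", active_active_ok(pri, sec, 18, 12))
    print("day 10 apart:", effective_contexts(pri, sec, 10),
          "day 31 apart:", effective_contexts(pri, sec, 31))
    print("shortfall if split while running 18/12:", separation_shortfall(pri, sec, 18, 12))
    p, s = after_outage(pri, sec, 28)
    print("restored on day 28, days left:", p.timed_days_left, s.timed_days_left)
```

The separation_shortfall check is the one worth running before you deliberately break a pair: with the documentation's 18/12 Active/Active split, the secondary unit is running two contexts more than its own chassis carries, which is exactly the situation the warning above describes.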
The EtherealMind View
- This is messy and you are likely to make a mistake that has unintended consequences. Especially operational staff, who have mixed and matched equipment so often that it is almost standard practice; they are going to make some serious mistakes with this by not capturing their licenses.
- None of this seems intuitive to me. The marketing people have made this too complicated when setting their pricing plans.
- Cisco can charge what they like for their products, but this isn’t making it easy to design or buy their products. Other products don’t have these licensing concerns.
Ah well. I’ll smile as I go under the truck I guess.