Cisco Cisco ASA 5585-X Adaptive Security Appliance Information Guide
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 5 of 25
Both units in an ASA 5512-X through ASA 5555-X system require the IPS module license. You also need the IPS
signature subscription on the IPS side for both units. See the following guidelines:
●
To buy the IPS signature subscription you need the ASA with IPS preinstalled (the part number must
include “IPS”: for example, ASA5515-IPS-K9); you cannot buy the IPS signature subscription for a non-
“IPS” part number ASA.
include “IPS”: for example, ASA5515-IPS-K9); you cannot buy the IPS signature subscription for a non-
“IPS” part number ASA.
●
You need the IPS signature subscription on both units; this subscription is not shared in failover because it
is not an ASA license.
●
The IPS signature subscription requires a unique IPS module license for each unit. Like other ASA licenses,
the IPS module license is technically shared in the failover Cluster license. However, because of the IPS
signature subscription requirements, you must buy a separate IPS module license for each unit.
For ASAv CPU failover deployments, you must make sure that the standby unit has the same number of virtual
CPUs assigned to it as the primary unit (along with matching vCPU licenses).
Note: A valid permanent key is required; in rare instances, your authentication key can be removed. If your key
consists of all zeros, then you need to reinstall a valid authentication key before failover can be enabled.
Q. What are the licensing requirements for ASA clustering?
A. Please see Table 1.
Table 1.
Licensing Requirements for Cisco ASA Cluster Units
Model
License Requirement
Cisco ASA 5585-X
Cluster license supporting up to 16 units. A Cluster license is required on each unit. For other feature licenses,
cluster units do not require the same license on each unit. If you have feature licenses on multiple units, they
combine into a single running ASA Cluster license.
cluster units do not require the same license on each unit. If you have feature licenses on multiple units, they
combine into a single running ASA Cluster license.
Note: Each unit must have the same encryption license and the same 10 GE I/O license
Cisco ASA 5512-X
Security Plus license supporting 2 units.
Note: Each unit must have the same encryption license.
Cisco ASA 5515-X,
ASA 5525-X,
ASA 5545-X,
ASA 5555-X
Base license supporting 2 units.
Note: Each unit must have the same encryption license.
All other models
No support.
Q. How do licenses combine for failover pairs or cluster units?
A. For failover pairs or ASA clusters, the licenses on each unit are combined into a single running Cluster license.
If you buy separate licenses for each unit, then the combined license uses the following rules:
For licenses that have numerical tiers, such as the number of sessions, the values from each unit’s licenses
are combined up to the platform limit. If all licenses in use are time-based, then the licenses count down
simultaneously.
Failover Examples
●
You have two ASAs with 10 AnyConnect Premium sessions installed on each. The licenses will be
combined for a total of 20 AnyConnect Premium sessions.
●
You have two ASA 5525-Xs with 500 AnyConnect Premium sessions each. Because the platform limit is
750, the combined license allows 750 AnyConnect Premium sessions.