1-30
Cisco ASA Series CLI Configuration Guide
Chapter 1 Managing Feature Licenses
Information About Feature Licenses
Failover or ASA Cluster Licenses
With some exceptions, failover and cluster units do not require the same license on each unit. For earlier
versions, see the licensing document for your version.
This section includes the following topics:
• Failover License Requirements and Exceptions, page 1-30
• ASA Cluster License Requirements and Exceptions, page 1-30
• How Failover or ASA Cluster Licenses Combine, page 1-31
• Loss of Communication Between Failover or ASA Cluster Units, page 1-31
• Upgrading Failover Pairs, page 1-32
Failover License Requirements and Exceptions
Failover units do not require the same license on each unit.
Older versions of ASA software required that the licenses match on each unit. Starting with Version
8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary
unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active.
If you have licenses on both units, they combine into a single running failover cluster license.
The exceptions to this rule include:
• Security Plus license for the ASA 5505, 5510, and 5512-X—The Base license does not support
failover, so you cannot enable failover on a standby unit that only has the Base license.
• Encryption license—Both units must have the same encryption license.
• IPS module license for the ASA 5512-X through ASA 5555-X—The IPS module license lets you
run the IPS software module on the ASA. You must also purchase a separate IPS signature
subscription for each unit. To obtain IPS signature support, you must purchase the ASA with IPS
pre-installed (the part number must include “IPS”). The combined failover cluster license does not
let you pair non-IPS and IPS units. For example, if you buy the IPS version of the ASA 5515-X (part
number ASA5515-IPS-K9) and try to make a failover pair with a non-IPS version (part number
ASA5515-K9), then you will not be able to obtain IPS signature updates for the ASA5515-K9 unit,
even though it has an IPS module license inherited from the other unit.
Note A valid permanent key is required; in rare instances, your authentication key can be removed. If your
key consists of all 0’s, then you need to reinstall a valid authentication key before failover can be
enabled.
ASA Cluster License Requirements and Exceptions
Cluster units do not require the same license on each unit. Typically, you buy a license only for the
master unit; slave units inherit the master license. If you have licenses on multiple units, they combine
into a single running ASA cluster license.
The exceptions to this rule include:
• Clustering license—Each unit must have a clustering license.
• Encryption license—Each unit must have the same encryption license.
To Next Page
Loading...
Need help?
General
