I need your support for upgrading the Security context license on 5550, at present we have 5 Security context license installed in ASA but we want it to increased till 10 conctexts. I want to understand if we need to get addtional 5 Security context license or 10.
This is the situation I got to firewalls with failover and I need to upgrade the license so I can get more context (right now I have 5 context and I need 10) so I was looking at the procedure and I'm not sure If I need to restart the device or not. I was looking at this procedure:
Upgrading the License for a Failover using ASDM (No Reload Required) Use the following procedure using ASDM if your new license does not require you to reload. This procedure ensures that there is no downtime.
•1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match. •
2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.•
3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.
4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.
5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.
6. Click Apply. This completes the procedure.link: [URL]
But then I checked on the cisco web page that there are some license that need to reload I see this:
#Downgrading any license (for example, going from 10 contexts to 2 contexts).#Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
So I just want to know if I'm UPGRADING from 5 to 10 context the reload applies to my situation or not?
I have a firewall module in a Switch Catalyst 6500. I wan to upgrade its context capacity to a greater capacity. When I looked it in the Dynamic configuration, it send me following number parts:
The first one is the license to have 20 context and the next one is upgrade from 20 context to 50 context. My problem is that I haven't could find a service support contract associate them.I want to know if they have or not service contract, because I can´t find them.
What's the difference between VPN Plus license and Security Plus license. I have new 5520 shipped with VPN Plus license.Also does it require a seperate license for Anyconnect for Mobile and AnyConnect Essentials.
Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)Ive installed both activated licenses as per the cisco guides, I didnt get any errors on the install. I did a reload on both, they are both back up and running as active/standby but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver?
I have a ASA 5510 and planning to implement multiple context in a 2 tier security level and vrf-lite. meaning I have 2xASA facing the internet and below that a 2x3560 switch for our extranet and below that is another 2xASA for intranet. See diagram below. In this kind of network I want to know how it would impact the total throughput and resources of the ASA using multiple context?
I have a active-active setup with 2 cisco asa 5585x running 8.4 - the boxes ahve each 2 sec context's build-in - which gives 4 sec context in the cluster. I have 2 x 5 extra licenses (2 x ASA5500-SC-5) which I haven't applied yet - will this give me a total of 10 or 14 security contextes? I am a bit in doubt because if I only get 10 sec contextes in this cluster then could I instead get a single 10 security context license (1 x ASA5500-SC-10) and add this - hereby I would get 12 then.
I have cisco 3750 with ipservices license and I am running with c3750e-universal-mz.122-50.SE2. And I would like to upgrade the IOS " k9" IOS. ie c3750e-universalk9-mz.122-50.SE2. Is there any license required for that ?Also any difference in the IOS upgrade procedure.
I have setup ASA5510 in failover mode. I am planning to use this setup for clientless SSL VPN and have following questions.
1. Do I have to license both firewalls for SSL VPNs? These licenses are very expensive and why would I have to purchase it for secondary when I am not using it?
2. SSL vertificate for the firewall it self. Do I have to acquire one or two to ensure users don't get annoying message about self signed certificate? Cisco doesn't seem to have this discussion in any documents. However I found following URL discussing from somebody's experience. What's official statement from Cisco on this matter? [URL]
My corporate internal network is currently fire walled by an FWSM module on a 6513 switch. We have each security zone (we have eight) assigned to a FWSM context and have ACLs set up between the contexts and the enterprise LAN/WAN. Is it possible to support fire walling between these zones within a single security context? The reason I am asking is that we would like to purchase a second FWSM for use as a standby, but do not want to cough up the ~ $12K for the context license. We will ultimately be transitioning to ASAs for internal security, so do not want to spend more than we need to.
I have two ASA 5510 in an Active/Active failover configuration; On the first ASA I have a license for five security contexts, on the second one I have the default two. On the pair I configured seven security contexts and everything works as expected; so far so good. Let's suppose now that the first ASA (the one with the license for 5 contexts) goes up in smoke; all the contexts migrate to the surviving firewall and life is still good. But what happens if, for some reason, I need to reboot the second ASA before the first one is repaired? My guess is that it will come up with just its own license for two contexts and that I will not be able to operate all my virtual firewalls.
Do I need the security plus license to do HA with two 5520's?I was told by our purchasing department that the 5520 was supposed to be able to do HA out of the box, but when I look I see only the VPN + license. Does that mean I can download the security plus license? Or do I even need it on the 5520.
I have Cisco ASA5505 8.2(5) connected with Cisco 5520 8.2(1) via IPSEC tunnel, I was able to SSH from the inside 5520 to inside IP of the asa5505. but I after I upgrade the license to security plus at 5505 I lost the SSH and ASDM to inside IP of 5505 from the inside network of the 5520. however I still can use SSH and ASDM on outside IP of 5505.
I did a lot of testing to make it work but I couldn't I added SSH 0.0.0.0/0 inside and outside also I added acl on both interfaces. when I did a trace on the outside interface from the private network of 5520 to 5505 inside IP I got IPSEC spoofed by the way that trace only works with security plus because I try to test on all my other firewalls 8.2(5) it shows nothing and all my firewalls can accessed from the private network 5520 except the one with the security plus!
ASA 5510 security plus edition will it support active/active failover. and does it support context with securiyt plsu edition. and how many default context do we get with asa 5510 security plus edition.
We recently upgraded a ASA 5505 with the security plus license to allow us to add a second subnet, but are having a few problems configuring the second subnet. The original subnet we have configured 10.1.1.0 is able to access the internet without any problems. However the new subnet 10.1.5.0 is unable to access the internet and when we ran a trace packet the nat config nat (inside) 1 0.0.0.0 0.0.0.0 is showing as the rule that drops the packet.
Additionally we have not been able to get the 2 subnets to talk to each other even though same-security-traffic permit inter-interface is configured. How to configure the subnet 10.1.5.0 to access the internet or to get the subnets to communicate. Below is a streamlined version of our current config.
I have a ASA 5510 with Security Plus License and when I looked at the devices a few days ago I had 2 contexts, however after configuring the Mgm port as a regular port the contexts show 0, why? I can not find any post on the internet where this issue has happen: here is the output from show ver:
Cisco Adaptive Security Appliance Software Version 7.0(8) Compiled on Sat 31-May-08 23:48 by builders System image file is "disk0:/asa708-k8.bin"
i can configure a requirement type as audit (opposed to mandatory or optional), so the client will still access the network, the user will not be notified, and the information will be sent to the cas.It is possibile to generate an email or similar automated process to notify administrators on these audits?
I have to upgrade to an ASA 5510 CSC, and the new license is generated, the file you sent me licensing, only seen this:Activation Code not required for this renewal. Please go to "Administration> Product License" in the CSC SSM console and click "Check Status Online" to get the latest expiration date (BASE: 09/04/2014, PLUS: 09/04/2014).This means that what I have not make any upgrades or license charge in the ASA? Does the automatic update is made?
I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?
I have at the moment an ASA5510 pair in Multiple Context configured. Everything is ok, but we use til now only ACL features.Now I would be interested in configuring 2 contexts, with IPSec VPNs. One VPN per context. But I cannot find any information if it would be possible to use a shared interface for both contexts. My wish would only be to spare public IPs.If I have to configure 100 VPNs in 100 contexts, do I need 100 public IPs ?
We have a old Cisco ASA5540 firewall running on firmware version 7.0 and also a Firewall Service Module (FSWM) running on firmware version 2.3.
My question is if I would like to upgrade the Cisco ASA5540 firmware version to 7.1 above and the FWSM firewall version to 3.1 above, any requirement on the memory size or hardware to perform the firmware upgrade activity, do I require to do some memory or hardware module upgrade activty first before the firmware upgrade ?
Any restriction, shortcoming and pre-requites to do before the firmware upgrade activity ?
Currently my ASA5510 has a 64MB internal flash. Does the ASA require a higher capacity flash for an IOS upgrade from 7.2(x) to 8.2(x)? The Cisco Release Notes does not state any internal flash requirement, but just wanted to double check.
Is it possible to use 1 or 2 of the 4 gigabit ethernet ports from one ACE straight into the other ACE for redundancy? So ACE_01 gig0/4 to ACE_02 gig0/4.If so, is it a case of just having the layer 3 config instead of trunking etc..Also - is it possible to create a context within the same vlan as the Admin context?