Cisco VPN :: ASA5510 - ASA Failover Setup - SSL VPN License / Certificate Requirement?
Apr 4, 2011
I have set up ASA5510 in failover mode. I am planning to use this setup for clientless SSL VPN and have the following questions.
1. Do I have to license both firewalls for SSL VPNs? These licenses are very expensive and why would I have to purchase it for secondary when I am not using it?
2. SSL certificate for the firewall itself. Do I have to acquire one or two to ensure users don't get the annoying message about a self-signed certificate? Cisco doesn't seem to have this discussion in any documents. However, I found the following URL discussing it from somebody's experience. What's the official statement from Cisco on this matter? [URL]
Aug 16, 2011
I want to configure IOS SSL VPN on a C1941 router. Let me know if any additional license is required for that.
Nov 9, 2011
I have a Cisco 3750 with an ipservices license and I am running c3750e-universal-mz.122-50.SE2. I would like to upgrade to the "k9" IOS, i.e. c3750e-universalk9-mz.122-50.SE2. Is there any license required for that? Also, is there any difference in the IOS upgrade procedure?
Jan 14, 2013
A simple question - I have ASA 5520s and was wondering what license is required to create multiple (more than default 2) security contexts.
The ASAs already have the ASA 5520 VPN Plus license.
Software Version 8.4(1)
Dec 21, 2012
Currently my ASA5510 has a 64MB internal flash. Does the ASA require a higher capacity flash for an IOS upgrade from 7.2(x) to 8.2(x)? The Cisco Release Notes do not state any internal flash requirement, but I just wanted to double check.
Apr 28, 2013
I have a strange issue with certificate-based authentication in AnyConnect. We have an ASA with two internet links; both have a CA-authenticated cert for AnyConnect VPNs. We also have an AnyConnect client profile. When we simulate a link failure on the ASA, AnyConnect should automatically attempt a reconnect to the backup server list in its configuration (which is the other interface on the ASA 5580), which it does, but we get a certificate trust error.
Jul 12, 2011
I was setting up an SSL VPN on an ASA 5540 (8.2) but can't set up the local CA authority.
It's an active/standby failover pair.
I knew it wasn't enabled on active/active but I didn't realise it was also not enabled on active/passive. Has anyone come across this or know whether it can be enabled?
Apr 19, 2011
I am looking for a redundant ASA deployment for a failover setup. However, both units have CSC cards. Does this product, ASA5510-CSC10-K9, have a license for failover? What's the part number for the ASA failover license?
Apr 15, 2013
I have a running ASA5520 in my network and recently we plan to add a failover pair as a standby unit for the running ASA. Both of the ASAs have the same specs and software. The only thing that the soon-to-be secondary ASA does not have is the AnyConnect Essential license. Is it still possible for the unit to be the standby unit?
Below is the license capture from both of the units.
Running ASA:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
[Code].....
Jun 3, 2013
According to the link here: [URL] Starting with Version 8.3(1), it no longer needs to install identical licenses. Typically, we buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. So I wanna know if there's some additional configuration to synchronize the licenses such as SSL VPN or Context between the primary one and the second one? Or can they just synchronize by default as soon as I finish the failover configuration, and when the primary one goes down, the second one will take over the role including licenses automatically?
May 22, 2011
According to Cisco, one of the ASAs must have an Unrestricted License [URL]:
"On the PIX/ASA Security appliance platform, at least one of the units must have an unrestricted (UR) license. The other unit can have a Failover Only Active-Active (FO_AA) license, or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO_AA licenses cannot be used together as a failover pair."
I am unfamiliar with the different ASA licenses, so with my current license, I am unable to enable failover on my two ASAs. Here is a snippet of the "show version" output on one of my ASAs (they are the same as far as licenses go):
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Disabled
SSL VPN Peers : 10
Total VPN Peers : 5000
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5550 VPN Premium license.
Mar 3, 2011
I have ASA 5510. And I had two ISPs and I need to configure ISP failover. So which license do I need? I had the ASA-CSC10-PLUS license.
Oct 25, 2012
I just upgraded our AnyConnect package on our ASA5510 from 3.06xxx to 3.1. When I tried to log in to the website to automatically install the client, it showed me a big error saying the certificate is untrusted and I have to explicitly accept it. After accepting it, I had to restart the installation. Is there a way to disable this strict certificate trust setting? We don't have a valid SSLVPN certificate yet, but this big error will confuse end users.
Nov 1, 2011
I used to have this situation where I needed to replace a faulty ASA5510 (this FW did not fail over to the standby FW) with a new one.
But the problem is the new ASA5510 came with the Base License only, not with the Security Plus License, which is needed to allow this brand new device to be configured for failover.
How do I pull the Security Plus License out of the old FW, switch it to the new FW (Base License) and activate the Security Plus License?
Mar 24, 2013
We applied a new AnyConnect mobile license to our primary ASA 5520 and the failover feature went into an off state. We have now applied a second purchased AnyConnect mobile license to our secondary ASA but the failover is still inactive/off.
bcoh1fw50# sh failover state
State Last Failure Reason Date/Time
This host - Primary
Disabled Ifc Failure 14:43:21 EST Jan 30 2013
[Code].....
Apr 21, 2013
Lately we have been considering an upgrade in our organization involving a 1921 router. The main role it will play is a load balancer/failover between 2 connections from 2 different ISPs. What additions are required to be added to this piece of equipment to make the configuration work? I'm researching the matter now and it seems an extra card should be purchased in addition to the router. Also, I can't seem to find much information on the available licenses to go with the router. Will I need a special license to utilize the balancer/failover feature (ip base, data, SEC)?
Jul 5, 2011
I have a customer who has an ASA5505 and purchased the ASA5500-SSL-25 license. He is now going to replace/upgrade to a 5510. Can he just install the license on the new ASA, providing that he gets some trade-in on the 5505? Does he have to purchase it all over again?
May 21, 2013
I have bought the below licenses for the ASA5510 to upgrade from 2 to 250 users and yet I can give access to 2 users only.
L-ASA-AC-M-5510=
L-ASA-AC-E-5510=
Kindly find attached the "show version"
Mar 6, 2013
Our customer has purchased 2 x L-ASA-AC-E-5520= AnyConnect Essentials VPN Licenses (750 Users). I've installed both activated licenses as per the Cisco guides, and I didn't get any errors on the install. I did a reload on both; they are both back up and running as active/standby, but when I do a sh ver the license still shows "ASA 5520 VPN Plus License". Am I being dumb and has this worked successfully, or should it not now display AnyConnect when I do a sh ver?
May 9, 2012
Trying to set up a stateful failover with two ASA5510s.
Here is what I have so far, tell me if this looks right. The IP addresses are set to 0.0.0.0 only for this discussion.
Config Primary Firewall:
config t
interface management 0/0
 ip address 0.0.0.0 255.255.255.252 standby 0.0.0.0
interface eth 0/0
[Code].....
Jul 30, 2012
I have an ASA5510 and I would like to implement something like this: have two ports patched in and ready but only one active, the other one in standby (when the first one goes down the other port comes up and all the traffic goes down this way), all these on one physical box. So, it's basically like port failover on the same box.
Nov 11, 2012
I have a pair of ASA5510s currently running as a failover pair. For some reason we need to move one of the firewalls to another site. Is there any best practice on splitting up the failover pair so that I can re-configure the secondary unit offline?
I'm thinking of powering down the secondary unit, unplugging it from the network totally, then erasing the configuration on the secondary unit on console so I can re-configure it. For the primary unit, I will disable the failover config with "no failover" on the primary unit. Is that all that is necessary for splitting up the failover cluster?
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB(code)
May 11, 2011
I have just finished setting up two ASA5510s in Active/Standby Stateful failover, using the Management interface for both failover and state. Everything appears to be working well. Configurations were transferred and the "sh failover" on both accurately reports their status before and after failing the active device. I monitored the inside IP with a continuous ping (using a Windows client) and noticed that there were usually two to three ping responses lost. Is this normal?
Aug 28, 2011
My customer had a spare ASA5510 bought a few years before with 5 x FE and security plus license with HA. Now they would like to buy a new ASA5510 to configure HA with the spare one, but now the ASA5510 comes with 2GE+3FE. Can the two FW work in HA?
Jun 24, 2011
Do I correctly understand that when two ASA 5510s are in a failover pair, the switchover from primary to secondary if one interface of the primary goes down shall happen ONLY if the failover link is up? So when the failover link is down and one interface on the primary goes down also, interface tests between the two ASAs are still being done, but the secondary SHALL NEVER try to become active.
In this case, why run tests on data interfaces? What is the reason for them? If the knowledge that some interfaces of the primary went down comes through the failover link, there is no need to make additional interface tests; the primary will tell the secondary about the failure. If so, should I run the no monitor-interface if name command so as not to load the devices and network with foolish tests?
Oct 24, 2011
We have a customer with an ASA 5510 with a CSC module in it. The device tells us the Base license has expired. The license has been renewed, after the grace period. The Trend Micro site tells us the Base license is valid until 21 October 2013 but the CSC refuses to acknowledge this. The module is able to fetch updates from the Internet so it does not look like a connection problem to me (it also has a Plus license which is also valid till far into 2013 and that one works). Is it possible that the current license key is "dead" and the CSC expects a new license key because the grace period had expired?
Apr 30, 2012
Is it possible to have 10 security licenses licensed to a Cisco 5510 and have them transferred to a Cisco 5520?
Jan 22, 2013
I have a single ASA-5510 with CSC module. I want to pair it in active/standby mode for failover .... can it be done if the second ASA doesn't have the module? Can I assume that in case of a failover, the traffic won't be checked, and primary does in case CSC module fails?
Dec 28, 2011
Is it possible to have this setup on RV016?
WAN1: VOIP traffic (either by port or IP) + failover for WAN 2
WAN2: all other traffic + failover for WAN1
WAN3: failover for WAN1 & WAN2 with connection on demand
Oct 30, 2012
I have been tasked with completing a Cisco config update on an ISR. The client is running a Cisco 2911 with IOS version 15.0(1)M6. They have added a new WAN interface to GigabitEthernet0/2 and are looking to set up a basic failover configuration to augment their current 0/0 Fiber connection.
Apr 16, 2011
I have an ASA5510 active/standby and created one site-to-site VPN with remote peer IP address xx.xx.xx.xx. Our VPN traffic is running on a 6 mb internet link for video conferencing traffic. Now the client has given another 2 mb internet link and told us our data traffic should run on the 2 mb link, but this data traffic runs to the same remote peer IP xx.xx.xx.xx. Secondly, they also need failover over the ISP link. How do we implement this on the ASA 5510?
Mar 20, 2013
I have been given a task where I need to create a failover setup from a Cisco 1800 router to a LAN network 2 hops away (see topology). The reason I have been given this task is because the wireless links are not so reliable, but necessary. I'm thinking of doing this failover task with IP SLA on the router's fiber 1 and fiber 2 links, so when/if one of the links goes down, it instantly chooses the other link. I have also been thinking about implementing STP instead, and replacing the router with a switch, but I'm not sure exactly how to implement it. Unfortunately I'm not able to test anything, as we are still waiting for the fiber lines, but I want to be prepared as much as possible.
Apr 1, 2012
What I am attempting to do is set up SNMPv3 on two failover 5510s. The problem I am running into: the SNMP management software rejects one of the devices as it sees it as having a duplicate engine ID, since the two devices share the same config. I would like to know how this would work in an active/active setup, being able to poll both devices.