ASA5520 HA license upgrade from 25 to 100 users

Hi Experts,

I have 2 ASA5520’s configured for HA Active/Failover setup and need to upgrade my license from 25 to 100 users for SSL. I have a few questions and need clarification before moving forward with the upgrade.

Cisco Adaptive Security Appliance Software Version 8.2(1)

1. Do I need to purchase 2 separate license keys to install on each of my ASA’s and if the answer is yes does the key need to be registered to the serial number of each ASA5520?
2. The key that was issued to me to use for the upgrade was only 11 numbers and letters long. Is this correct or do I need the five-element hexadecimal string with one space between each element, for example 0x2e04c541 0x9c0d5591 0x2c405824 0xaaf310e7 0xc01211a2, to upgrade?
3. Could you please provide a good documentation process on upgrading the license for ASA5520’s running active/failover?
db21Asked:

ksims1129Commented:
1. Yes sir, you need a key for each appliance due to them having 2 different serial numbers.
2. That's not the key. That is what you would call a PAK (Product Authorization Key). To retrieve your serial number, go to http://www.cisco.com/go/license
3. http://www.cisco.ws/en/US/prod/collateral/switches/ps5718/ps7077/QandA_Software_Activation.html
0

db21Author Commented:
ksims,

Thanks for your speedy reply. So does the PAK need to be registered by my Cisco channel partner for each serial number then? He just gave me 2 PAKs and he said that it doesn't matter which key I use for each ASA. I am not comfortable with the suggestion; that's how I ended up asking the experts.

thanks
db
 
0
ksims1129Commented:
Yes, they do, but since you have the PAK, that means he has already registered the PAKs to your devices' serial numbers. Once you go to cisco.com/go/license it will ask you for the PAK and the serial number of the device. Once completed, you will be emailed the hexadecimal key used to activate the services on the ASA.
0

db21Author Commented:
I think one of the PAKs is registered to my other ASA 5520 and not for the secondary ASA. My channel partner gave me 2 keys to use, one for the pair of ASA5520s I have running HA (he wasn't aware that I needed 2 keys) and another one for the single ASA5520 I have. I think he is giving me the other license key for the single ASA to use for the secondary. He told me that I can just use the keys.

From what you are saying, my channel partner needs to register the pak to the serial numbers of my primary/secondary ASA's for the pak to work when I proceed with the install, am I correct?

Thanks
db
0
gavvingCommented:
If you have the PAK and not the activation key, then they have not been assigned to specific firewalls and can be applied to any one you choose that fits the license.  

If you have 2 ASAs in HA mode (active/active or active/standby), then you MUST have 2 SSL licenses applied to both (assuming premium SSL licenses). Both firewalls in the HA pair must have the exact same licenses applied, or the HA pair will break automatically. There is an exception to this, but it depends on the type of licenses you have and are adding. Cisco introduced a Shared license that can be shared between firewalls.

Sounds like you actually have 3 firewalls, and 2 licenses. You're going to need 3 licenses.

Here's Cisco's rundown of the current licenses for Remote Access (some of these licenses require at least 8.0.3 and some up to 8.2):
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html
0
db21Author Commented:
I'm going to assign one PAK to my Primary ASA and the other PAK to my Failover.  I guess what I need to clarify from  is when you say "Both firewalls in the HA pair must have the exact same licenses applied, or the HA pair will break automatically"

Since I'm going to have 2 sets of activation keys for my Primary/Secondary ASAs, will this break my HA environment?

db
0
gavvingCommented:
Yes, to install the new activation keys, your HA failover configuration will have to be disabled for a short time. This key installation does not require a reload, so it should be doable without any outage. Here's Cisco's document on the procedure: http://www.cisc.info/en/US/docs/security/asa/asa80/license/license80.html#wp85871

Once you've got the license upgraded on both firewalls in the failover pair, you'll be able to reenable the failover function according to the documentation and it should work fine.
0
db21Author Commented:
gavving,

I get the attached error for both PAKs and serial numbers for my ASAs. Any idea why?


Thanks
db
ASA5520PriErrorA.JPG
0
gavvingCommented:
I'm not exactly sure.  That license should load on the 5520 just fine.  There may be something odd that's causing it to fail to apply.  Normally when you go through the license process, you put in the PAK number, then the serial number of the device.  The error says something about an old and new serial number which doesn't make any sense to me.  

You may have to contact TAC and have them create the license for you if the webpage won't work.  That has happened to me before where I've had to call it in for one reason or another.

0
db21Author Commented:
I contacted Cisco and the problem was that since I have 25 current SSL licenses, you cannot just jump to 100. You have to follow the license upgrade process, which is 25, 50, 75, 100. Cisco was able to help me adjust the license so that when I load the key I only get 100 SSL instead of 125 SSL.

thanks for your help
db
0