Solved

ASA5520 HA license upgrade from 25 to 100 users

Posted on 2010-04-10
Medium Priority
901 Views
Last Modified: 2012-08-14
Hi Experts,

I have 2 ASA5520’s configured for HA Active/Failover setup and need to upgrade my license from 25 to 100 users for SSL. I have a few questions and need clarification before moving forward with the upgrade.

Cisco Adaptive Security Appliance Software Version 8.2(1)

1. Do I need to purchase 2 separate license keys to install on each of my ASA’s, and if the answer is yes, does the key need to be registered to the serial number of each ASA5520?
2. The key that was issued to me to use for the upgrade was only 11 numbers and letters long. Is this correct, or do I need the five-element hexadecimal string with one space between each element, for example 0x2e04c541 0x9c0d5591 0x2c405824 0xaaf310e7 0xc01211a2, to upgrade?
3. Could you please provide a good documentation process on upgrading the license for ASA5520’s running active/failover?
Question by:db21
10 Comments
 
LVL 5

Accepted Solution

by:
ksims1129 earned 400 total points
ID: 30359867
1. Yes sir, you need a key for each appliance due to them having 2 different serial numbers.
2. That's not the key. That is what you would call a PAK (Product Authorization Key). To retrieve your serial number go to http://www.cisco.com/go/license
3. http://www.cisco.ws/en/US/prod/collateral/switches/ps5718/ps7077/QandA_Software_Activation.html
0
 

Author Comment

by:db21
ID: 30360940
ksims,

Thanks for your speedy reply. So does the PAK need to be registered by my Cisco channel partner for each serial number then? He just gave me 2 PAKs and he said that it doesn't matter which key I use for each ASA. I am not comfortable with the suggestion, that's how I ended up asking the experts.

thanks
db
 
0
 
LVL 5

Assisted Solution

by:ksims1129
ksims1129 earned 400 total points
ID: 30418053
Yes they do, but since you have the PAK that means he has already registered the PAKs to your devices' serial numbers. Once you go to cisco.com/go/license it will ask you for the PAK and the serial number of the device. Once completed you will be emailed the hexadecimal key used to activate the services on the ASA.
0
 

Author Comment

by:db21
ID: 30468261
I think one of the PAKs is registered to my other ASA 5520 and not for the secondary ASA. My channel partner gave me 2 keys to use, one for the pair of ASA5520s I have running HA (he wasn't aware that I needed 2 keys) and another one for the single ASA5520 I have. I think he is giving me the other license key for the single ASA to use for the secondary. He told me that I can just use the keys.

From what you are saying, my channel partner needs to register the pak to the serial numbers of my primary/secondary ASA's for the pak to work when I proceed with the install, am I correct?

Thanks
db
0
 
LVL 9

Assisted Solution

by:gavving
gavving earned 600 total points
ID: 30479455
If you have the PAK and not the activation key, then they have not been assigned to specific firewalls and can be applied to any one you choose that fits the license.  

If you have 2 ASA's in HA mode (active/active or active/standby), then you MUST have 2 SSL licenses applied to both (assuming premium SSL licenses).  Both firewalls in the HA pair must have the exact same licenses applied, or the HA pair will break automatically.  There is an exception to this, but it depends on the type of licenses you have and are adding.  Cisco introduced a Shared license that can be shared between firewalls.

Sounds like you actually have 3 firewalls, and 2 licenses.  You're going to need 3 licenses.

Here's Cisco's rundown of the current licenses for Remote Access (some of these licenses require at least 8.0.3 and some up to 8.2):
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html
0
 

Author Comment

by:db21
ID: 30511199
I'm going to assign one PAK to my Primary ASA and the other PAK to my Failover.  I guess what I need to clarify from  is when you say "Both firewalls in the HA pair must have the exact same licenses applied, or the HA pair will break automatically"

Since I'm going to have 2 sets of activation keys for my Primary/Secondary ASA's, will this break my HA environment?

db
0
 
LVL 9

Assisted Solution

by:gavving
gavving earned 600 total points
ID: 30513286
Yes, to install the new activation keys, your HA failover configuration will have to be disabled for a short time.  This key installation does not require a reload, so it should be doable without any outage.  Here's Cisco's document on the procedure: http://www.cisc.info/en/US/docs/security/asa/asa80/license/license80.html#wp85871

Once you've got the license upgraded on both firewalls in the failover pair, you'll be able to reenable the failover function according to the documentation and it should work fine.
0
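A way to check the point made in the replies above, that both units of the pair carry the same licensed features before failover is re-enabled, written as an added example that is not part of any post in this thread. It compares saved `show version` output from the two units; the sample text, serial numbers, keys, field labels and function names are constructed assumptions.

```python
import re

# Constructed `show version` excerpt (not output from the thread's devices).
PRIMARY = """\
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Failover                     : Active/Active
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 100
Total VPN Peers              : 750

This platform has an ASA 5520 VPN Plus license.

Serial Number: SAMPLE00001
Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444 0x55555555
"""
# Constructed peer that still has the old 25-user license and its own key.
SECONDARY = (PRIMARY.replace(": 100", ": 25")
             .replace("SAMPLE00001", "SAMPLE00002")
             .replace("0x11111111", "0x66666666"))

# Activation key shape from the question: five hex elements, single spaces.
KEY_RE = re.compile(r"^(0x[0-9a-fA-F]{8} ){4}0x[0-9a-fA-F]{8}$")

def parse_show_version(text):
    """Return (serial, activation_key, {feature: value})."""
    features, serial, key, in_block = {}, None, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Licensed features"):
            in_block = True
        elif line.startswith("Serial Number:"):
            serial = line.split(":", 1)[1].strip()
        elif line.startswith("Running Activation Key:"):
            key = line.split(":", 1)[1].strip()
        elif in_block and " : " in line:
            name, value = line.split(" : ", 1)
            features[name.strip()] = value.strip()
        elif in_block and not line:
            in_block = False  # blank line ends the feature table
    return serial, key, features

def license_mismatches(a_text, b_text):
    """Sorted (feature, value_a, value_b) tuples that differ between units."""
    _, key_a, feat_a = parse_show_version(a_text)
    _, key_b, feat_b = parse_show_version(b_text)
    if not all(k and KEY_RE.match(k) for k in (key_a, key_b)):
        raise ValueError("activation key is not five 0x-prefixed hex elements")
    names = set(feat_a) | set(feat_b)
    return sorted((n, feat_a.get(n), feat_b.get(n))
                  for n in names if feat_a.get(n) != feat_b.get(n))
```

An empty result means the two feature tables match; the activation keys themselves are expected to differ, since each is issued against one unit's serial number.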
 

Author Comment

by:db21
ID: 30562508
gavving,

I get the attached error for both PAKs and serial numbers for my ASA's. Any idea why?


Thanks
db
ASA5520PriErrorA.JPG
0
 
LVL 9

Assisted Solution

by:gavving
gavving earned 600 total points
ID: 30565422
I'm not exactly sure.  That license should load on the 5520 just fine.  There may be something odd that's causing it to fail to apply.  Normally when you go through the license process, you put in the PAK number, then the serial number of the device.  The error says something about an old and new serial number which doesn't make any sense to me.  

You may have to contact TAC and have them create the license for you if the webpage won't work.  That has happened to me before where I've had to call it in for one reason or another.

0
 

Author Comment

by:db21
ID: 31942645
I contacted Cisco and the problem was that since I have 25 current SSL licenses you cannot just jump to 100. You have to follow the license upgrade process, which is 25, 50, 75, 100. Cisco was able to help me adjust the license so that when I load the key I only get 100 SSL instead of 125 SSL.

thanks for your help
db
0
