Smartnet Contracts for SSM-20s installed in a pair of ASA5520s in Active/Standby Failover

I have two ASA5520s configured in Active/Standby Failover. I have two SSM-20 Modules that I'm going to install and configure in these ASAs. Now as you know, in Active/Standby, only one device is being used, the other device is just sitting there waiting to take over. Now Cisco tells me that the SSM configurations do not replicate from the active unit to the standby unit as they are independent and both need to be configured manually. They also said I will need to purchase a smartnet contract for both SSMs even though I'm only using one at a time. I am furious as a contract for an SSM is about $3,000. I can't afford two of them. Does anyone have a way around this? I refuse to purchase a contract for both SSMs when I'm only using one at a time. I know with AnyConnect licensing I only need to buy one license for an Active/Standby pair. This is not right in my eyes.
denver218 Asked:
 
Ken Boone (Network Consultant) Commented:
You are correct. The license is what lets the SSM update its signatures. However, with the SSM modules, since they are independent, the ASAs won't care if one has a license and one doesn't as far as failover goes. So you should be able to have your active/standby running. The issue is that if it fails to the ASA with the non-licensed SSM, it won't be current. You have to decide what the risk is in running that way for a brief period of time while you fix the reason it failed over versus the $2700.
0
 
Ernie Beek (Expert) Commented:
Well, what I did in the past, when having multiple identical devices was: purchase one smartnet. When a device broke down, register the smartnet on that device and place a support call. Though it's a 'creative' solution it worked for me.
0
 
denver218 (Author) Commented:
:) Yeah, I've done that before. I'm concerned if the Active ASA fails, this is the ASA that has the SSM that has the contract/license, it will fail over to the standby ASA, but the SSM in the standby ASA will not have a license so it will not have active signatures. Unless I can manually download the SSM signatures and install them on the second SSM without a license? I just quoted one SSM, and it came out to $2,700. There is no way I can afford another $2,700 license. I mean only one of the devices is active at a time.
0
 
Ernie Beek (Expert) Commented:
Oh wait, you're talking license not smartnet?
So then you have a plus license (?) because there is a default license on the ssm20.
0
 
denver218 (Author) Commented:
I guess I'm confused. I have two ASA5520s in Active/Standby Failover. Both of these ASAs have a smartnet contract. I recently purchased two SSM-20 modules, they are used, but currently don't have a valid license. The SSM-20 says "there is no license key installed on the SSM-IPS 20", please go to www.cisco.com/go/license to obtain a new license. I want to put these modules in the ASAs. So what I did was go to the Cisco Service Contract Center website and quoted the S/N for each SSM-20. I quoted the serial # for this contract - IPS Svc AR NBD (SU1). It comes back with a $2,700 price tag. Both of them do. I'm guessing this gives me the license. So since neither have a license key, I am probably going to have to purchase one for both. Would you agree?
0
 
Ernie Beek (Expert) Commented:
I think I agree........

You purchased used modules so the default license has expired (?)

Then I'm afraid you'll need one for both :-~

As per Cisco:

Two services are required for the effective operation of the CSC-SSM: Software update service and Cisco SMARTnet®. First year of software update service for base feature set is included in the base price of the product for the first year of service as measured from time of license registration. Customers are required to purchase Cisco maintenance separately for an additional fee (SMARTnet or equivalent, for example). This SMARTnet service fee is not included in the base price of the product for the first or subsequent years.

As you already figured out, the license key is linked to the serial of the device. So two devices, two serials.
0
 
Ernie Beek (Expert) Commented:
Hi Ken, where did you come from all of a sudden.
Did it really take me eight minutes to type that comment?

;)
0
 
Ken Boone (Network Consultant) Commented:
Ernie,
Yea that happens to me all the time ;)
0
 
denver218 (Author) Commented:
Well that stinks :( I think I will need to purchase a license for both then. If not I can do what Ken stated and not have a license on the standby SSM, but as he said, if failover occurred that SSM would have outdated signatures, so there would be some vulnerability.

As far as ASA failover is concerned, since the SSMs are independent, it doesn't matter if one of the SSMs doesn't have a license, right? This won't break failover, right? I wouldn't think it would.

I am very surprised that Cisco doesn't have some sort of shared license for this. I feel I am being ripped off. I can only use one at a time, the ASAs are in Active/Standby. I guess this is the price you pay for security.
0
 
Ernie Beek (Expert) Commented:
No failover won't break, as you stated.

And indeed, security will cost you (and cisco as well ;) . Though indeed it is strange that they do have a separate licensing for failover bundles but not for the additional SSMs.
0
 
Ken Boone (Network Consultant) Commented:
Yea and the other thing that stinks is that the configuration doesn't sync between them like on the CSC modules. The CSC modules are independent but you can sync them. With the SSM each time you configure a filter, you need to make sure you do it on both of the units. And.. if the other unit doesn't have all the sigs, then you might not be able to set the same filter. Have fun. In either case download the free IME software and install that and get that set up. It is much easier to view what is going on with the sensors and you can set up alerting with it as well.
0
 
Ernie Beek (Expert) Commented:
@ken: hehe, this time I saw your comment before I started typing. So that saved me some work :)
0
 
Ken Boone (Network Consultant) Commented:
Always trying to help a brother out ... ;)
0
 
denver218 (Author) Commented:
Thanks guys, I really appreciate your help.  I think to start I am only going to purchase a license for one SSM-20.  If failover occurs, I will just try and get the main unit back online as quick as I can since the standby unit will not have a license:)  I will have a 4hr response time on the one contract I purchase.  Maybe later down the line then I will be able to get a license for the SSM in the failover unit.  Thanks again!
0
 
Ernie Beek (Expert) Commented:
I think I may speak for the both of us when I say: you're welcome & thx 4 the points (and save Ken from some typework ;)
0
Question has a verified solution.